#include <mach/vm_types.h>
#endif /* ASSEMBLER */
+#include <os/base.h>
+#include <os/overflow.h>
+
/*
* The machine independent pages are refered to as PAGES. A page
* is some number of hardware pages, depending on the target machine.
#define mach_vm_round_page(x) (((mach_vm_offset_t)(x) + PAGE_MASK) & ~((signed)PAGE_MASK))
#define mach_vm_trunc_page(x) ((mach_vm_offset_t)(x) & ~((signed)PAGE_MASK))
+#define round_page_overflow(in, out) __os_warn_unused(({ \
+ bool __ovr = os_add_overflow(in, (__typeof__(*out))PAGE_MASK, out); \
+ *out &= ~((__typeof__(*out))PAGE_MASK); \
+ __ovr; \
+ }))
+
+static inline int OS_WARN_RESULT
+mach_vm_round_page_overflow(mach_vm_offset_t in, mach_vm_offset_t *out)
+{
+ return round_page_overflow(in, out);
+}
+
#define memory_object_round_page(x) (((memory_object_offset_t)(x) + PAGE_MASK) & ~((signed)PAGE_MASK))
#define memory_object_trunc_page(x) ((memory_object_offset_t)(x) & ~((signed)PAGE_MASK))
#ifdef XNU_KERNEL_PRIVATE
+#include <kern/debug.h>
+
extern uint64_t mem_actual; /* 64-bit size of memory - not limited by maxmem */
extern uint64_t sane_size; /* Memory size to use for defaults calculations */
extern addr64_t vm_last_addr; /* Highest kernel virtual address known to the VM system */
extern const vm_offset_t vm_min_kernel_address;
extern const vm_offset_t vm_max_kernel_address;
-extern vm_offset_t vm_kernel_stext;
-extern vm_offset_t vm_kernel_etext;
-extern vm_offset_t vm_kernel_base;
-extern vm_offset_t vm_kernel_top;
+extern vm_offset_t vm_kernel_stext;
+extern vm_offset_t vm_kernel_etext;
+extern vm_offset_t vm_kernel_slid_base;
+extern vm_offset_t vm_kernel_slid_top;
extern vm_offset_t vm_kernel_slide;
-extern vm_offset_t vm_hib_base;
extern vm_offset_t vm_kernel_addrperm;
-
extern vm_offset_t vm_kext_base;
extern vm_offset_t vm_kext_top;
-extern vm_offset_t vm_prelink_stext;
-extern vm_offset_t vm_prelink_etext;
-extern vm_offset_t vm_prelink_sinfo;
-extern vm_offset_t vm_prelink_einfo;
-extern vm_offset_t vm_slinkedit;
-extern vm_offset_t vm_elinkedit;
+extern vm_offset_t vm_kernel_base;
+extern vm_offset_t vm_kernel_top;
+extern vm_offset_t vm_hib_base;
#define VM_KERNEL_IS_SLID(_o) \
- (((vm_offset_t)(_o) >= vm_kernel_base) && \
- ((vm_offset_t)(_o) < vm_kernel_top))
-#define VM_KERNEL_IS_KEXT(_o) \
- (((vm_offset_t)(_o) >= vm_kext_base) && \
- ((vm_offset_t)(_o) < vm_kext_top))
-
-#define VM_KERNEL_IS_PRELINKTEXT(_o) \
- (((vm_offset_t)(_o) >= vm_prelink_stext) && \
- ((vm_offset_t)(_o) < vm_prelink_etext))
-
-#define VM_KERNEL_IS_PRELINKINFO(_o) \
- (((vm_offset_t)(_o) >= vm_prelink_sinfo) && \
- ((vm_offset_t)(_o) < vm_prelink_einfo))
-
-#define VM_KERNEL_IS_KEXT_LINKEDIT(_o) \
- (((vm_offset_t)(_o) >= vm_slinkedit) && \
- ((vm_offset_t)(_o) < vm_elinkedit))
+ (((vm_offset_t)(_o) >= vm_kernel_slid_base) && \
+ ((vm_offset_t)(_o) < vm_kernel_slid_top))
#define VM_KERNEL_SLIDE(_u) \
((vm_offset_t)(_u) + vm_kernel_slide)
* (e.g. stackshot, proc_info syscall, etc.). It is important to understand
* the goal of each macro and choose the right one depending on what you are
* trying to do. Misuse of these macros can result in critical data leaks
- * which in turn lead to all sorts of system vulnerabilities.
+ * which in turn lead to all sorts of system vulnerabilities. It is invalid to
+ * call these macros on a non-kernel address (NULL is allowed).
*
- * Note that in general the ideal goal is to protect addresses from userspace
- * in a way that is reversible assuming you know the permutation and/or slide.
- *
- * The macros are as follows:
- *
* VM_KERNEL_UNSLIDE:
* Use this macro when you are exposing an address to userspace which is
- * a "static" kernel or kext address (i.e. coming from text or data
- * sections). These are the addresses which get "slid" via ASLR on kernel
- * or kext load, and it's precisely the slide value we are trying to
+ * *guaranteed* to be a "static" kernel or kext address (i.e. coming from text
+ * or data sections). These are the addresses which get "slid" via ASLR on
+ * kernel or kext load, and it's precisely the slide value we are trying to
* protect from userspace.
*
- * VM_KERNEL_ADDRPERM:
- * Use this macro when you are exposing an address to userspace which is
- * coming from the kernel's "heap". Since these adresses are not "loaded"
- * from anywhere, there is no slide applied and we instead apply the
- * permutation value to obscure the address.
+ * VM_KERNEL_ADDRHIDE:
+ * Use when exposing an address for internal purposes: debugging, tracing,
+ * etc. The address will be unslid if necessary. Other addresses will be
+ * hidden on customer builds, and unmodified on internal builds.
*
- * VM_KERNEL_UNSLIDE_OR_ADDRPERM:
- * Use this macro when you are exposing an address to userspace that could
- * come from either kernel text/data *or* the heap. This is a rare case,
- * but one that does come up and must be handled correctly.
+ * VM_KERNEL_ADDRHASH:
+ * Use this macro when exposing a kernel address to userspace on customer
+ * builds. The address can be from the static kernel or kext regions, or the
+ * kernel heap. The address will be unslid or hashed as appropriate.
+ *
+ *
+ * ** SECURITY WARNING: The following macros can leak kernel secrets.
+ * Use *only* in performance *critical* code.
+ *
+ * VM_KERNEL_ADDRPERM:
+ * VM_KERNEL_UNSLIDE_OR_PERM:
+ * Use these macros when exposing a kernel address to userspace on customer
+ * builds. The address can be from the static kernel or kext regions, or the
+ * kernel heap. The address will be unslid or permuted as appropriate.
*
* Nesting of these macros should be considered invalid.
*/
-#define VM_KERNEL_UNSLIDE(_v) \
- ((VM_KERNEL_IS_SLID(_v) || \
- VM_KERNEL_IS_KEXT(_v) || \
- VM_KERNEL_IS_PRELINKTEXT(_v) || \
- VM_KERNEL_IS_PRELINKINFO(_v) || \
- VM_KERNEL_IS_KEXT_LINKEDIT(_v)) ? \
- (vm_offset_t)(_v) - vm_kernel_slide : \
- (vm_offset_t)(_v))
-
-#define VM_KERNEL_ADDRPERM(_v) \
- (((vm_offset_t)(_v) == 0) ? \
- (vm_offset_t)(0) : \
- (vm_offset_t)(_v) + vm_kernel_addrperm)
-
-#define VM_KERNEL_UNSLIDE_OR_PERM(_v) \
- ((VM_KERNEL_IS_SLID(_v) || \
- VM_KERNEL_IS_KEXT(_v) || \
- VM_KERNEL_IS_PRELINKTEXT(_v) || \
- VM_KERNEL_IS_PRELINKINFO(_v) || \
- VM_KERNEL_IS_KEXT_LINKEDIT(_v)) ? \
- (vm_offset_t)(_v) - vm_kernel_slide : \
- VM_KERNEL_ADDRPERM(_v))
-
+
+__BEGIN_DECLS
+extern vm_offset_t vm_kernel_addrhash(vm_offset_t addr);
+__END_DECLS
+
+#define __DO_UNSLIDE(_v) ((vm_offset_t)(_v) - vm_kernel_slide)
+
+#if DEBUG || DEVELOPMENT
+# define VM_KERNEL_ADDRHIDE(_v) (VM_KERNEL_IS_SLID(_v) ? __DO_UNSLIDE(_v) : (vm_address_t)(_v))
+#else
+# define VM_KERNEL_ADDRHIDE(_v) (VM_KERNEL_IS_SLID(_v) ? __DO_UNSLIDE(_v) : (vm_address_t)0)
+#endif
+
+#define VM_KERNEL_ADDRHASH(_v) vm_kernel_addrhash((vm_offset_t)(_v))
+
+#define VM_KERNEL_UNSLIDE_OR_PERM(_v) ({ \
+ VM_KERNEL_IS_SLID(_v) ? __DO_UNSLIDE(_v) : \
+ VM_KERNEL_ADDRESS(_v) ? ((vm_offset_t)(_v) + vm_kernel_addrperm) : \
+ (vm_offset_t)(_v); \
+ })
+
+#define VM_KERNEL_UNSLIDE(_v) ({ \
+ VM_KERNEL_IS_SLID(_v) ? __DO_UNSLIDE(_v) : (vm_offset_t)0; \
+ })
+
+#define VM_KERNEL_ADDRPERM(_v) VM_KERNEL_UNSLIDE_OR_PERM(_v)
+
+#undef mach_vm_round_page
+#undef round_page
+#undef round_page_32
+#undef round_page_64
+
+static inline mach_vm_offset_t
+mach_vm_round_page(mach_vm_offset_t x)
+{
+ if (round_page_overflow(x, &x)) {
+ panic("overflow detected");
+ }
+ return x;
+}
+
+static inline vm_offset_t
+round_page(vm_offset_t x)
+{
+ if (round_page_overflow(x, &x)) {
+ panic("overflow detected");
+ }
+ return x;
+}
+
+static inline mach_vm_offset_t
+round_page_64(mach_vm_offset_t x)
+{
+ if (round_page_overflow(x, &x)) {
+ panic("overflow detected");
+ }
+ return x;
+}
+
+static inline uint32_t
+round_page_32(uint32_t x)
+{
+ if (round_page_overflow(x, &x)) {
+ panic("overflow detected");
+ }
+ return x;
+}
#endif /* XNU_KERNEL_PRIVATE */