X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/a1c7dba18ef36983396c282fe85292db066e39db..527f99514973766e9c0382a4d8550dfb00f54939:/osfmk/mach/vm_param.h diff --git a/osfmk/mach/vm_param.h b/osfmk/mach/vm_param.h index 499fb9cf5..96bd1f445 100644 --- a/osfmk/mach/vm_param.h +++ b/osfmk/mach/vm_param.h @@ -75,6 +75,9 @@ #include #endif /* ASSEMBLER */ +#include +#include + /* * The machine independent pages are refered to as PAGES. A page * is some number of hardware pages, depending on the target machine. @@ -119,6 +122,18 @@ #define mach_vm_round_page(x) (((mach_vm_offset_t)(x) + PAGE_MASK) & ~((signed)PAGE_MASK)) #define mach_vm_trunc_page(x) ((mach_vm_offset_t)(x) & ~((signed)PAGE_MASK)) +#define round_page_overflow(in, out) __os_warn_unused(({ \ + bool __ovr = os_add_overflow(in, (__typeof__(*out))PAGE_MASK, out); \ + *out &= ~((__typeof__(*out))PAGE_MASK); \ + __ovr; \ + })) + +static inline int OS_WARN_RESULT +mach_vm_round_page_overflow(mach_vm_offset_t in, mach_vm_offset_t *out) +{ + return round_page_overflow(in, out); +} + #define memory_object_round_page(x) (((memory_object_offset_t)(x) + PAGE_MASK) & ~((signed)PAGE_MASK)) #define memory_object_trunc_page(x) ((memory_object_offset_t)(x) & ~((signed)PAGE_MASK)) @@ -233,6 +248,8 @@ extern uint64_t max_mem; /* 64-bit size of memory - limited by maxmem */ #ifdef XNU_KERNEL_PRIVATE +#include + extern uint64_t mem_actual; /* 64-bit size of memory - not limited by maxmem */ extern uint64_t sane_size; /* Memory size to use for defaults calculations */ extern addr64_t vm_last_addr; /* Highest kernel virtual address known to the VM system */ @@ -240,41 +257,21 @@ extern addr64_t vm_last_addr; /* Highest kernel virtual address known to the VM extern const vm_offset_t vm_min_kernel_address; extern const vm_offset_t vm_max_kernel_address; -extern vm_offset_t vm_kernel_stext; -extern vm_offset_t vm_kernel_etext; -extern vm_offset_t vm_kernel_base; -extern vm_offset_t vm_kernel_top; +extern vm_offset_t vm_kernel_stext; +extern vm_offset_t vm_kernel_etext; +extern vm_offset_t vm_kernel_slid_base; +extern vm_offset_t vm_kernel_slid_top; extern vm_offset_t vm_kernel_slide; -extern vm_offset_t vm_hib_base; extern vm_offset_t vm_kernel_addrperm; - extern vm_offset_t vm_kext_base; extern vm_offset_t vm_kext_top; -extern vm_offset_t vm_prelink_stext; -extern vm_offset_t vm_prelink_etext; -extern vm_offset_t vm_prelink_sinfo; -extern vm_offset_t vm_prelink_einfo; -extern vm_offset_t vm_slinkedit; -extern vm_offset_t vm_elinkedit; +extern vm_offset_t vm_kernel_base; +extern vm_offset_t vm_kernel_top; +extern vm_offset_t vm_hib_base; #define VM_KERNEL_IS_SLID(_o) \ - (((vm_offset_t)(_o) >= vm_kernel_base) && \ - ((vm_offset_t)(_o) < vm_kernel_top)) -#define VM_KERNEL_IS_KEXT(_o) \ - (((vm_offset_t)(_o) >= vm_kext_base) && \ - ((vm_offset_t)(_o) < vm_kext_top)) - -#define VM_KERNEL_IS_PRELINKTEXT(_o) \ - (((vm_offset_t)(_o) >= vm_prelink_stext) && \ - ((vm_offset_t)(_o) < vm_prelink_etext)) - -#define VM_KERNEL_IS_PRELINKINFO(_o) \ - (((vm_offset_t)(_o) >= vm_prelink_sinfo) && \ - ((vm_offset_t)(_o) < vm_prelink_einfo)) - -#define VM_KERNEL_IS_KEXT_LINKEDIT(_o) \ - (((vm_offset_t)(_o) >= vm_slinkedit) && \ - ((vm_offset_t)(_o) < vm_elinkedit)) + (((vm_offset_t)(_o) >= vm_kernel_slid_base) && \ + ((vm_offset_t)(_o) < vm_kernel_slid_top)) #define VM_KERNEL_SLIDE(_u) \ ((vm_offset_t)(_u) + vm_kernel_slide) @@ -285,56 +282,105 @@ extern vm_offset_t vm_elinkedit; * (e.g. stackshot, proc_info syscall, etc.). It is important to understand * the goal of each macro and choose the right one depending on what you are * trying to do. Misuse of these macros can result in critical data leaks - * which in turn lead to all sorts of system vulnerabilities. + * which in turn lead to all sorts of system vulnerabilities. It is invalid to + * call these macros on a non-kernel address (NULL is allowed). * - * Note that in general the ideal goal is to protect addresses from userspace - * in a way that is reversible assuming you know the permutation and/or slide. - * - * The macros are as follows: - * * VM_KERNEL_UNSLIDE: * Use this macro when you are exposing an address to userspace which is - * a "static" kernel or kext address (i.e. coming from text or data - * sections). These are the addresses which get "slid" via ASLR on kernel - * or kext load, and it's precisely the slide value we are trying to + * *guaranteed* to be a "static" kernel or kext address (i.e. coming from text + * or data sections). These are the addresses which get "slid" via ASLR on + * kernel or kext load, and it's precisely the slide value we are trying to * protect from userspace. * - * VM_KERNEL_ADDRPERM: - * Use this macro when you are exposing an address to userspace which is - * coming from the kernel's "heap". Since these adresses are not "loaded" - * from anywhere, there is no slide applied and we instead apply the - * permutation value to obscure the address. + * VM_KERNEL_ADDRHIDE: + * Use when exposing an address for internal purposes: debugging, tracing, + * etc. The address will be unslid if necessary. Other addresses will be + * hidden on customer builds, and unmodified on internal builds. * - * VM_KERNEL_UNSLIDE_OR_ADDRPERM: - * Use this macro when you are exposing an address to userspace that could - * come from either kernel text/data *or* the heap. This is a rare case, - * but one that does come up and must be handled correctly. + * VM_KERNEL_ADDRHASH: + * Use this macro when exposing a kernel address to userspace on customer + * builds. The address can be from the static kernel or kext regions, or the + * kernel heap. The address will be unslid or hashed as appropriate. + * + * + * ** SECURITY WARNING: The following macros can leak kernel secrets. + * Use *only* in performance *critical* code. + * + * VM_KERNEL_ADDRPERM: + * VM_KERNEL_UNSLIDE_OR_PERM: + * Use these macros when exposing a kernel address to userspace on customer + * builds. The address can be from the static kernel or kext regions, or the + * kernel heap. The address will be unslid or permuted as appropriate. * * Nesting of these macros should be considered invalid. */ -#define VM_KERNEL_UNSLIDE(_v) \ - ((VM_KERNEL_IS_SLID(_v) || \ - VM_KERNEL_IS_KEXT(_v) || \ - VM_KERNEL_IS_PRELINKTEXT(_v) || \ - VM_KERNEL_IS_PRELINKINFO(_v) || \ - VM_KERNEL_IS_KEXT_LINKEDIT(_v)) ? \ - (vm_offset_t)(_v) - vm_kernel_slide : \ - (vm_offset_t)(_v)) - -#define VM_KERNEL_ADDRPERM(_v) \ - (((vm_offset_t)(_v) == 0) ? \ - (vm_offset_t)(0) : \ - (vm_offset_t)(_v) + vm_kernel_addrperm) - -#define VM_KERNEL_UNSLIDE_OR_PERM(_v) \ - ((VM_KERNEL_IS_SLID(_v) || \ - VM_KERNEL_IS_KEXT(_v) || \ - VM_KERNEL_IS_PRELINKTEXT(_v) || \ - VM_KERNEL_IS_PRELINKINFO(_v) || \ - VM_KERNEL_IS_KEXT_LINKEDIT(_v)) ? \ - (vm_offset_t)(_v) - vm_kernel_slide : \ - VM_KERNEL_ADDRPERM(_v)) - + +__BEGIN_DECLS +extern vm_offset_t vm_kernel_addrhash(vm_offset_t addr); +__END_DECLS + +#define __DO_UNSLIDE(_v) ((vm_offset_t)(_v) - vm_kernel_slide) + +#if DEBUG || DEVELOPMENT +# define VM_KERNEL_ADDRHIDE(_v) (VM_KERNEL_IS_SLID(_v) ? __DO_UNSLIDE(_v) : (vm_address_t)(_v)) +#else +# define VM_KERNEL_ADDRHIDE(_v) (VM_KERNEL_IS_SLID(_v) ? __DO_UNSLIDE(_v) : (vm_address_t)0) +#endif + +#define VM_KERNEL_ADDRHASH(_v) vm_kernel_addrhash((vm_offset_t)(_v)) + +#define VM_KERNEL_UNSLIDE_OR_PERM(_v) ({ \ + VM_KERNEL_IS_SLID(_v) ? __DO_UNSLIDE(_v) : \ + VM_KERNEL_ADDRESS(_v) ? ((vm_offset_t)(_v) + vm_kernel_addrperm) : \ + (vm_offset_t)(_v); \ + }) + +#define VM_KERNEL_UNSLIDE(_v) ({ \ + VM_KERNEL_IS_SLID(_v) ? __DO_UNSLIDE(_v) : (vm_offset_t)0; \ + }) + +#define VM_KERNEL_ADDRPERM(_v) VM_KERNEL_UNSLIDE_OR_PERM(_v) + +#undef mach_vm_round_page +#undef round_page +#undef round_page_32 +#undef round_page_64 + +static inline mach_vm_offset_t +mach_vm_round_page(mach_vm_offset_t x) +{ + if (round_page_overflow(x, &x)) { + panic("overflow detected"); + } + return x; +} + +static inline vm_offset_t +round_page(vm_offset_t x) +{ + if (round_page_overflow(x, &x)) { + panic("overflow detected"); + } + return x; +} + +static inline mach_vm_offset_t +round_page_64(mach_vm_offset_t x) +{ + if (round_page_overflow(x, &x)) { + panic("overflow detected"); + } + return x; +} + +static inline uint32_t +round_page_32(uint32_t x) +{ + if (round_page_overflow(x, &x)) { + panic("overflow detected"); + } + return x; +} #endif /* XNU_KERNEL_PRIVATE */