X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/b0d623f7f2ae71ed96e60569f61f9a9a27016e80..143464d58d2bd6378e74eec636961ceb0d32fb91:/bsd/kern/ubc_subr.c diff --git a/bsd/kern/ubc_subr.c b/bsd/kern/ubc_subr.c index 1f1f99d3e..2916f3e08 100644 --- a/bsd/kern/ubc_subr.c +++ b/bsd/kern/ubc_subr.c @@ -66,6 +66,10 @@ #include /* last */ #include +#include + +#include +#include #include @@ -74,6 +78,9 @@ extern kern_return_t memory_object_pages_resident(memory_object_control_t, boolean_t *); extern kern_return_t memory_object_signed(memory_object_control_t control, boolean_t is_signed); +extern boolean_t memory_object_is_slid(memory_object_control_t control); +extern boolean_t memory_object_is_signed(memory_object_control_t); + extern void Debugger(const char *message); @@ -131,67 +138,16 @@ cs_valid_range( return TRUE; } -/* - * Magic numbers used by Code Signing - */ -enum { - CSMAGIC_REQUIREMENT = 0xfade0c00, /* single Requirement blob */ - CSMAGIC_REQUIREMENTS = 0xfade0c01, /* Requirements vector (internal requirements) */ - CSMAGIC_CODEDIRECTORY = 0xfade0c02, /* CodeDirectory blob */ - CSMAGIC_EMBEDDED_SIGNATURE = 0xfade0cc0, /* embedded form of signature data */ - CSMAGIC_EMBEDDED_SIGNATURE_OLD = 0xfade0b02, /* XXX */ - CSMAGIC_DETACHED_SIGNATURE = 0xfade0cc1, /* multi-arch collection of embedded signatures */ - - CSSLOT_CODEDIRECTORY = 0, /* slot index for CodeDirectory */ -}; - -static const uint32_t supportsScatter = 0x20100; // first version to support scatter option - -/* - * Structure of an embedded-signature SuperBlob - */ -typedef struct __BlobIndex { - uint32_t type; /* type of entry */ - uint32_t offset; /* offset of entry */ -} CS_BlobIndex; - -typedef struct __SuperBlob { - uint32_t magic; /* magic number */ - uint32_t length; /* total length of SuperBlob */ - uint32_t count; /* number of index entries following */ - CS_BlobIndex index[]; /* (count) entries */ - /* followed by Blobs in no particular order as indicated by offsets in index */ -} CS_SuperBlob; - -struct Scatter { - uint32_t count; // number of pages; zero for sentinel (only) - uint32_t base; // first page number - uint64_t targetOffset; // offset in target - uint64_t spare; // reserved -}; - -/* - * C form of a CodeDirectory. - */ -typedef struct __CodeDirectory { - uint32_t magic; /* magic number (CSMAGIC_CODEDIRECTORY) */ - uint32_t length; /* total length of CodeDirectory blob */ - uint32_t version; /* compatibility version */ - uint32_t flags; /* setup and mode flags */ - uint32_t hashOffset; /* offset of hash slot element at index zero */ - uint32_t identOffset; /* offset of identifier string */ - uint32_t nSpecialSlots; /* number of special hash slots */ - uint32_t nCodeSlots; /* number of ordinary (code) hash slots */ - uint32_t codeLimit; /* limit to main image signature range */ - uint8_t hashSize; /* size of each hash in bytes */ - uint8_t hashType; /* type of hash (cdHashType* constants) */ - uint8_t spare1; /* unused (must be zero) */ - uint8_t pageSize; /* log2(page size in bytes); 0 => infinite */ - uint32_t spare2; /* unused (must be zero) */ - /* Version 0x20100 */ - uint32_t scatterOffset; /* offset of optional scatter vector */ - /* followed by dynamic content as located by offset fields above */ -} CS_CodeDirectory; +static void +hex_str( + const unsigned char *hash, + size_t len, + char *buf) +{ + unsigned int n; + for (n = 0; n < len; n++) + snprintf(buf + 2*n, 3, "%02.2x", hash[n]); +} /* @@ -268,9 +224,9 @@ hashes( assert(cs_valid_range(cd, cd + 1, lower_bound, upper_bound)); - if((ntohl(cd->version) >= supportsScatter) && (ntohl(cd->scatterOffset))) { + if((ntohl(cd->version) >= CS_SUPPORTSSCATTER) && (ntohl(cd->scatterOffset))) { /* Get first scatter struct */ - const struct Scatter *scatter = (const struct Scatter*) + const SC_Scatter *scatter = (const SC_Scatter*) ((const char*)cd + ntohl(cd->scatterOffset)); uint32_t hashindex=0, scount, sbase=0; /* iterate all scatter structs */ @@ -348,11 +304,400 @@ hashes( return hash; } + +/* + * cs_validate_codedirectory + * + * Validate that pointers inside the code directory to make sure that + * all offsets and lengths are constrained within the buffer. + * + * Parameters: cd Pointer to code directory buffer + * length Length of buffer + * + * Returns: 0 Success + * EBADEXEC Invalid code signature + */ + +static int +cs_validate_codedirectory(const CS_CodeDirectory *cd, size_t length) +{ + + if (length < sizeof(*cd)) + return EBADEXEC; + if (ntohl(cd->magic) != CSMAGIC_CODEDIRECTORY) + return EBADEXEC; + if (cd->hashSize != SHA1_RESULTLEN) + return EBADEXEC; + if (cd->pageSize != PAGE_SHIFT) + return EBADEXEC; + if (cd->hashType != CS_HASHTYPE_SHA1) + return EBADEXEC; + + if (length < ntohl(cd->hashOffset)) + return EBADEXEC; + + /* check that nSpecialSlots fits in the buffer in front of hashOffset */ + if (ntohl(cd->hashOffset) / SHA1_RESULTLEN < ntohl(cd->nSpecialSlots)) + return EBADEXEC; + + /* check that codeslots fits in the buffer */ + if ((length - ntohl(cd->hashOffset)) / SHA1_RESULTLEN < ntohl(cd->nCodeSlots)) + return EBADEXEC; + + if (ntohl(cd->version) >= CS_SUPPORTSSCATTER && cd->scatterOffset) { + + if (length < ntohl(cd->scatterOffset)) + return EBADEXEC; + + SC_Scatter *scatter = (SC_Scatter *) + (((uint8_t *)cd) + ntohl(cd->scatterOffset)); + uint32_t nPages = 0; + + /* + * Check each scatter buffer, since we don't know the + * length of the scatter buffer array, we have to + * check each entry. + */ + while(1) { + /* check that the end of each scatter buffer in within the length */ + if (((const uint8_t *)scatter) + sizeof(scatter[0]) > (const uint8_t *)cd + length) + return EBADEXEC; + uint32_t scount = ntohl(scatter->count); + if (scount == 0) + break; + if (nPages + scount < nPages) + return EBADEXEC; + nPages += scount; + scatter++; + + /* XXX check that basees doesn't overlap */ + /* XXX check that targetOffset doesn't overlap */ + } +#if 0 /* rdar://12579439 */ + if (nPages != ntohl(cd->nCodeSlots)) + return EBADEXEC; +#endif + } + + if (length < ntohl(cd->identOffset)) + return EBADEXEC; + + /* identifier is NUL terminated string */ + if (cd->identOffset) { + uint8_t *ptr = (uint8_t *)cd + ntohl(cd->identOffset); + if (memchr(ptr, 0, length - ntohl(cd->identOffset)) == NULL) + return EBADEXEC; + } + + return 0; +} + +/* + * + */ + +static int +cs_validate_blob(const CS_GenericBlob *blob, size_t length) +{ + if (length < sizeof(CS_GenericBlob) || length < ntohl(blob->length)) + return EBADEXEC; + return 0; +} + +/* + * cs_validate_csblob + * + * Validate that superblob/embedded code directory to make sure that + * all internal pointers are valid. + * + * Will validate both a superblob csblob and a "raw" code directory. + * + * + * Parameters: buffer Pointer to code signature + * length Length of buffer + * rcd returns pointer to code directory + * + * Returns: 0 Success + * EBADEXEC Invalid code signature + */ + +static int +cs_validate_csblob(const uint8_t *addr, size_t length, + const CS_CodeDirectory **rcd) +{ + const CS_GenericBlob *blob = (const CS_GenericBlob *)(void *)addr; + int error; + + *rcd = NULL; + + error = cs_validate_blob(blob, length); + if (error) + return error; + + length = ntohl(blob->length); + + if (ntohl(blob->magic) == CSMAGIC_EMBEDDED_SIGNATURE) { + const CS_SuperBlob *sb = (const CS_SuperBlob *)blob; + uint32_t n, count = ntohl(sb->count); + + if (length < sizeof(CS_SuperBlob)) + return EBADEXEC; + + /* check that the array of BlobIndex fits in the rest of the data */ + if ((length - sizeof(CS_SuperBlob)) / sizeof(CS_BlobIndex) < count) + return EBADEXEC; + + /* now check each BlobIndex */ + for (n = 0; n < count; n++) { + const CS_BlobIndex *blobIndex = &sb->index[n]; + if (length < ntohl(blobIndex->offset)) + return EBADEXEC; + + const CS_GenericBlob *subBlob = + (const CS_GenericBlob *)(void *)(addr + ntohl(blobIndex->offset)); + + size_t subLength = length - ntohl(blobIndex->offset); + + if ((error = cs_validate_blob(subBlob, subLength)) != 0) + return error; + subLength = ntohl(subBlob->length); + + /* extra validation for CDs, that is also returned */ + if (ntohl(blobIndex->type) == CSSLOT_CODEDIRECTORY) { + const CS_CodeDirectory *cd = (const CS_CodeDirectory *)subBlob; + if ((error = cs_validate_codedirectory(cd, subLength)) != 0) + return error; + *rcd = cd; + } + } + + } else if (ntohl(blob->magic) == CSMAGIC_CODEDIRECTORY) { + + if ((error = cs_validate_codedirectory((const CS_CodeDirectory *)(void *)addr, length)) != 0) + return error; + *rcd = (const CS_CodeDirectory *)blob; + } else { + return EBADEXEC; + } + + if (*rcd == NULL) + return EBADEXEC; + + return 0; +} + +/* + * cs_find_blob_bytes + * + * Find an blob from the superblob/code directory. The blob must have + * been been validated by cs_validate_csblob() before calling + * this. Use cs_find_blob() instead. + * + * Will also find a "raw" code directory if its stored as well as + * searching the superblob. + * + * Parameters: buffer Pointer to code signature + * length Length of buffer + * type type of blob to find + * magic the magic number for that blob + * + * Returns: pointer Success + * NULL Buffer not found + */ + +static const CS_GenericBlob * +cs_find_blob_bytes(const uint8_t *addr, size_t length, uint32_t type, uint32_t magic) +{ + const CS_GenericBlob *blob = (const CS_GenericBlob *)(void *)addr; + + if (ntohl(blob->magic) == CSMAGIC_EMBEDDED_SIGNATURE) { + const CS_SuperBlob *sb = (const CS_SuperBlob *)blob; + size_t n, count = ntohl(sb->count); + + for (n = 0; n < count; n++) { + if (ntohl(sb->index[n].type) != type) + continue; + uint32_t offset = ntohl(sb->index[n].offset); + if (length - sizeof(const CS_GenericBlob) < offset) + return NULL; + blob = (const CS_GenericBlob *)(void *)(addr + offset); + if (ntohl(blob->magic) != magic) + continue; + return blob; + } + } else if (type == CSSLOT_CODEDIRECTORY + && ntohl(blob->magic) == CSMAGIC_CODEDIRECTORY + && magic == CSMAGIC_CODEDIRECTORY) + return blob; + return NULL; +} + + +static const CS_GenericBlob * +cs_find_blob(struct cs_blob *csblob, uint32_t type, uint32_t magic) +{ + if ((csblob->csb_flags & CS_VALID) == 0) + return NULL; + return cs_find_blob_bytes((const uint8_t *)csblob->csb_mem_kaddr, csblob->csb_mem_size, type, magic); +} + +static const uint8_t * +cs_find_special_slot(const CS_CodeDirectory *cd, uint32_t slot) +{ + /* there is no zero special slot since that is the first code slot */ + if (ntohl(cd->nSpecialSlots) < slot || slot == 0) + return NULL; + + return ((const uint8_t *)cd + ntohl(cd->hashOffset) - (SHA1_RESULTLEN * slot)); +} + /* * CODESIGNING * End of routines to navigate code signing data structures in the kernel. */ +/* + * ENTITLEMENTS + * Routines to navigate entitlements in the kernel. + */ + +/* Retrieve the entitlements blob for a process. + * Returns: + * EINVAL no text vnode associated with the process + * EBADEXEC invalid code signing data + * 0 no error occurred + * + * On success, out_start and out_length will point to the + * entitlements blob if found; or will be set to NULL/zero + * if there were no entitlements. + */ + +static uint8_t sha1_zero[SHA1_RESULTLEN] = { 0 }; + +int +cs_entitlements_blob_get(proc_t p, void **out_start, size_t *out_length) +{ + uint8_t computed_hash[SHA1_RESULTLEN]; + const CS_GenericBlob *entitlements; + const CS_CodeDirectory *code_dir; + struct cs_blob *csblob; + const uint8_t *embedded_hash; + SHA1_CTX context; + + *out_start = NULL; + *out_length = 0; + + if (NULL == p->p_textvp) + return EINVAL; + + if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL) + return 0; + + if ((code_dir = (const CS_CodeDirectory *)cs_find_blob(csblob, CSSLOT_CODEDIRECTORY, CSMAGIC_CODEDIRECTORY)) == NULL) + return 0; + + entitlements = cs_find_blob(csblob, CSSLOT_ENTITLEMENTS, CSMAGIC_EMBEDDED_ENTITLEMENTS); + embedded_hash = cs_find_special_slot(code_dir, CSSLOT_ENTITLEMENTS); + + if (embedded_hash == NULL) { + if (entitlements) + return EBADEXEC; + return 0; + } else if (entitlements == NULL && memcmp(embedded_hash, sha1_zero, SHA1_RESULTLEN) != 0) { + return EBADEXEC; + } + + SHA1Init(&context); + SHA1Update(&context, entitlements, ntohl(entitlements->length)); + SHA1Final(computed_hash, &context); + if (memcmp(computed_hash, embedded_hash, SHA1_RESULTLEN) != 0) + return EBADEXEC; + + *out_start = (void *)entitlements; + *out_length = ntohl(entitlements->length); + + return 0; +} + +/* Retrieve the codesign identity for a process. + * Returns: + * NULL an error occured + * string the cs_identity + */ + +const char * +cs_identity_get(proc_t p) +{ + const CS_CodeDirectory *code_dir; + struct cs_blob *csblob; + + if (NULL == p->p_textvp) + return NULL; + + if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL) + return NULL; + + if ((code_dir = (const CS_CodeDirectory *)cs_find_blob(csblob, CSSLOT_CODEDIRECTORY, CSMAGIC_CODEDIRECTORY)) == NULL) + return NULL; + + if (code_dir->identOffset == 0) + return NULL; + + return ((const char *)code_dir) + ntohl(code_dir->identOffset); +} + + + +/* Retrieve the codesign blob for a process. + * Returns: + * EINVAL no text vnode associated with the process + * 0 no error occurred + * + * On success, out_start and out_length will point to the + * cms blob if found; or will be set to NULL/zero + * if there were no blob. + */ + +int +cs_blob_get(proc_t p, void **out_start, size_t *out_length) +{ + struct cs_blob *csblob; + + *out_start = NULL; + *out_length = 0; + + if (NULL == p->p_textvp) + return EINVAL; + + if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL) + return 0; + + *out_start = (void *)csblob->csb_mem_kaddr; + *out_length = csblob->csb_mem_size; + + return 0; +} + +uint8_t * +cs_get_cdhash(struct proc *p) +{ + struct cs_blob *csblob; + + if (NULL == p->p_textvp) + return NULL; + + if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL) + return NULL; + + return csblob->csb_sha1; +} + +/* + * ENTITLEMENTS + * End of routines to navigate entitlements in the kernel. + */ + + /* * ubc_init @@ -374,6 +719,8 @@ ubc_init(void) i = (vm_size_t) sizeof (struct ubc_info); ubc_info_zone = zinit (i, 10000*i, 8192, "ubc_info zone"); + + zone_change(ubc_info_zone, Z_NOENCRYPT, TRUE); } @@ -624,7 +971,10 @@ ubc_setsize(struct vnode *vp, off_t nsize) uip->ui_size = nsize; if (nsize >= osize) { /* Nothing more to do */ - lock_vnode_and_post(vp, NOTE_EXTEND); + if (nsize > osize) { + lock_vnode_and_post(vp, NOTE_EXTEND); + } + return (1); /* return success */ } @@ -984,6 +1334,16 @@ ubc_getobject(struct vnode *vp, __unused int flags) return (MEMORY_OBJECT_CONTROL_NULL); } +boolean_t +ubc_strict_uncached_IO(struct vnode *vp) +{ + boolean_t result = FALSE; + + if (UBCINFOEXISTS(vp)) { + result = memory_object_is_slid(vp->v_ubcinfo->ui_control); + } + return result; +} /* * ubc_blktooff @@ -1384,6 +1744,9 @@ ubc_map(vnode_t vp, int flags) if ( !ISSET(uip->ui_flags, UI_ISMAPPED)) need_ref = 1; SET(uip->ui_flags, (UI_WASMAPPED | UI_ISMAPPED)); + if (flags & PROT_WRITE) { + SET(uip->ui_flags, UI_MAPPEDWRITE); + } } CLR(uip->ui_flags, UI_MAPBUSY); @@ -1832,6 +2195,9 @@ ubc_create_upl( if (bufsize & 0xfff) return KERN_INVALID_ARGUMENT; + if (bufsize > MAX_UPL_SIZE * PAGE_SIZE) + return KERN_INVALID_ARGUMENT; + if (uplflags & (UPL_UBC_MSYNC | UPL_UBC_PAGEOUT | UPL_UBC_PAGEIN)) { if (uplflags & UPL_UBC_MSYNC) { @@ -1849,9 +2215,20 @@ ubc_create_upl( uplflags |= UPL_FOR_PAGEOUT | UPL_CLEAN_IN_PLACE | UPL_COPYOUT_FROM | UPL_SET_INTERNAL | UPL_SET_LITE; } else { - uplflags |= UPL_RET_ONLY_ABSENT | UPL_NOBLOCK | + uplflags |= UPL_RET_ONLY_ABSENT | UPL_NO_SYNC | UPL_CLEAN_IN_PLACE | UPL_SET_INTERNAL | UPL_SET_LITE; + + /* + * if the requested size == PAGE_SIZE, we don't want to set + * the UPL_NOBLOCK since we may be trying to recover from a + * previous partial pagein I/O that occurred because we were low + * on memory and bailed early in order to honor the UPL_NOBLOCK... + * since we're only asking for a single page, we can block w/o fear + * of tying up pages while waiting for more to become available + */ + if (bufsize > PAGE_SIZE) + uplflags |= UPL_NOBLOCK; } } else { uplflags &= ~UPL_FOR_PAGEOUT; @@ -2209,6 +2586,16 @@ UBCINFOEXISTS(struct vnode * vp) } +void +ubc_upl_range_needed( + upl_t upl, + int index, + int count) +{ + upl_range_needed(upl, index, count); +} + + /* * CODE SIGNING */ @@ -2221,12 +2608,15 @@ static SInt32 cs_blob_count_peak = 0; int cs_validation = 1; -SYSCTL_INT(_vm, OID_AUTO, cs_validation, CTLFLAG_RW, &cs_validation, 0, "Do validate code signatures"); -SYSCTL_INT(_vm, OID_AUTO, cs_blob_count, CTLFLAG_RD, &cs_blob_count, 0, "Current number of code signature blobs"); -SYSCTL_INT(_vm, OID_AUTO, cs_blob_size, CTLFLAG_RD, &cs_blob_size, 0, "Current size of all code signature blobs"); -SYSCTL_INT(_vm, OID_AUTO, cs_blob_count_peak, CTLFLAG_RD, &cs_blob_count_peak, 0, "Peak number of code signature blobs"); -SYSCTL_INT(_vm, OID_AUTO, cs_blob_size_peak, CTLFLAG_RD, &cs_blob_size_peak, 0, "Peak size of code signature blobs"); -SYSCTL_INT(_vm, OID_AUTO, cs_blob_size_max, CTLFLAG_RD, &cs_blob_size_max, 0, "Size of biggest code signature blob"); +#ifndef SECURE_KERNEL +SYSCTL_INT(_vm, OID_AUTO, cs_validation, CTLFLAG_RW | CTLFLAG_LOCKED, &cs_validation, 0, "Do validate code signatures"); +#endif +SYSCTL_INT(_vm, OID_AUTO, cs_blob_count, CTLFLAG_RD | CTLFLAG_LOCKED, (int *)(uintptr_t)&cs_blob_count, 0, "Current number of code signature blobs"); +SYSCTL_INT(_vm, OID_AUTO, cs_blob_size, CTLFLAG_RD | CTLFLAG_LOCKED, (int *)(uintptr_t)&cs_blob_size, 0, "Current size of all code signature blobs"); +SYSCTL_INT(_vm, OID_AUTO, cs_blob_count_peak, CTLFLAG_RD | CTLFLAG_LOCKED, &cs_blob_count_peak, 0, "Peak number of code signature blobs"); +SYSCTL_INT(_vm, OID_AUTO, cs_blob_size_peak, CTLFLAG_RD | CTLFLAG_LOCKED, &cs_blob_size_peak, 0, "Peak size of code signature blobs"); +SYSCTL_INT(_vm, OID_AUTO, cs_blob_size_max, CTLFLAG_RD | CTLFLAG_LOCKED, &cs_blob_size_max, 0, "Size of biggest code signature blob"); + kern_return_t ubc_cs_blob_allocate( @@ -2261,12 +2651,125 @@ ubc_cs_blob_deallocate( #endif /* CS_BLOB_PAGEABLE */ } +int +ubc_cs_sigpup_add( + struct vnode *vp, + vm_address_t address, + vm_size_t size) +{ + kern_return_t kr; + struct ubc_info *uip; + struct cs_blob *blob; + memory_object_control_t control; + const CS_CodeDirectory *cd; + int error; + + control = ubc_getobject(vp, UBC_FLAGS_NONE); + if (control == MEMORY_OBJECT_CONTROL_NULL) + return KERN_INVALID_ARGUMENT; + + if (memory_object_is_signed(control)) + return 0; + + blob = (struct cs_blob *) kalloc(sizeof (struct cs_blob)); + if (blob == NULL) + return ENOMEM; + + /* fill in the new blob */ + blob->csb_cpu_type = CPU_TYPE_ANY; + blob->csb_base_offset = 0; + blob->csb_mem_size = size; + blob->csb_mem_offset = 0; + blob->csb_mem_handle = IPC_PORT_NULL; + blob->csb_mem_kaddr = address; + blob->csb_sigpup = 1; + + /* + * Validate the blob's contents + */ + cd = findCodeDirectory( + (const CS_SuperBlob *) address, + (char *) address, + (char *) address + blob->csb_mem_size); + if (cd == NULL) { + /* no code directory => useless blob ! */ + error = EINVAL; + goto out; + } + + blob->csb_flags = ntohl(cd->flags) | CS_VALID; + blob->csb_end_offset = round_page(ntohl(cd->codeLimit)); + if((ntohl(cd->version) >= CS_SUPPORTSSCATTER) && (ntohl(cd->scatterOffset))) { + const SC_Scatter *scatter = (const SC_Scatter*) + ((const char*)cd + ntohl(cd->scatterOffset)); + blob->csb_start_offset = ntohl(scatter->base) * PAGE_SIZE; + } else { + blob->csb_start_offset = (blob->csb_end_offset - (ntohl(cd->nCodeSlots) * PAGE_SIZE)); + } + + /* + * We don't need to check with the policy module, since the input data is supposed to be already checked + */ + + vnode_lock(vp); + if (! UBCINFOEXISTS(vp)) { + vnode_unlock(vp); + if (cs_debug) + printf("out ubc object\n"); + error = ENOENT; + goto out; + } + uip = vp->v_ubcinfo; + + /* someone raced us to adding the code directory */ + if (uip->cs_blobs != NULL) { + if (cs_debug) + printf("sigpup: vnode already have CD ?\n"); + vnode_unlock(vp); + error = EEXIST; + goto out; + } + + blob->csb_next = uip->cs_blobs; + uip->cs_blobs = blob; + + OSAddAtomic(+1, &cs_blob_count); + OSAddAtomic((SInt32) +blob->csb_mem_size, &cs_blob_size); + + /* mark this vnode's VM object as having "signed pages" */ + kr = memory_object_signed(uip->ui_control, TRUE); + if (kr != KERN_SUCCESS) { + vnode_unlock(vp); + if (cs_debug) + printf("sigpup: not signable ?\n"); + error = ENOENT; + goto out; + } + + vnode_unlock(vp); + + error = 0; +out: + if (error) { + if (cs_debug) + printf("sigpup: not signable ?\n"); + /* we failed; release what we allocated */ + if (blob) { + kfree(blob, sizeof (*blob)); + blob = NULL; + } + } + + return error; +} + int ubc_cs_blob_add( struct vnode *vp, cpu_type_t cputype, off_t base_offset, vm_address_t addr, + off_t blob_offset, vm_size_t size) { kern_return_t kr; @@ -2278,6 +2781,9 @@ ubc_cs_blob_add( const CS_CodeDirectory *cd; off_t blob_start_offset, blob_end_offset; SHA1_CTX sha1ctxt; + boolean_t record_mtime; + + record_mtime = FALSE; blob_handle = IPC_PORT_NULL; @@ -2314,32 +2820,36 @@ ubc_cs_blob_add( /* fill in the new blob */ blob->csb_cpu_type = cputype; + blob->csb_sigpup = 0; blob->csb_base_offset = base_offset; + blob->csb_blob_offset = blob_offset; blob->csb_mem_size = size; blob->csb_mem_offset = 0; blob->csb_mem_handle = blob_handle; blob->csb_mem_kaddr = addr; + blob->csb_flags = 0; /* * Validate the blob's contents */ - cd = findCodeDirectory( - (const CS_SuperBlob *) addr, - (char *) addr, - (char *) addr + blob->csb_mem_size); - if (cd == NULL) { - /* no code directory => useless blob ! */ + + error = cs_validate_csblob((const uint8_t *)addr, size, &cd); + if (error) { + if (cs_debug) + printf("CODESIGNING: csblob invalid: %d\n", error); blob->csb_flags = 0; blob->csb_start_offset = 0; blob->csb_end_offset = 0; + memset(blob->csb_sha1, 0, SHA1_RESULTLEN); + /* let the vnode checker determine if the signature is valid or not */ } else { - unsigned char *sha1_base; + const unsigned char *sha1_base; int sha1_size; - blob->csb_flags = ntohl(cd->flags) | CS_VALID; + blob->csb_flags = (ntohl(cd->flags) & CS_ALLOWED_MACHO) | CS_VALID; blob->csb_end_offset = round_page(ntohl(cd->codeLimit)); - if((ntohl(cd->version) >= supportsScatter) && (ntohl(cd->scatterOffset))) { - const struct Scatter *scatter = (const struct Scatter*) + if((ntohl(cd->version) >= CS_SUPPORTSSCATTER) && (ntohl(cd->scatterOffset))) { + const SC_Scatter *scatter = (const SC_Scatter*) ((const char*)cd + ntohl(cd->scatterOffset)); blob->csb_start_offset = ntohl(scatter->base) * PAGE_SIZE; } else { @@ -2358,7 +2868,7 @@ ubc_cs_blob_add( * Let policy module check whether the blob's signature is accepted. */ #if CONFIG_MACF - error = mac_vnode_check_signature(vp, blob->csb_sha1, (void*)addr, size); + error = mac_vnode_check_signature(vp, base_offset, blob->csb_sha1, (void*)addr, size); if (error) goto out; #endif @@ -2424,11 +2934,43 @@ ubc_cs_blob_add( */ oblob->csb_cpu_type = cputype; } + /* + * If the same blob moved around in the Mach-O, we + * want to remember the new blob offset to avoid + * coming back here again and again. + */ + oblob->csb_blob_offset = blob_offset; + vnode_unlock(vp); error = EAGAIN; goto out; } else { /* different blob: reject the new one */ + char pathbuf[MAXPATHLEN]; + char new_sha1_str[2*SHA1_RESULTLEN+1]; + char old_sha1_str[2*SHA1_RESULTLEN+1]; + char arch_str[20]; + const char *pathp = "?unknown"; + int pblen = sizeof(pathbuf); + if (vn_getpath(vp, pathbuf, &pblen) == 0) { + /* pblen == strlen(pathbuf) + 1. Assume strlen(pathbuf) > 0 */ + for (pathp = pathbuf + pblen - 2; pathp > pathbuf && pathp[-1] != '/'; pathp--) ; + } + snprintf(arch_str, sizeof(arch_str), "%x", cputype); + hex_str(oblob->csb_sha1, SHA1_RESULTLEN, old_sha1_str); + hex_str(blob->csb_sha1, SHA1_RESULTLEN, new_sha1_str); + kern_asl_msg(LOG_NOTICE, "messagetracer", + 6, + "com.apple.message.domain", "com.apple.kernel.cs.replace", + "com.apple.message.signature", pathp, + "com.apple.message.signature2", arch_str, + "com.apple.message.signature3", old_sha1_str, + "com.apple.message.result", new_sha1_str, + "com.apple.message.summarize", "YES", + NULL + ); + printf("CODESIGNING: rejected new signature for architecture %d of file %s\n", + cputype, pathbuf); vnode_unlock(vp); error = EALREADY; goto out; @@ -2437,7 +2979,6 @@ ubc_cs_blob_add( } - /* mark this vnode's VM object as having "signed pages" */ kr = memory_object_signed(uip->ui_control, TRUE); if (kr != KERN_SUCCESS) { @@ -2446,6 +2987,11 @@ ubc_cs_blob_add( goto out; } + if (uip->cs_blobs == NULL) { + /* loading 1st blob: record the file's current "modify time" */ + record_mtime = TRUE; + } + /* * Add this blob to the list of blobs for this vnode. * We always add at the front of the list and we never remove a @@ -2468,23 +3014,28 @@ ubc_cs_blob_add( cs_blob_size_max = (UInt32) blob->csb_mem_size; } - if (cs_debug) { + if (cs_debug > 1) { proc_t p; - + const char *name = vnode_getname_printable(vp); p = current_proc(); printf("CODE SIGNING: proc %d(%s) " "loaded %s signatures for file (%s) " "range 0x%llx:0x%llx flags 0x%x\n", p->p_pid, p->p_comm, blob->csb_cpu_type == -1 ? "detached" : "embedded", - vnode_name(vp), + name, blob->csb_base_offset + blob->csb_start_offset, blob->csb_base_offset + blob->csb_end_offset, blob->csb_flags); + vnode_putname_printable(name); } vnode_unlock(vp); + if (record_mtime) { + vnode_mtime(vp, &uip->cs_mtime, vfs_context_current()); + } + error = 0; /* success ! */ out: @@ -2551,6 +3102,8 @@ ubc_cs_blob_get( } } + if (cs_debug && blob != NULL && blob->csb_sigpup) + printf("found sig pup blob\n"); out: vnode_unlock(vp); @@ -2567,7 +3120,7 @@ ubc_cs_free( blob != NULL; blob = next_blob) { next_blob = blob->csb_next; - if (blob->csb_mem_kaddr != 0) { + if (blob->csb_mem_kaddr != 0 && !blob->csb_sigpup) { ubc_cs_blob_deallocate(blob->csb_mem_kaddr, blob->csb_mem_size); blob->csb_mem_kaddr = 0; @@ -2580,6 +3133,9 @@ ubc_cs_free( OSAddAtomic((SInt32) -blob->csb_mem_size, &cs_blob_size); kfree(blob, sizeof (*blob)); } +#if CHECK_CS_VALIDATION_BITMAP + ubc_cs_validation_bitmap_deallocate( uip->ui_vnode ); +#endif uip->cs_blobs = NULL; } @@ -2617,11 +3173,30 @@ out: return blobs; } +void +ubc_get_cs_mtime( + struct vnode *vp, + struct timespec *cs_mtime) +{ + struct ubc_info *uip; + + if (! UBCINFOEXISTS(vp)) { + cs_mtime->tv_sec = 0; + cs_mtime->tv_nsec = 0; + return; + } + + uip = vp->v_ubcinfo; + cs_mtime->tv_sec = uip->cs_mtime.tv_sec; + cs_mtime->tv_nsec = uip->cs_mtime.tv_nsec; +} + unsigned long cs_validate_page_no_hash = 0; unsigned long cs_validate_page_bad_hash = 0; boolean_t cs_validate_page( void *_blobs, + memory_object_t pager, memory_object_offset_t page_offset, const void *data, boolean_t *tainted) @@ -2683,6 +3258,9 @@ cs_validate_page( break; } } + if (blob->csb_sigpup && cs_debug) + printf("checking for a sigpup CD\n"); + blob_addr = kaddr + blob->csb_mem_offset; lower_bound = CAST_DOWN(char *, blob_addr); @@ -2692,9 +3270,11 @@ cs_validate_page( cd = findCodeDirectory(embedded, lower_bound, upper_bound); if (cd != NULL) { if (cd->pageSize != PAGE_SHIFT || - cd->hashType != 0x1 || + cd->hashType != CS_HASHTYPE_SHA1 || cd->hashSize != SHA1_RESULTLEN) { /* bogus blob ? */ + if (blob->csb_sigpup && cs_debug) + printf("page foo bogus sigpup CD\n"); continue; } @@ -2702,19 +3282,30 @@ cs_validate_page( if (offset < blob->csb_start_offset || offset >= blob->csb_end_offset) { /* our page is not covered by this blob */ + if (blob->csb_sigpup && cs_debug) + printf("OOB sigpup CD\n"); continue; } codeLimit = ntohl(cd->codeLimit); - hash = hashes(cd, atop(offset), + if (blob->csb_sigpup && cs_debug) + printf("sigpup codesize %d\n", (int)codeLimit); + + hash = hashes(cd, (unsigned)atop(offset), lower_bound, upper_bound); if (hash != NULL) { bcopy(hash, expected_hash, sizeof (expected_hash)); found_hash = TRUE; + if (blob->csb_sigpup && cs_debug) + printf("sigpup hash\n"); } break; + } else { + if (blob->csb_sigpup && cs_debug) + printf("sig pup had no valid CD\n"); + } } @@ -2730,15 +3321,14 @@ cs_validate_page( cs_validate_page_no_hash++; if (cs_debug > 1) { printf("CODE SIGNING: cs_validate_page: " - "off 0x%llx: no hash to validate !?\n", - page_offset); + "mobj %p off 0x%llx: no hash to validate !?\n", + pager, page_offset); } validated = FALSE; *tainted = FALSE; } else { size = PAGE_SIZE; - const uint32_t *asha1, *esha1; if ((off_t)(offset + size) > codeLimit) { /* partial page at end of segment */ assert(offset < codeLimit); @@ -2749,28 +3339,37 @@ cs_validate_page( SHA1UpdateUsePhysicalAddress(&sha1ctxt, data, size); SHA1Final(actual_hash, &sha1ctxt); - asha1 = (const uint32_t *) actual_hash; - esha1 = (const uint32_t *) expected_hash; - if (bcmp(expected_hash, actual_hash, SHA1_RESULTLEN) != 0) { + char asha1_str[2*SHA1_RESULTLEN+1]; + char esha1_str[2*SHA1_RESULTLEN+1]; + hex_str(actual_hash, SHA1_RESULTLEN, asha1_str); + hex_str(expected_hash, SHA1_RESULTLEN, esha1_str); if (cs_debug) { printf("CODE SIGNING: cs_validate_page: " - "off 0x%llx size 0x%lx: " - "actual [0x%x 0x%x 0x%x 0x%x 0x%x] != " - "expected [0x%x 0x%x 0x%x 0x%x 0x%x]\n", - page_offset, size, - asha1[0], asha1[1], asha1[2], - asha1[3], asha1[4], - esha1[0], esha1[1], esha1[2], - esha1[3], esha1[4]); + "mobj %p off 0x%llx size 0x%lx: actual %s expected %s\n", + pager, page_offset, size, asha1_str, esha1_str); } cs_validate_page_bad_hash++; + if (!*tainted) { + char page_offset_str[20]; + snprintf(page_offset_str, sizeof(page_offset_str), "%llx", page_offset); + kern_asl_msg(LOG_NOTICE, "messagetracer", + 5, + "com.apple.message.domain", "com.apple.kernel.cs.mismatch", + "com.apple.message.signature", page_offset_str, + "com.apple.message.signature2", asha1_str, + "com.apple.message.signature3", esha1_str, + "com.apple.message.summarize", "YES", + NULL + ); + } *tainted = TRUE; } else { - if (cs_debug > 1) { + if (cs_debug > 10) { printf("CODE SIGNING: cs_validate_page: " - "off 0x%llx size 0x%lx: SHA1 OK\n", - page_offset, size); + "mobj %p off 0x%llx size 0x%lx: " + "SHA1 OK\n", + pager, page_offset, size); } *tainted = FALSE; } @@ -2818,3 +3417,127 @@ ubc_cs_getcdhash( return ret; } + +#if CHECK_CS_VALIDATION_BITMAP +#define stob(s) ((atop_64((s)) + 07) >> 3) +extern boolean_t root_fs_upgrade_try; + +/* + * Should we use the code-sign bitmap to avoid repeated code-sign validation? + * Depends: + * a) Is the target vnode on the root filesystem? + * b) Has someone tried to mount the root filesystem read-write? + * If answers are (a) yes AND (b) no, then we can use the bitmap. + */ +#define USE_CODE_SIGN_BITMAP(vp) ( (vp != NULL) && (vp->v_mount != NULL) && (vp->v_mount->mnt_flag & MNT_ROOTFS) && !root_fs_upgrade_try) +kern_return_t +ubc_cs_validation_bitmap_allocate( + vnode_t vp) +{ + kern_return_t kr = KERN_SUCCESS; + struct ubc_info *uip; + char *target_bitmap; + vm_object_size_t bitmap_size; + + if ( ! USE_CODE_SIGN_BITMAP(vp) || (! UBCINFOEXISTS(vp))) { + kr = KERN_INVALID_ARGUMENT; + } else { + uip = vp->v_ubcinfo; + + if ( uip->cs_valid_bitmap == NULL ) { + bitmap_size = stob(uip->ui_size); + target_bitmap = (char*) kalloc( (vm_size_t)bitmap_size ); + if (target_bitmap == 0) { + kr = KERN_NO_SPACE; + } else { + kr = KERN_SUCCESS; + } + if( kr == KERN_SUCCESS ) { + memset( target_bitmap, 0, (size_t)bitmap_size); + uip->cs_valid_bitmap = (void*)target_bitmap; + uip->cs_valid_bitmap_size = bitmap_size; + } + } + } + return kr; +} + +kern_return_t +ubc_cs_check_validation_bitmap ( + vnode_t vp, + memory_object_offset_t offset, + int optype) +{ + kern_return_t kr = KERN_SUCCESS; + + if ( ! USE_CODE_SIGN_BITMAP(vp) || ! UBCINFOEXISTS(vp)) { + kr = KERN_INVALID_ARGUMENT; + } else { + struct ubc_info *uip = vp->v_ubcinfo; + char *target_bitmap = uip->cs_valid_bitmap; + + if ( target_bitmap == NULL ) { + kr = KERN_INVALID_ARGUMENT; + } else { + uint64_t bit, byte; + bit = atop_64( offset ); + byte = bit >> 3; + + if ( byte > uip->cs_valid_bitmap_size ) { + kr = KERN_INVALID_ARGUMENT; + } else { + + if (optype == CS_BITMAP_SET) { + target_bitmap[byte] |= (1 << (bit & 07)); + kr = KERN_SUCCESS; + } else if (optype == CS_BITMAP_CLEAR) { + target_bitmap[byte] &= ~(1 << (bit & 07)); + kr = KERN_SUCCESS; + } else if (optype == CS_BITMAP_CHECK) { + if ( target_bitmap[byte] & (1 << (bit & 07))) { + kr = KERN_SUCCESS; + } else { + kr = KERN_FAILURE; + } + } + } + } + } + return kr; +} + +void +ubc_cs_validation_bitmap_deallocate( + vnode_t vp) +{ + struct ubc_info *uip; + void *target_bitmap; + vm_object_size_t bitmap_size; + + if ( UBCINFOEXISTS(vp)) { + uip = vp->v_ubcinfo; + + if ( (target_bitmap = uip->cs_valid_bitmap) != NULL ) { + bitmap_size = uip->cs_valid_bitmap_size; + kfree( target_bitmap, (vm_size_t) bitmap_size ); + uip->cs_valid_bitmap = NULL; + } + } +} +#else +kern_return_t ubc_cs_validation_bitmap_allocate(__unused vnode_t vp){ + return KERN_INVALID_ARGUMENT; +} + +kern_return_t ubc_cs_check_validation_bitmap( + __unused struct vnode *vp, + __unused memory_object_offset_t offset, + __unused int optype){ + + return KERN_INVALID_ARGUMENT; +} + +void ubc_cs_validation_bitmap_deallocate(__unused vnode_t vp){ + return; +} +#endif /* CHECK_CS_VALIDATION_BITMAP */