/*
* Function: csproc_get_blob
*
* Description: This function returns the cs_blob
* for the process p
*/
struct cs_blob *
csproc_get_blob(struct proc *p)
{
if (NULL == p)
return NULL;
if (NULL == p->p_textvp)
return NULL;
return ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff);
}
uint8_t *
cs_get_cdhash(struct proc *p)
{
struct cs_blob *csblob;
if (NULL == p->p_textvp)
return NULL;
if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL)
return NULL;
return csblob->csb_cdhash;
}
const char *
cs_identity_get(proc_t p)
{
struct cs_blob *csblob;
if (NULL == p->p_textvp)
return NULL;
if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL)
return NULL;
return csblob_get_identity(csblob);
}
/*
* Function: csvnode_get_teamid
*
* Description: This function returns a pointer to the
* team id of the binary at the given offset in vnode vp
*/
const char *
csvnode_get_teamid(struct vnode *vp, off_t offset)
{
struct cs_blob *csblob;
if (vp == NULL)
return NULL;
csblob = ubc_cs_blob_get(vp, -1, offset);
if (csblob == NULL)
return NULL;
return csblob_get_teamid(csblob);
}
int
cs_entitlements_blob_get(proc_t p, void **out_start, size_t *out_length)
{
struct cs_blob *csblob;
*out_start = NULL;
*out_length = 0;
if (NULL == p->p_textvp)
return EINVAL;
if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL)
return 0;
return csblob_get_entitlements(csblob, out_start, out_length);
}
int
cs_blob_get(proc_t p, void **out_start, size_t *out_length)
{
struct cs_blob *csblob;
*out_start = NULL;
*out_length = 0;
if (NULL == p->p_textvp)
return EINVAL;
if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL)
return 0;
*out_start = (void *)csblob->csb_mem_kaddr;
*out_length = csblob->csb_mem_size;
return 0;
}
uint8_t *
csfg_get_cdhash(struct fileglob *fg, uint64_t offset, size_t *cdhash_size)
{
vnode_t vp;
if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE)
return NULL;
vp = (struct vnode *)fg->fg_data;
if (vp == NULL)
return NULL;
struct cs_blob *csblob = NULL;
if ((csblob = ubc_cs_blob_get(vp, -1, offset)) == NULL)
return NULL;
if (cdhash_size)
*cdhash_size = CS_CDHASH_LEN;
return csblob->csb_cdhash;
}
/*
* The file size of a mach-o file is limited to 32 bits; this is because
* this is the limit on the kalloc() of enough bytes for a mach_header and
* the contents of its sizeofcmds, which is currently constrained to 32
* bits in the file format itself. We read into the kernel buffer the
* commands section, and then parse it in order to parse the mach-o file
* format load_command segment(s). We are only interested in a subset of
* the total set of possible commands. If "map"==VM_MAP_NULL or
* "thread"==THREAD_NULL, do not make permament VM modifications,
* just preflight the parse.
*/
static
load_return_t
parse_machfile(
struct vnode *vp,
vm_map_t map,
thread_t thread,
struct mach_header *header,
off_t file_offset,
off_t macho_size,
int depth,
int64_t aslr_offset,
load_result_t *result
)
{
uint32_t ncmds;
struct load_command *lcp;
struct dylinker_command *dlp = 0;
struct uuid_command *uulp = 0;
integer_t dlarchbits = 0;
void * control;
load_return_t ret = LOAD_SUCCESS;
caddr_t addr;
void * kl_addr;
vm_size_t size,kl_size;
size_t offset;
size_t oldoffset; /* for overflow check */
int pass;
proc_t p = current_proc(); /* XXXX */
int error;
int resid=0;
size_t mach_header_sz = sizeof(struct mach_header);
boolean_t abi64;
boolean_t got_code_signatures = FALSE;
int64_t slide = 0;
if (header->magic == MH_MAGIC_64 ||
header->magic == MH_CIGAM_64) {
mach_header_sz = sizeof(struct mach_header_64);
}
/*
* Break infinite recursion
*/
if (depth > 6) {
return(LOAD_FAILURE);
}
depth++;
/*
* Check to see if right machine type.
*/
if (((cpu_type_t)(header->cputype & ~CPU_ARCH_MASK) != cpu_type()) ||
!grade_binary(header->cputype,
header->cpusubtype & ~CPU_SUBTYPE_MASK))
return(LOAD_BADARCH);
abi64 = ((header->cputype & CPU_ARCH_ABI64) == CPU_ARCH_ABI64);
switch (header->filetype) {
case MH_OBJECT:
case MH_EXECUTE:
case MH_PRELOAD:
if (depth != 1) {
return (LOAD_FAILURE);
}
break;
case MH_FVMLIB:
case MH_DYLIB:
if (depth == 1) {
return (LOAD_FAILURE);
}
break;
case MH_DYLINKER:
if (depth != 2) {
return (LOAD_FAILURE);
}
break;
default:
return (LOAD_FAILURE);
}
/*
* Get the pager for the file.
*/
control = ubc_getobject(vp, UBC_FLAGS_NONE);
/*
* Map portion that must be accessible directly into
* kernel's map.
*/
if ((off_t)(mach_header_sz + header->sizeofcmds) > macho_size)
return(LOAD_BADMACHO);
/*
* Round size of Mach-O commands up to page boundry.
*/
size = round_page(mach_header_sz + header->sizeofcmds);
if (size <= 0)
return(LOAD_BADMACHO);
/*
* Map the load commands into kernel memory.
*/
addr = 0;
kl_size = size;
kl_addr = kalloc(size);
addr = (caddr_t)kl_addr;
if (addr == NULL)
return(LOAD_NOSPACE);
error = vn_rdwr(UIO_READ, vp, addr, size, file_offset,
UIO_SYSSPACE, 0, kauth_cred_get(), &resid, p);
if (error) {
if (kl_addr )
kfree(kl_addr, kl_size);
return(LOAD_IOERROR);
}
/*
* For PIE and dyld, slide everything by the ASLR offset.
*/
aslr_offset = 0;
if ((header->flags & MH_PIE) || (header->filetype == MH_DYLINKER)) {
slide = aslr_offset;
}
/*
* Scan through the commands, processing each one as necessary.
*/
for (pass = 1; pass <= 3; pass++) {
/*
* Check that the entry point is contained in an executable segments
*/
if ((pass == 3) && (result->validentry == 0)) {
thread_state_initialize(thread);
ret = LOAD_FAILURE;
break;
}
/*
* Loop through each of the load_commands indicated by the
* Mach-O header; if an absurd value is provided, we just
* run off the end of the reserved section by incrementing
* the offset too far, so we are implicitly fail-safe.
*/
offset = mach_header_sz;
ncmds = header->ncmds;
while (ncmds--) {
/*
* Get a pointer to the command.
*/
lcp = (struct load_command *)(addr + offset);
oldoffset = offset;
offset += lcp->cmdsize;
/*
* Perform prevalidation of the struct load_command
* before we attempt to use its contents. Invalid
* values are ones which result in an overflow, or
* which can not possibly be valid commands, or which
* straddle or exist past the reserved section at the
* start of the image.
*/
if (oldoffset > offset ||
lcp->cmdsize < sizeof(struct load_command) ||
offset > header->sizeofcmds + mach_header_sz) {
ret = LOAD_BADMACHO;
break;
}
/*
* Act on struct load_command's for which kernel
* intervention is required.
*/
switch(lcp->cmd) {
case LC_SEGMENT:
case LC_SEGMENT_64:
if (pass != 2)
break;
ret = load_segment(lcp,
header->filetype,
control,
file_offset,
macho_size,
vp,
map,
slide,
result);
break;
case LC_UNIXTHREAD:
if (pass != 1)
break;
ret = load_unixthread(
(struct thread_command *) lcp,
thread,
slide,
result);
break;
case LC_MAIN:
if (pass != 1)
break;
if (depth != 1)
break;
ret = load_main(
(struct entry_point_command *) lcp,
thread,
slide,
result);
break;
case LC_LOAD_DYLINKER:
if (pass != 3)
break;
if ((depth == 1) && (dlp == 0)) {
dlp = (struct dylinker_command *)lcp;
dlarchbits = (header->cputype & CPU_ARCH_MASK);
} else {
ret = LOAD_FAILURE;
}
break;
case LC_UUID:
if (pass == 1 && depth == 1) {
uulp = (struct uuid_command *)lcp;
memcpy(&result->uuid[0], &uulp->uuid[0], sizeof(result->uuid));
}
break;
case LC_CODE_SIGNATURE:
/* CODE SIGNING */
if (pass != 1)
break;
/* pager -> uip ->
load signatures & store in uip
set VM object "signed_pages"
*/
ret = load_code_signature(
(struct linkedit_data_command *) lcp,
vp,
file_offset,
macho_size,
header->cputype,
(depth == 1) ? result : NULL);
if (ret != LOAD_SUCCESS) {
printf("proc %d: load code signature error %d "
"for file \"%s\"\n",
p->p_pid, ret, vp->v_name);
ret = LOAD_SUCCESS; /* ignore error */
} else {
got_code_signatures = TRUE;
}
break;
#if CONFIG_CODE_DECRYPTION
#ifndef __arm__
case LC_ENCRYPTION_INFO:
if (pass != 3)
break;
ret = set_code_unprotect(
(struct encryption_info_command *) lcp,
addr, map, slide, vp);
if (ret != LOAD_SUCCESS) {
printf("proc %d: set_code_unprotect() error %d "
"for file \"%s\"\n",
p->p_pid, ret, vp->v_name);
/* Don't let the app run if it's
* encrypted but we failed to set up the
* decrypter */
psignal(p, SIGKILL);
}
break;
#endif
#endif
default:
/* Other commands are ignored by the kernel */
ret = LOAD_SUCCESS;
break;
}
if (ret != LOAD_SUCCESS)
break;
}
if (ret != LOAD_SUCCESS)
break;
}
if (ret == LOAD_SUCCESS) {
if (! got_code_signatures) {
struct cs_blob *blob;
/* no embedded signatures: look for detached ones */
blob = ubc_cs_blob_get(vp, -1, file_offset);
if (blob != NULL) {
/* get flags to be applied to the process */
result->csflags |= blob->csb_flags;
}
}
/* Make sure if we need dyld, we got it */
if (result->needs_dynlinker && !dlp) {
ret = LOAD_FAILURE;
}
if ((ret == LOAD_SUCCESS) && (dlp != 0)) {
/* load the dylinker, and always slide it by the ASLR
* offset regardless of PIE */
ret = load_dylinker(dlp, dlarchbits, map, thread, depth, aslr_offset, result);
}
if((ret == LOAD_SUCCESS) && (depth == 1)) {
if (result->thread_count == 0) {
ret = LOAD_FAILURE;
}
}
}
if (kl_addr )
kfree(kl_addr, kl_size);
return(ret);
}
/*
* Function: csproc_get_blob
*
* Description: This function returns the cs_blob
* for the vnode vp
*/
struct cs_blob *
csvnode_get_blob(struct vnode *vp, off_t offset)
{
return ubc_cs_blob_get(vp, -1, offset);
}
/*
* The file size of a mach-o file is limited to 32 bits; this is because
* this is the limit on the kalloc() of enough bytes for a mach_header and
* the contents of its sizeofcmds, which is currently constrained to 32
* bits in the file format itself. We read into the kernel buffer the
* commands section, and then parse it in order to parse the mach-o file
* format load_command segment(s). We are only interested in a subset of
* the total set of possible commands.
*/
static
load_return_t
parse_machfile(
struct vnode *vp,
vm_map_t map,
thread_t thread,
struct mach_header *header,
off_t file_offset,
off_t macho_size,
int depth,
load_result_t *result
)
{
uint32_t ncmds;
struct load_command *lcp;
struct dylinker_command *dlp = 0;
integer_t dlarchbits = 0;
void * pager;
load_return_t ret = LOAD_SUCCESS;
caddr_t addr;
void * kl_addr;
vm_size_t size,kl_size;
size_t offset;
size_t oldoffset; /* for overflow check */
int pass;
proc_t p = current_proc(); /* XXXX */
int error;
int resid=0;
task_t task;
size_t mach_header_sz = sizeof(struct mach_header);
boolean_t abi64;
boolean_t got_code_signatures = FALSE;
if (header->magic == MH_MAGIC_64 ||
header->magic == MH_CIGAM_64) {
mach_header_sz = sizeof(struct mach_header_64);
}
/*
* Break infinite recursion
*/
if (depth > 6) {
return(LOAD_FAILURE);
}
task = (task_t)get_threadtask(thread);
depth++;
/*
* Check to see if right machine type.
*/
if (((cpu_type_t)(header->cputype & ~CPU_ARCH_MASK) != cpu_type()) ||
!grade_binary(header->cputype,
header->cpusubtype & ~CPU_SUBTYPE_MASK))
return(LOAD_BADARCH);
abi64 = ((header->cputype & CPU_ARCH_ABI64) == CPU_ARCH_ABI64);
switch (header->filetype) {
case MH_OBJECT:
case MH_EXECUTE:
case MH_PRELOAD:
if (depth != 1) {
return (LOAD_FAILURE);
}
break;
case MH_FVMLIB:
case MH_DYLIB:
if (depth == 1) {
return (LOAD_FAILURE);
}
break;
case MH_DYLINKER:
if (depth != 2) {
return (LOAD_FAILURE);
}
break;
default:
return (LOAD_FAILURE);
}
/*
* Get the pager for the file.
*/
pager = (void *) ubc_getpager(vp);
/*
* Map portion that must be accessible directly into
* kernel's map.
*/
if ((mach_header_sz + header->sizeofcmds) > macho_size)
return(LOAD_BADMACHO);
/*
* Round size of Mach-O commands up to page boundry.
*/
size = round_page(mach_header_sz + header->sizeofcmds);
if (size <= 0)
return(LOAD_BADMACHO);
/*
* Map the load commands into kernel memory.
*/
addr = 0;
kl_size = size;
kl_addr = kalloc(size);
addr = (caddr_t)kl_addr;
if (addr == NULL)
return(LOAD_NOSPACE);
error = vn_rdwr(UIO_READ, vp, addr, size, file_offset,
UIO_SYSSPACE32, 0, kauth_cred_get(), &resid, p);
if (error) {
if (kl_addr )
kfree(kl_addr, kl_size);
return(LOAD_IOERROR);
}
/* (void)ubc_map(vp, PROT_EXEC); */ /* NOT HERE */
/*
* Scan through the commands, processing each one as necessary.
*/
for (pass = 1; pass <= 2; pass++) {
/*
* Loop through each of the load_commands indicated by the
* Mach-O header; if an absurd value is provided, we just
* run off the end of the reserved section by incrementing
* the offset too far, so we are implicitly fail-safe.
*/
offset = mach_header_sz;
ncmds = header->ncmds;
while (ncmds--) {
/*
* Get a pointer to the command.
*/
lcp = (struct load_command *)(addr + offset);
oldoffset = offset;
offset += lcp->cmdsize;
/*
* Perform prevalidation of the struct load_command
* before we attempt to use its contents. Invalid
* values are ones which result in an overflow, or
* which can not possibly be valid commands, or which
* straddle or exist past the reserved section at the
* start of the image.
*/
if (oldoffset > offset ||
lcp->cmdsize < sizeof(struct load_command) ||
offset > header->sizeofcmds + mach_header_sz) {
ret = LOAD_BADMACHO;
break;
}
/*
* Act on struct load_command's for which kernel
* intervention is required.
*/
switch(lcp->cmd) {
case LC_SEGMENT_64:
if (pass != 1)
break;
ret = load_segment_64(
(struct segment_command_64 *)lcp,
pager,
file_offset,
macho_size,
ubc_getsize(vp),
map,
result);
break;
case LC_SEGMENT:
if (pass != 1)
break;
ret = load_segment(
(struct segment_command *) lcp,
pager,
file_offset,
macho_size,
ubc_getsize(vp),
map,
result);
break;
case LC_THREAD:
if (pass != 2)
break;
ret = load_thread((struct thread_command *)lcp,
thread,
result);
break;
case LC_UNIXTHREAD:
if (pass != 2)
break;
ret = load_unixthread(
(struct thread_command *) lcp,
thread,
result);
break;
case LC_LOAD_DYLINKER:
if (pass != 2)
break;
if ((depth == 1) && (dlp == 0)) {
dlp = (struct dylinker_command *)lcp;
dlarchbits = (header->cputype & CPU_ARCH_MASK);
} else {
ret = LOAD_FAILURE;
}
break;
case LC_CODE_SIGNATURE:
/* CODE SIGNING */
if (pass != 2)
break;
/* pager -> uip ->
load signatures & store in uip
set VM object "signed_pages"
*/
ret = load_code_signature(
(struct linkedit_data_command *) lcp,
vp,
file_offset,
macho_size,
header->cputype,
(depth == 1) ? result : NULL);
if (ret != LOAD_SUCCESS) {
printf("proc %d: load code signature error %d "
"for file \"%s\"\n",
p->p_pid, ret, vp->v_name);
ret = LOAD_SUCCESS; /* ignore error */
} else {
got_code_signatures = TRUE;
}
break;
default:
/* Other commands are ignored by the kernel */
ret = LOAD_SUCCESS;
break;
}
if (ret != LOAD_SUCCESS)
break;
}
if (ret != LOAD_SUCCESS)
break;
}
if (ret == LOAD_SUCCESS) {
if (! got_code_signatures) {
struct cs_blob *blob;
/* no embedded signatures: look for detached ones */
blob = ubc_cs_blob_get(vp, -1, file_offset);
if (blob != NULL) {
/* get flags to be applied to the process */
result->csflags |= blob->csb_flags;
}
}
if (dlp != 0)
ret = load_dylinker(dlp, dlarchbits, map, thread, depth, result, abi64);
if(depth == 1) {
if (result->thread_count == 0) {
ret = LOAD_FAILURE;
} else if ( abi64 ) {
#ifdef __ppc__
/* Map in 64-bit commpage */
/* LP64todo - make this clean */
/*
* PPC51: ppc64 is limited to 51-bit addresses.
* Memory above that limit is handled specially
* at the pmap level.
*/
pmap_map_sharedpage(current_task(), get_map_pmap(map));
#endif /* __ppc__ */
}
}
}
if (kl_addr )
kfree(kl_addr, kl_size);
if (ret == LOAD_SUCCESS)
(void)ubc_map(vp, PROT_READ | PROT_EXEC);
return(ret);
}
int
load_code_signature(
struct linkedit_data_command *lcp,
struct vnode *vp,
off_t macho_offset,
off_t macho_size,
cpu_type_t cputype,
load_result_t *result)
{
int ret;
kern_return_t kr;
vm_offset_t addr;
int resid;
struct cs_blob *blob;
int error;
addr = 0;
blob = NULL;
if (lcp->cmdsize != sizeof (struct linkedit_data_command) ||
lcp->dataoff + lcp->datasize > macho_size) {
ret = LOAD_BADMACHO;
goto out;
}
blob = ubc_cs_blob_get(vp, cputype, -1);
if (blob != NULL) {
/* we already have a blob for this vnode and cputype */
if (blob->csb_cpu_type == cputype &&
blob->csb_base_offset == macho_offset &&
blob->csb_mem_size == lcp->datasize) {
/* it matches the blob we want here: we're done */
ret = LOAD_SUCCESS;
} else {
/* the blob has changed for this vnode: fail ! */
ret = LOAD_BADMACHO;
}
goto out;
}
kr = kmem_alloc(kernel_map, &addr, round_page(lcp->datasize));
if (kr != KERN_SUCCESS) {
ret = LOAD_NOSPACE;
goto out;
}
resid = 0;
error = vn_rdwr(UIO_READ,
vp,
(caddr_t) addr,
lcp->datasize,
macho_offset + lcp->dataoff,
UIO_SYSSPACE32,
0,
kauth_cred_get(),
&resid,
current_proc());
if (error || resid != 0) {
ret = LOAD_IOERROR;
goto out;
}
if (ubc_cs_blob_add(vp,
cputype,
macho_offset,
addr,
lcp->datasize)) {
ret = LOAD_FAILURE;
goto out;
} else {
/* ubc_cs_blob_add() has consumed "addr" */
addr = 0;
}
blob = ubc_cs_blob_get(vp, cputype, -1);
ret = LOAD_SUCCESS;
out:
if (result && ret == LOAD_SUCCESS) {
result->csflags |= blob->csb_flags;
}
if (addr != 0) {
kmem_free(kernel_map, addr, round_page(lcp->datasize));
addr = 0;
}
return ret;
}
