1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
|
/*
* Copyright (c) 2016 Apple Inc. All rights reserved.
*/
typedef char *kobject_description_t[512];
#include "options.h"
#include "vm.h"
#include "utils.h"
#include "region.h"
#include "sparse.h"
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
#include <unistd.h>
#include <stdbool.h>
#include <assert.h>
#include <sys/queue.h>
#include <machine/cpu_capabilities.h>
/*
* There should be better APIs to describe the shared region
* For now, some hackery.
*/
#include <mach/shared_region.h>
static __inline boolean_t
in_shared_region(mach_vm_address_t addr)
{
const mach_vm_address_t base = SHARED_REGION_BASE;
const mach_vm_address_t size = SHARED_REGION_SIZE;
return addr >= base && addr < (base + size);
}
/*
* On both x64 and arm, there's a globallly-shared
* read-only page at _COMM_PAGE_START_ADDRESS
* which low-level library routines reference.
*
* On x64, somewhere randomly chosen between _COMM_PAGE_TEXT_ADDRESS
* and the top of the user address space, there's the
* pre-emption-free-zone read-execute page.
*/
#include <System/machine/cpu_capabilities.h>
static __inline boolean_t
in_comm_region(const mach_vm_address_t addr, const vm_region_submap_info_data_64_t *info)
{
return addr >= _COMM_PAGE_START_ADDRESS &&
SM_TRUESHARED == info->share_mode &&
VM_INHERIT_SHARE == info->inheritance &&
!info->external_pager && (info->max_protection & VM_PROT_WRITE) == 0;
}
static __inline boolean_t
in_zfod_region(const vm_region_submap_info_data_64_t *info)
{
return info->share_mode == SM_EMPTY && !info->is_submap &&
0 == info->object_id && !info->external_pager &&
0 == info->pages_dirtied + info->pages_resident + info->pages_swapped_out;
}
static struct region *
new_region(mach_vm_offset_t vmaddr, mach_vm_size_t vmsize, const vm_region_submap_info_data_64_t *infop)
{
struct region *r = calloc(1, sizeof (*r));
assert(vmaddr != 0 && vmsize != 0);
R_SETADDR(r, vmaddr);
R_SETSIZE(r, vmsize);
r->r_info = *infop;
r->r_purgable = VM_PURGABLE_DENY;
r->r_insharedregion = in_shared_region(vmaddr);
r->r_incommregion = in_comm_region(vmaddr, &r->r_info);
r->r_inzfodregion = in_zfod_region(&r->r_info);
if (r->r_inzfodregion)
r->r_op = &zfod_ops;
else
r->r_op = &vanilla_ops;
return r;
}
void
del_fileref_region(struct region *r)
{
assert(&fileref_ops == r->r_op);
/* r->r_fileref->fr_libent is a reference into the name table */
poison(r->r_fileref, 0xdeadbee9, sizeof (*r->r_fileref));
free(r->r_fileref);
poison(r, 0xdeadbeeb, sizeof (*r));
free(r);
}
void
del_zfod_region(struct region *r)
{
assert(&zfod_ops == r->r_op);
assert(r->r_inzfodregion && 0 == r->r_nsubregions);
assert(NULL == r->r_fileref);
poison(r, 0xdeadbeed, sizeof (*r));
free(r);
}
void
del_vanilla_region(struct region *r)
{
assert(&vanilla_ops == r->r_op);
assert(!r->r_inzfodregion && 0 == r->r_nsubregions);
assert(NULL == r->r_fileref);
poison(r, 0xdeadbeef, sizeof (*r));
free(r);
}
/*
* "does any part of this address range match the tag?"
*/
int
is_tagged(task_t task, mach_vm_offset_t addr, mach_vm_offset_t size, unsigned tag)
{
mach_vm_offset_t vm_addr = addr;
mach_vm_offset_t vm_size = 0;
natural_t depth = 0;
size_t pgsize = (1u << pageshift_host);
do {
mach_msg_type_number_t count = VM_REGION_SUBMAP_INFO_COUNT_64;
vm_region_submap_info_data_64_t info;
kern_return_t ret = mach_vm_region_recurse(task, &vm_addr, &vm_size, &depth, (vm_region_recurse_info_t)&info, &count);
if (KERN_FAILURE == ret) {
err_mach(ret, NULL, "error inspecting task at %llx", vm_addr);
return -1;
} else if (KERN_INVALID_ADDRESS == ret) {
err_mach(ret, NULL, "invalid address at %llx", vm_addr);
return -1;
} else if (KERN_SUCCESS != ret) {
err_mach(ret, NULL, "error inspecting task at %llx", vm_addr);
return -1;
}
if (info.is_submap) {
depth++;
continue;
}
if (info.user_tag == tag)
return 1;
if (vm_addr + vm_size > addr + size)
return 0;
vm_addr += pgsize;
} while (1);
}
STAILQ_HEAD(regionhead, region);
/*
* XXX Need something like mach_vm_shared_region_recurse()
* to properly identify the shared region address ranges as
* we go.
*/
static int
walk_regions(task_t task, struct regionhead *rhead)
{
mach_vm_offset_t vm_addr = MACH_VM_MIN_ADDRESS;
natural_t depth = 0;
if (OPTIONS_DEBUG(opt, 3)) {
printf("Building raw region list\n");
print_memory_region_header();
}
while (1) {
vm_region_submap_info_data_64_t info;
mach_msg_type_number_t count = VM_REGION_SUBMAP_INFO_COUNT_64;
mach_vm_size_t vm_size;
kern_return_t ret = mach_vm_region_recurse(task, &vm_addr, &vm_size, &depth, (vm_region_recurse_info_t)&info, &count);
if (KERN_FAILURE == ret) {
err_mach(ret, NULL, "error inspecting task at %llx", vm_addr);
goto bad;
} else if (KERN_INVALID_ADDRESS == ret) {
break; /* loop termination */
} else if (KERN_SUCCESS != ret) {
err_mach(ret, NULL, "error inspecting task at %llx", vm_addr);
goto bad;
}
if (OPTIONS_DEBUG(opt, 3)) {
struct region *d = new_region(vm_addr, vm_size, &info);
ROP_PRINT(d);
ROP_DELETE(d);
}
if (info.is_submap) {
#ifdef CONFIG_SUBMAP
/* We also want to see submaps -- for debugging purposes. */
struct region *r = new_region(vm_addr, vm_size, &info);
r->r_depth = depth;
STAILQ_INSERT_TAIL(rhead, r, r_linkage);
#endif
depth++;
continue;
}
if (VM_MEMORY_IOKIT == info.user_tag) {
vm_addr += vm_size;
continue; // ignore immediately: IO memory has side-effects
}
struct region *r = new_region(vm_addr, vm_size, &info);
#ifdef CONFIG_SUBMAP
r->r_depth = depth;
#endif
/* grab the page info of the first page in the mapping */
mach_msg_type_number_t pageinfoCount = VM_PAGE_INFO_BASIC_COUNT;
ret = mach_vm_page_info(task, R_ADDR(r), VM_PAGE_INFO_BASIC, (vm_page_info_t)&r->r_pageinfo, &pageinfoCount);
if (KERN_SUCCESS != ret)
err_mach(ret, r, "getting pageinfo at %llx", R_ADDR(r));
/* record the purgability */
ret = mach_vm_purgable_control(task, vm_addr, VM_PURGABLE_GET_STATE, &r->r_purgable);
if (KERN_SUCCESS != ret)
r->r_purgable = VM_PURGABLE_DENY;
STAILQ_INSERT_TAIL(rhead, r, r_linkage);
vm_addr += vm_size;
}
return 0;
bad:
return EX_OSERR;
}
void
del_region_list(struct regionhead *rhead)
{
struct region *r, *t;
STAILQ_FOREACH_SAFE(r, rhead, r_linkage, t) {
STAILQ_REMOVE(rhead, r, region, r_linkage);
ROP_DELETE(r);
}
free(rhead);
}
struct regionhead *
build_region_list(task_t task)
{
struct regionhead *rhead = malloc(sizeof (*rhead));
STAILQ_INIT(rhead);
if (0 != walk_regions(task, rhead)) {
del_region_list(rhead);
return NULL;
}
return rhead;
}
int
walk_region_list(struct regionhead *rhead, walk_region_cbfn_t cbfn, void *arg)
{
struct region *r, *t;
STAILQ_FOREACH_SAFE(r, rhead, r_linkage, t) {
switch (cbfn(r, arg)) {
case WALK_CONTINUE:
break;
case WALK_DELETE_REGION:
STAILQ_REMOVE(rhead, r, region, r_linkage);
ROP_DELETE(r);
break;
case WALK_TERMINATE:
goto done;
case WALK_ERROR:
return -1;
}
}
done:
return 0;
}
int pageshift_host;
int pageshift_app;
void
setpageshift(void)
{
if (0 == pageshift_host) {
vm_size_t hps = 0;
kern_return_t ret = host_page_size(MACH_PORT_NULL, &hps);
if (KERN_SUCCESS != ret || hps == 0)
err_mach(ret, NULL, "host page size");
int pshift = 0;
while (((vm_offset_t)1 << pshift) != hps)
pshift++;
pageshift_host = pshift;
}
if (OPTIONS_DEBUG(opt, 3))
printf("host page size: %lu\n", 1ul << pageshift_host);
if (0 == pageshift_app) {
size_t psz = getpagesize();
int pshift = 0;
while ((1ul << pshift) != psz)
pshift++;
pageshift_app = pshift;
}
if (OPTIONS_DEBUG(opt, 3) && pageshift_app != pageshift_host)
printf("app page size: %lu\n", 1ul << pageshift_app);
}
void
print_memory_region_header(void)
{
printf("%-33s %c %-7s %-7s %8s %16s ",
"Address Range", 'S', "Size", "Cur/Max", "Obj32", "FirstPgObjectID");
printf("%9s %-3s %-11s %5s ",
"Offset", "Tag", "Mode", "Refc");
#ifdef CONFIG_SUBMAP
printf("%5s ", "Depth");
#endif
printf("%5s %5s %5s %3s ",
"Res", "SNP", "Dirty", "Pgr");
printf("\n");
}
static __inline char
region_type(const struct region *r)
{
if (r->r_fileref)
return 'f';
if (r->r_inzfodregion)
return 'z';
if (r->r_incommregion)
return 'c';
if (r->r_insharedregion)
return 's';
return ' ';
}
void
print_memory_region(const struct region *r)
{
hsize_str_t hstr;
tag_str_t tstr;
printf("%016llx-%016llx %c %-7s %s/%s %8x %16llx ",
R_ADDR(r), R_ENDADDR(r), region_type(r),
str_hsize(hstr, R_SIZE(r)),
str_prot(r->r_info.protection),
str_prot(r->r_info.max_protection),
r->r_info.object_id, r->r_pageinfo.object_id
);
printf("%9lld %3d %-11s %5u ",
r->r_info.external_pager ?
r->r_pageinfo.offset : r->r_info.offset,
r->r_info.user_tag,
str_shared(r->r_info.share_mode),
r->r_info.ref_count
);
#ifdef CONFIG_SUBMAP
printf("%5u ", r->r_depth);
#endif
if (!r->r_info.is_submap) {
printf("%5u %5u %5u %3s ",
r->r_info.pages_resident,
r->r_info.pages_shared_now_private,
r->r_info.pages_dirtied,
r->r_info.external_pager ? "ext" : "");
if (r->r_fileref)
printf("\n %s at %lld ",
r->r_fileref->fr_pathname,
r->r_fileref->fr_offset);
else
printf("%s", str_tagr(tstr, r));
printf("\n");
if (r->r_nsubregions) {
printf(" %-33s %7s %12s\t%s\n",
"Address Range", "Size", "Type(s)", "Filename(s)");
for (unsigned i = 0; i < r->r_nsubregions; i++) {
struct subregion *s = r->r_subregions[i];
printf(" %016llx-%016llx %7s %12s\t%s\n",
S_ADDR(s), S_ENDADDR(s),
str_hsize(hstr, S_SIZE(s)),
S_MACHO_TYPE(s),
S_FILENAME(s));
}
}
} else {
printf("%5s %5s %5s %3s %s\n", "", "", "", "", str_tagr(tstr, r));
}
}
walk_return_t
region_print_memory(struct region *r, __unused void *arg)
{
ROP_PRINT(r);
return WALK_CONTINUE;
}
void
print_one_memory_region(const struct region *r)
{
print_memory_region_header();
ROP_PRINT(r);
}
#ifdef RDAR_23744374
/*
* The reported size of a mapping to a file object gleaned from
* mach_vm_region_recurse() can exceed the underlying size of the file.
* If we attempt to write out the full reported size, we find that we
* error (EFAULT) or if we compress it, we die with the SIGBUS.
*
* See rdar://23744374
*
* Figure out what the "non-faulting" size of the object is to
* *host* page size resolution.
*/
bool
is_actual_size(const task_t task, const struct region *r, mach_vm_size_t *hostvmsize)
{
if (!r->r_info.external_pager ||
(r->r_info.max_protection & VM_PROT_READ) == VM_PROT_NONE)
return true;
const size_t pagesize_host = 1ul << pageshift_host;
const unsigned filepages = r->r_info.pages_resident +
r->r_info.pages_swapped_out;
if (pagesize_host * filepages == R_SIZE(r))
return true;
/*
* Verify that the last couple of host-pagesize pages
* of a file backed mapping are actually pageable in the
* underlying object by walking backwards from the end
* of the application-pagesize mapping.
*/
*hostvmsize = R_SIZE(r);
const long npagemax = 1ul << (pageshift_app - pageshift_host);
for (long npage = 0; npage < npagemax; npage++) {
const mach_vm_address_t taddress =
R_ENDADDR(r) - pagesize_host * (npage + 1);
if (taddress < R_ADDR(r) || taddress >= R_ENDADDR(r))
break;
mach_msg_type_number_t pCount = VM_PAGE_INFO_BASIC_COUNT;
vm_page_info_basic_data_t pInfo;
kern_return_t ret = mach_vm_page_info(task, taddress, VM_PAGE_INFO_BASIC, (vm_page_info_t)&pInfo, &pCount);
if (KERN_SUCCESS != ret) {
err_mach(ret, NULL, "getting pageinfo at %llx", taddress);
break; /* bail */
}
/*
* If this page has been in memory before, assume it can
* be brought back again
*/
if (pInfo.disposition & (VM_PAGE_QUERY_PAGE_PRESENT | VM_PAGE_QUERY_PAGE_REF | VM_PAGE_QUERY_PAGE_DIRTY | VM_PAGE_QUERY_PAGE_PAGED_OUT))
continue;
/*
* Force the page to be fetched to see if it faults
*/
mach_vm_size_t tsize = 1ul << pageshift_host;
void *tmp = valloc((size_t)tsize);
const mach_vm_address_t vtmp = (mach_vm_address_t)tmp;
switch (ret = mach_vm_read_overwrite(task,
taddress, tsize, vtmp, &tsize)) {
case KERN_INVALID_ADDRESS:
*hostvmsize = taddress - R_ADDR(r);
break;
case KERN_SUCCESS:
break;
default:
err_mach(ret, NULL, "mach_vm_overwrite()");
break;
}
free(tmp);
}
return R_SIZE(r) == *hostvmsize;
}
#endif
|
