xnu-3248.60.10

Imported from https://opensource.apple.com/tarballs/xnu/xnu-3248.60.10.tar.gz
javagrails · Jun 4, 2017 · 7f520aa · 7f520aa
1 parent 0ed26c3
commit 7f520aa
Show file tree

Hide file tree

Showing 17 changed files with 352 additions and 62 deletions.
diff --git a/bsd/kern/kern_proc.c b/bsd/kern/kern_proc.c
@@ -1784,7 +1784,7 @@ csops_internal(pid_t pid, int ops, user_addr_t uaddr, user_size_t usersize, user
 		case CS_OPS_ENTITLEMENTS_BLOB:
 		case CS_OPS_IDENTITY:
 		case CS_OPS_BLOB:
-			break;	/* unrestricted */
+			break;	/* not restricted to root */
 		default:
 			if (forself == 0 && kauth_cred_issuser(kauth_cred_get()) != TRUE)
 				return(EPERM);
@@ -1809,6 +1809,22 @@ csops_internal(pid_t pid, int ops, user_addr_t uaddr, user_size_t usersize, user
 		}
 	}
 
+#if CONFIG_MACF
+	switch (ops) {
+		case CS_OPS_MARKINVALID:
+		case CS_OPS_MARKHARD:
+		case CS_OPS_MARKKILL:
+		case CS_OPS_MARKRESTRICT:
+		case CS_OPS_SET_STATUS:
+			if ((error = mac_proc_check_set_cs_info(current_proc(), pt, ops)))
+				goto out;
+			break;
+		default:
+			if ((error = mac_proc_check_get_cs_info(current_proc(), pt, ops)))
+				goto out;
+	}
+#endif
+
 	switch (ops) {
 
 		case CS_OPS_STATUS: {

diff --git a/bsd/kern/mach_loader.c b/bsd/kern/mach_loader.c
@@ -985,6 +985,14 @@ unprotect_dsmos_segment(
 		       (uint64_t) map_addr, (uint64_t) (map_addr + map_size),
 		       __FUNCTION__, vp->v_name);
 #endif /* DEVELOPMENT || DEBUG */
+
+		/* The DSMOS pager can only be used by apple signed code */
+		struct cs_blob * blob = csvnode_get_blob(vp, file_off);
+		if( blob == NULL || !blob->csb_platform_binary || blob->csb_platform_path)
+		{
+			return LOAD_FAILURE;
+		}
+
 		kr = vm_map_apple_protected(map,
 					    map_addr,
 					    map_addr + map_size,

diff --git a/bsd/kern/policy_check.c b/bsd/kern/policy_check.c
@@ -118,7 +118,7 @@ common_hook(void)
 	return rv;
 }
 
-#if (MAC_POLICY_OPS_VERSION != 37)
+#if (MAC_POLICY_OPS_VERSION != 39)
 # error "struct mac_policy_ops doesn't match definition in mac_policy.h"
 #endif
 /*
@@ -400,8 +400,8 @@ static struct mac_policy_ops policy_ops = {
 	.mpo_reserved26 = (mpo_reserved_hook_t *)common_hook,
 	.mpo_reserved27 = (mpo_reserved_hook_t *)common_hook,
 	.mpo_reserved28 = (mpo_reserved_hook_t *)common_hook,
-	.mpo_reserved29 = (mpo_reserved_hook_t *)common_hook,
-	.mpo_reserved30 = (mpo_reserved_hook_t *)common_hook,
+	CHECK_SET_HOOK(proc_check_get_cs_info)
+	CHECK_SET_HOOK(proc_check_set_cs_info)
 
 	CHECK_SET_HOOK(iokit_check_hid_control)
 

diff --git a/config/MasterVersion b/config/MasterVersion
@@ -1,4 +1,4 @@
-15.5.0
+15.6.0
 
 # The first line of this file contains the master version number for the kernel.
 # All other instances of the kernel version in xnu are derived from this file.

diff --git a/iokit/IOKit/IOUserClient.h b/iokit/IOKit/IOUserClient.h
@@ -173,7 +173,6 @@ enum {
     @abstract   Provides a basis for communication between client applications and I/O Kit objects.
 */
 
-
 class IOUserClient : public IOService
 {
     OSDeclareAbstractStructors(IOUserClient)
@@ -201,22 +200,26 @@ class IOUserClient : public IOService
     bool reserve();
 
 #ifdef XNU_KERNEL_PRIVATE
+
 public:
-#else
-private:
-#endif
     OSSet * mappings;
     UInt8   sharedInstance;
     UInt8   closed;
     UInt8   __ipcFinal;
     UInt8   __reservedA[1];
     volatile SInt32 __ipc;
+    queue_head_t owners;
 #if __LP64__
-    void  * __reserved[7];
+    void  * __reserved[5];
 #else
-    void  * __reserved[6];
+    void  * __reserved[4];
 #endif
 
+#else /* XNU_KERNEL_PRIVATE */
+private:
+    void  * __reserved[9];
+#endif /* XNU_KERNEL_PRIVATE */
+
 public:
    virtual IOReturn externalMethod( uint32_t selector, IOExternalMethodArguments * arguments,
 					IOExternalMethodDispatch * dispatch = 0, OSObject * target = 0, void * reference = 0 );
@@ -248,6 +251,7 @@ class IOUserClient : public IOService
     OSMetaClassDeclareReservedUnused(IOUserClient, 15);
 
 #ifdef XNU_KERNEL_PRIVATE
+
     /* Available within xnu source only */
 public:
     static void initialize( void );
@@ -257,7 +261,10 @@ class IOUserClient : public IOService
                                     task_t task,
                                     IOOptionBits mapFlags = kIOMapAnywhere,
 				    mach_vm_address_t atAddress = 0 );
-#endif
+    IOReturn registerOwner(task_t task);
+    void     noMoreSenders(void);
+
+#endif /* XNU_KERNEL_PRIVATE */
 
 protected:
     static IOReturn sendAsyncResult(OSAsyncReference reference,

diff --git a/iokit/Kernel/IOPMrootDomain.cpp b/iokit/Kernel/IOPMrootDomain.cpp
@@ -5471,6 +5471,8 @@ IONotifier * IOPMrootDomain::registerInterest(
     if (rc != kIOReturnSuccess) {
         notifier->release();
         notifier = 0;
+
+        return NULL;
     }
     if (pmPowerStateQueue)
     {

diff --git a/iokit/Kernel/IOService.cpp b/iokit/Kernel/IOService.cpp
@@ -6229,23 +6229,31 @@ IOReturn IOService::configureReport(IOReportChannelList    *channelList,
         }
     }
 
-    IOLockLock(reserved->interruptStatisticsLock);
-
-    /* The array count is signed (because the interrupt indices are signed), hence the cast */
-    for (cnt = 0; cnt < (unsigned) reserved->interruptStatisticsArrayCount; cnt++) {
-        if (reserved->interruptStatisticsArray[cnt].reporter) {
-            /*
-             * If the reporter is currently associated with the statistics
-             * for an event source, we may need to update the reporter.
-             */
-            if (reserved->interruptStatisticsArray[cnt].statistics)
-                interruptAccountingDataUpdateChannels(reserved->interruptStatisticsArray[cnt].statistics, reserved->interruptStatisticsArray[cnt].reporter);
-
-            reserved->interruptStatisticsArray[cnt].reporter->configureReport(channelList, action, result, destination);
-        }        
-    }
+	/* 24241819: SU fix for NULL 'reserved' field */
+	if (reserved) {
+		IOLockLock(reserved->interruptStatisticsLock);
+
+		/* The array count is signed (because the interrupt indices are signed), hence the cast */
+		for (cnt = 0; cnt < (unsigned) reserved->interruptStatisticsArrayCount; cnt++) {
+			if (reserved->interruptStatisticsArray[cnt].reporter) {
+				/*
+				 * If the reporter is currently associated with the statistics
+				 * for an event source, we may need to update the reporter.
+				 */
+				if (reserved->interruptStatisticsArray[cnt].statistics)
+					interruptAccountingDataUpdateChannels(reserved->interruptStatisticsArray[cnt].statistics, reserved->interruptStatisticsArray[cnt].reporter);
+
+				reserved->interruptStatisticsArray[cnt].reporter->configureReport(channelList, action, result, destination);
+			}        
+		}
 
-    IOLockUnlock(reserved->interruptStatisticsLock);
+		IOLockUnlock(reserved->interruptStatisticsLock);
+	}
+	#if DEVELOPMENT || DEBUG
+	else {
+		IOLog("ALERT: why is %s's 'reserved' field NULL?!\n", getName());
+	}
+	#endif
 
     return kIOReturnSuccess;
 }