1 /*
2 * Copyright (c) 2000-2020 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /*
29 * @OSF_COPYRIGHT@
30 */
31 /*
32 * Mach Operating System
33 * Copyright (c) 1991,1990,1989 Carnegie Mellon University
34 * All Rights Reserved.
35 *
36 * Permission to use, copy, modify and distribute this software and its
37 * documentation is hereby granted, provided that both the copyright
38 * notice and this permission notice appear in all copies of the
39 * software, derivative works or modified versions, and any portions
40 * thereof, and that both notices appear in supporting documentation.
41 *
42 * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
43 * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
44 * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
45 *
46 * Carnegie Mellon requests users of this software to return to
47 *
48 * Software Distribution Coordinator or [email protected]
49 * School of Computer Science
50 * Carnegie Mellon University
51 * Pittsburgh PA 15213-3890
52 *
53 * any improvements or extensions that they make and grant Carnegie Mellon
54 * the rights to redistribute these changes.
55 */
56 /*
57 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
58 * support for mandatory and extensible security protections. This notice
59 * is included in support of clause 2.2 (b) of the Apple Public License,
60 * Version 2.0.
61 */
62 /*
63 */
64 /*
65 * File: ipc/ipc_space.c
66 * Author: Rich Draves
67 * Date: 1989
68 *
69 * Functions to manipulate IPC capability spaces.
70 */
71
72 #include <mach/boolean.h>
73 #include <mach/kern_return.h>
74 #include <mach/port.h>
75 #include <kern/assert.h>
76 #include <kern/sched_prim.h>
77 #include <kern/zalloc.h>
78 #include <ipc/port.h>
79 #include <ipc/ipc_entry.h>
80 #include <ipc/ipc_object.h>
81 #include <ipc/ipc_hash.h>
82 #include <ipc/ipc_port.h>
83 #include <ipc/ipc_space.h>
84 #include <ipc/ipc_right.h>
85 #include <prng/random.h>
86 #include <string.h>
87
88 /* Remove this in the future so port names are less predictable. */
89 #define CONFIG_SEMI_RANDOM_ENTRIES
90 #ifdef CONFIG_SEMI_RANDOM_ENTRIES
91 #define NUM_SEQ_ENTRIES 8
92 #endif
93
94 os_refgrp_decl(static, is_refgrp, "is", NULL);
95 static ZONE_DEFINE_TYPE(ipc_space_zone, "ipc spaces",
96 struct ipc_space, ZC_ZFREE_CLEARMEM);
97
98 SECURITY_READ_ONLY_LATE(ipc_space_t) ipc_space_kernel;
99 SECURITY_READ_ONLY_LATE(ipc_space_t) ipc_space_reply;
100
101 static ipc_space_t
ipc_space_alloc(void)102 ipc_space_alloc(void)
103 {
104 ipc_space_t space;
105
106 space = zalloc_flags(ipc_space_zone, Z_WAITOK | Z_ZERO | Z_NOFAIL);
107 lck_ticket_init(&space->is_lock, &ipc_lck_grp);
108
109 return space;
110 }
111
112 __attribute__((noinline))
113 static void
ipc_space_free(ipc_space_t space)114 ipc_space_free(ipc_space_t space)
115 {
116 assert(!is_active(space));
117 lck_ticket_destroy(&space->is_lock, &ipc_lck_grp);
118 zfree(ipc_space_zone, space);
119 }
120
121 static void
ipc_space_free_table(smr_node_t node)122 ipc_space_free_table(smr_node_t node)
123 {
124 ipc_entry_t entry = __container_of(node, struct ipc_entry, ie_smr_node);
125 ipc_entry_table_t table = entry->ie_self;
126
127 ipc_entry_table_free_noclear(table);
128 }
129
130 void
ipc_space_retire_table(ipc_entry_table_t table)131 ipc_space_retire_table(ipc_entry_table_t table)
132 {
133 ipc_entry_t base;
134 vm_size_t size;
135
136 base = ipc_entry_table_base(table);
137 size = ipc_entry_table_size(table);
138 base->ie_self = table;
139 smr_ipc_call(&base->ie_smr_node, size, ipc_space_free_table);
140 }
141
142 void
ipc_space_reference(ipc_space_t space)143 ipc_space_reference(
144 ipc_space_t space)
145 {
146 os_ref_retain_mask(&space->is_bits, IS_FLAGS_BITS, &is_refgrp);
147 }
148
149 void
ipc_space_release(ipc_space_t space)150 ipc_space_release(
151 ipc_space_t space)
152 {
153 if (os_ref_release_mask(&space->is_bits, IS_FLAGS_BITS, &is_refgrp) == 0) {
154 ipc_space_free(space);
155 }
156 }
157
158 void
ipc_space_lock(ipc_space_t space)159 ipc_space_lock(
160 ipc_space_t space)
161 {
162 lck_ticket_lock(&space->is_lock, &ipc_lck_grp);
163 }
164
165 void
ipc_space_unlock(ipc_space_t space)166 ipc_space_unlock(
167 ipc_space_t space)
168 {
169 lck_ticket_unlock(&space->is_lock);
170 }
171
172 void
ipc_space_lock_sleep(ipc_space_t space)173 ipc_space_lock_sleep(
174 ipc_space_t space)
175 {
176 lck_ticket_sleep_with_inheritor(&space->is_lock, &ipc_lck_grp,
177 LCK_SLEEP_DEFAULT, (event_t)space, space->is_grower,
178 THREAD_UNINT, TIMEOUT_WAIT_FOREVER);
179 }
180
181 /*
182 * Routine: ipc_entry_rand_freelist
183 * Purpose:
184 * Pseudo-randomly permute the order of entries in an IPC space
185 * Arguments:
186 * space: the ipc space to initialize.
187 * table: the corresponding ipc table to initialize.
188 * the table is 0 initialized.
189 * bottom: the start of the range to initialize (inclusive).
190 * top: the end of the range to initialize (noninclusive).
191 */
192 void
ipc_space_rand_freelist(ipc_space_t space,ipc_entry_t table,mach_port_index_t bottom,mach_port_index_t size)193 ipc_space_rand_freelist(
194 ipc_space_t space,
195 ipc_entry_t table,
196 mach_port_index_t bottom,
197 mach_port_index_t size)
198 {
199 int at_start = (bottom == 0);
200 #ifdef CONFIG_SEMI_RANDOM_ENTRIES
201 /*
202 * Only make sequential entries at the start of the table, and not when
203 * we're growing the space.
204 */
205 ipc_entry_num_t total = 0;
206 #endif
207
208 /* First entry in the free list is always free, and is the start of the free list. */
209 mach_port_index_t curr = bottom;
210 mach_port_index_t top = size;
211
212 bottom++;
213 top--;
214
215 /*
216 * Initialize the free list in the table.
217 * Add the entries in pseudo-random order and randomly set the generation
218 * number, in order to frustrate attacks involving port name reuse.
219 */
220 while (bottom <= top) {
221 ipc_entry_t entry = &table[curr];
222 mach_port_index_t next;
223 int which;
224
225 #ifdef CONFIG_SEMI_RANDOM_ENTRIES
226 /*
227 * XXX: This is a horrible hack to make sure that randomizing the port
228 * doesn't break programs that might have (sad) hard-coded values for
229 * certain port names.
230 */
231 if (at_start && total++ < NUM_SEQ_ENTRIES) {
232 which = 0;
233 } else
234 #endif
235 {
236 which = random_bool_gen_bits(&space->is_prng,
237 space->is_entropy, IS_ENTROPY_CNT, 1);
238 }
239
240 if (which) {
241 next = top;
242 top--;
243 } else {
244 next = bottom;
245 bottom++;
246 }
247
248 /*
249 * The entry's gencount will roll over on its first allocation,
250 * at which point a random rollover will be set for the entry.
251 */
252 entry->ie_bits = IE_BITS_GEN_INIT;
253 entry->ie_next = next;
254 curr = next;
255 }
256 table[curr].ie_bits = IE_BITS_GEN_INIT;
257 }
258
259
260 /*
261 * Routine: ipc_space_create
262 * Purpose:
263 * Creates a new IPC space.
264 *
265 * The new space has two references, one for the caller
266 * and one because it is active.
267 * Conditions:
268 * Nothing locked. Allocates memory.
269 * Returns:
270 * KERN_SUCCESS Created a space.
271 * KERN_RESOURCE_SHORTAGE Couldn't allocate memory.
272 */
273
274 kern_return_t
ipc_space_create(ipc_label_t label,ipc_space_t * spacep)275 ipc_space_create(
276 ipc_label_t label,
277 ipc_space_t *spacep)
278 {
279 ipc_space_t space;
280 ipc_entry_table_t table;
281 ipc_entry_num_t count;
282
283 table = ipc_entry_table_alloc_by_count(IPC_ENTRY_TABLE_MIN,
284 Z_WAITOK | Z_ZERO | Z_NOFAIL);
285 space = ipc_space_alloc();
286 count = ipc_entry_table_count(table);
287
288 random_bool_init(&space->is_prng);
289 ipc_space_rand_freelist(space, ipc_entry_table_base(table), 0, count);
290
291 os_ref_init_count_mask(&space->is_bits, IS_FLAGS_BITS, &is_refgrp, 2, 0);
292 space->is_table_free = count - 1;
293 space->is_label = label;
294 space->is_low_mod = count;
295 smr_init_store(&space->is_table, table);
296
297 *spacep = space;
298 return KERN_SUCCESS;
299 }
300
301 /*
302 * Routine: ipc_space_label
303 * Purpose:
304 * Modify the label on a space. The desired
305 * label must be a super-set of the current
306 * label for the space (as rights may already
307 * have been previously copied out under the
308 * old label value.
309 * Conditions:
310 * Nothing locked.
311 * Returns:
312 * KERN_SUCCESS Updated the label
313 * KERN_INVALID_VALUE label not a superset of old
314 */
315 kern_return_t
ipc_space_label(ipc_space_t space,ipc_label_t label)316 ipc_space_label(
317 ipc_space_t space,
318 ipc_label_t label)
319 {
320 is_write_lock(space);
321 if (!is_active(space)) {
322 is_write_unlock(space);
323 return KERN_SUCCESS;
324 }
325
326 if ((space->is_label & label) != space->is_label) {
327 is_write_unlock(space);
328 return KERN_INVALID_VALUE;
329 }
330 space->is_label = label;
331 is_write_unlock(space);
332 return KERN_SUCCESS;
333 }
334
335 /*
336 * Routine: ipc_space_add_label
337 * Purpose:
338 * Modify the label on a space. The desired
339 * label is added to the labels already set
340 * on the space.
341 * Conditions:
342 * Nothing locked.
343 * Returns:
344 * KERN_SUCCESS Updated the label
345 * KERN_INVALID_VALUE label not a superset of old
346 */
347 kern_return_t
ipc_space_add_label(ipc_space_t space,ipc_label_t label)348 ipc_space_add_label(
349 ipc_space_t space,
350 ipc_label_t label)
351 {
352 is_write_lock(space);
353 if (!is_active(space)) {
354 is_write_unlock(space);
355 return KERN_SUCCESS;
356 }
357
358 space->is_label |= label;
359 is_write_unlock(space);
360 return KERN_SUCCESS;
361 }
362
363 /*
364 * Routine: ipc_space_create_special
365 * Purpose:
366 * Create a special space. A special space
367 * doesn't hold rights in the normal way.
368 * Instead it is place-holder for holding
369 * disembodied (naked) receive rights.
370 * See ipc_port_alloc_special.
371 * Conditions:
372 * Nothing locked.
373 * Returns:
374 * KERN_SUCCESS Created a space.
375 * KERN_RESOURCE_SHORTAGE Couldn't allocate memory.
376 */
377 ipc_space_t
ipc_space_create_special(void)378 ipc_space_create_special(void)
379 {
380 ipc_space_t space;
381
382 space = ipc_space_alloc();
383 os_ref_init_count_mask(&space->is_bits, IS_FLAGS_BITS, &is_refgrp, 1, 0);
384 ipc_space_set_policy(space, IPC_SPACE_POLICY_KERNEL);
385 space->is_label = IPC_LABEL_SPECIAL;
386
387 return space;
388 }
389
390 /*
391 * Routine: ipc_space_terminate
392 * Purpose:
393 * Marks the space as dead and cleans up the entries.
394 * Does nothing if the space is already dead.
395 * Conditions:
396 * Nothing locked.
397 */
398
399 void
ipc_space_terminate(ipc_space_t space)400 ipc_space_terminate(
401 ipc_space_t space)
402 {
403 ipc_entry_table_t table;
404
405 assert(space != IS_NULL);
406
407 is_write_lock(space);
408 if (!is_active(space)) {
409 is_write_unlock(space);
410 return;
411 }
412
413 table = smr_serialized_load(&space->is_table);
414 smr_clear_store(&space->is_table);
415
416 /*
417 * If somebody is trying to grow the table,
418 * we must wait until they finish and figure
419 * out the space died.
420 */
421 while (is_growing(space)) {
422 is_write_sleep(space);
423 }
424
425 is_write_unlock(space);
426
427
428 /*
429 * Now we can futz with it unlocked.
430 *
431 * First destroy receive rights, then the rest.
432 * This will cut down the number of notifications
433 * being sent when the notification destination
434 * was a receive right in this space.
435 */
436
437 for (mach_port_index_t index = 1;
438 ipc_entry_table_contains(table, index);
439 index++) {
440 ipc_entry_t entry = ipc_entry_table_get_nocheck(table, index);
441 mach_port_type_t type;
442
443 type = IE_BITS_TYPE(entry->ie_bits);
444 if (type & MACH_PORT_TYPE_RECEIVE) {
445 mach_port_name_t name;
446
447 name = MACH_PORT_MAKE(index,
448 IE_BITS_GEN(entry->ie_bits));
449 ipc_right_terminate(space, name, entry);
450 }
451 }
452
453 for (mach_port_index_t index = 1;
454 ipc_entry_table_contains(table, index);
455 index++) {
456 ipc_entry_t entry = ipc_entry_table_get_nocheck(table, index);
457 mach_port_type_t type;
458
459 type = IE_BITS_TYPE(entry->ie_bits);
460 if (type != MACH_PORT_TYPE_NONE) {
461 mach_port_name_t name;
462
463 name = MACH_PORT_MAKE(index,
464 IE_BITS_GEN(entry->ie_bits));
465 ipc_right_terminate(space, name, entry);
466 }
467 }
468
469 ipc_space_retire_table(table);
470 space->is_table_free = 0;
471
472 /*
473 * Because the space is now dead,
474 * we must release the "active" reference for it.
475 * Our caller still has his reference.
476 */
477 is_release(space);
478 }
479
480 #if CONFIG_PROC_RESOURCE_LIMITS
481 /*
482 * ipc_space_set_table_size_limits:
483 *
484 * Set the table size's soft and hard limit.
485 */
486 kern_return_t
ipc_space_set_table_size_limits(ipc_space_t space,ipc_entry_num_t soft_limit,ipc_entry_num_t hard_limit)487 ipc_space_set_table_size_limits(
488 ipc_space_t space,
489 ipc_entry_num_t soft_limit,
490 ipc_entry_num_t hard_limit)
491 {
492 if (space == IS_NULL) {
493 return KERN_INVALID_TASK;
494 }
495
496 is_write_lock(space);
497
498 if (!is_active(space)) {
499 is_write_unlock(space);
500 return KERN_INVALID_TASK;
501 }
502
503 if (hard_limit && soft_limit >= hard_limit) {
504 soft_limit = 0;
505 }
506
507 space->is_table_size_soft_limit = soft_limit;
508 space->is_table_size_hard_limit = hard_limit;
509
510 is_write_unlock(space);
511
512 return KERN_SUCCESS;
513 }
514
515 /*
516 * Check if port space has exceeded its limits.
517 * Should be called with the space write lock held.
518 */
519 void
ipc_space_check_limit_exceeded(ipc_space_t space)520 ipc_space_check_limit_exceeded(ipc_space_t space)
521 {
522 size_t size = ipc_entry_table_count(is_active_table(space));
523
524 if (!is_above_soft_limit_notify(space) && space->is_table_size_soft_limit &&
525 ((size - space->is_table_free) > space->is_table_size_soft_limit)) {
526 is_above_soft_limit_send_notification(space);
527 act_set_astproc_resource(current_thread());
528 } else if (!is_above_hard_limit_notify(space) && space->is_table_size_hard_limit &&
529 ((size - space->is_table_free) > space->is_table_size_hard_limit)) {
530 is_above_hard_limit_send_notification(space);
531 act_set_astproc_resource(current_thread());
532 }
533 }
534 #endif /* CONFIG_PROC_RESOURCE_LIMITS */
535
536 /*
537 * Routine: ipc_space_check_table_size_limit
538 * Purpose:
539 * Query the current size, soft_limit, and hard_limit for the ipc space.
540 * Returns true if a notification should be sent as a result of the limit
541 * being exceeded, and if we return true but the soft/hard limit values
542 * are zero that indicates the system limit has been exceeded. See
543 * is_at_max_limit_send_notification
544 * Conditions:
545 * Nothing locked on entry.
546 * Nothing locked on exit.
547 * Returns TRUE if a limit has been exceeded.
548 */
549 bool
ipc_space_check_table_size_limit(ipc_space_t space,ipc_entry_num_t * current_size,ipc_entry_num_t * soft_limit,ipc_entry_num_t * hard_limit)550 ipc_space_check_table_size_limit(
551 ipc_space_t space,
552 ipc_entry_num_t *current_size,
553 ipc_entry_num_t *soft_limit,
554 ipc_entry_num_t *hard_limit)
555 {
556 ipc_entry_table_t table;
557 bool should_notify = false;
558
559 if (space == IS_NULL) {
560 return false;
561 }
562
563 is_write_lock(space);
564
565 if (!is_active(space)) {
566 goto exit;
567 }
568 /* space is locked and active */
569
570 table = is_active_table(space);
571 *current_size = ipc_entry_table_count(table) - space->is_table_free;
572 if (is_at_max_limit_notify(space)) {
573 if (!is_at_max_limit_already_notified(space)) {
574 *soft_limit = 0;
575 *hard_limit = 0;
576 is_at_max_limit_notified(space);
577 should_notify = true;
578 }
579 goto exit;
580 }
581
582 #if CONFIG_PROC_RESOURCE_LIMITS
583 *soft_limit = space->is_table_size_soft_limit;
584 *hard_limit = space->is_table_size_hard_limit;
585
586 if (!*soft_limit && !*hard_limit) {
587 should_notify = false;
588 goto exit;
589 }
590
591 /*
592 * Check if the thread sending the soft limit notification arrives after
593 * the one that sent the hard limit notification
594 */
595 if (is_hard_limit_already_notified(space)) {
596 goto exit;
597 }
598
599 if (*hard_limit > 0 && *current_size >= *hard_limit) {
600 *soft_limit = 0;
601 should_notify = true;
602 is_hard_limit_notified(space);
603 } else {
604 if (is_soft_limit_already_notified(space)) {
605 goto exit;
606 }
607 if (*soft_limit > 0 && *current_size >= *soft_limit) {
608 *hard_limit = 0;
609 should_notify = true;
610 is_soft_limit_notified(space);
611 }
612 }
613 #endif /* CONFIG_PROC_RESOURCE_LIMITS */
614
615 exit:
616 is_write_unlock(space);
617 return should_notify;
618 }
619
620 /*
621 * Set an ast if port space is at its max limit.
622 * Should be called with the space write lock held.
623 */
624 void
ipc_space_set_at_max_limit(ipc_space_t space)625 ipc_space_set_at_max_limit(ipc_space_t space)
626 {
627 if (!is_at_max_limit_notify(space)) {
628 is_at_max_limit_send_notification(space);
629 act_set_astproc_resource(current_thread());
630 }
631 }
632