1*2c2f96dcSApple OSS Distributions /*
2*2c2f96dcSApple OSS Distributions  * Copyright (c) 2000-2021 Apple Inc. All rights reserved.
3*2c2f96dcSApple OSS Distributions  *
4*2c2f96dcSApple OSS Distributions  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5*2c2f96dcSApple OSS Distributions  *
6*2c2f96dcSApple OSS Distributions  * This file contains Original Code and/or Modifications of Original Code
7*2c2f96dcSApple OSS Distributions  * as defined in and that are subject to the Apple Public Source License
8*2c2f96dcSApple OSS Distributions  * Version 2.0 (the 'License'). You may not use this file except in
9*2c2f96dcSApple OSS Distributions  * compliance with the License. The rights granted to you under the License
10*2c2f96dcSApple OSS Distributions  * may not be used to create, or enable the creation or redistribution of,
11*2c2f96dcSApple OSS Distributions  * unlawful or unlicensed copies of an Apple operating system, or to
12*2c2f96dcSApple OSS Distributions  * circumvent, violate, or enable the circumvention or violation of, any
13*2c2f96dcSApple OSS Distributions  * terms of an Apple operating system software license agreement.
14*2c2f96dcSApple OSS Distributions  *
15*2c2f96dcSApple OSS Distributions  * Please obtain a copy of the License at
16*2c2f96dcSApple OSS Distributions  * http://www.opensource.apple.com/apsl/ and read it before using this file.
17*2c2f96dcSApple OSS Distributions  *
18*2c2f96dcSApple OSS Distributions  * The Original Code and all software distributed under the License are
19*2c2f96dcSApple OSS Distributions  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20*2c2f96dcSApple OSS Distributions  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21*2c2f96dcSApple OSS Distributions  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22*2c2f96dcSApple OSS Distributions  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23*2c2f96dcSApple OSS Distributions  * Please see the License for the specific language governing rights and
24*2c2f96dcSApple OSS Distributions  * limitations under the License.
25*2c2f96dcSApple OSS Distributions  *
26*2c2f96dcSApple OSS Distributions  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27*2c2f96dcSApple OSS Distributions  */
28*2c2f96dcSApple OSS Distributions 
29*2c2f96dcSApple OSS Distributions #ifndef _KASAN_INTERNAL_H_
30*2c2f96dcSApple OSS Distributions #define _KASAN_INTERNAL_H_
31*2c2f96dcSApple OSS Distributions 
32*2c2f96dcSApple OSS Distributions #include <stdbool.h>
33*2c2f96dcSApple OSS Distributions #include <mach/mach_vm.h>
34*2c2f96dcSApple OSS Distributions #include <kern/zalloc.h>
35*2c2f96dcSApple OSS Distributions #include <sys/sysctl.h>
36*2c2f96dcSApple OSS Distributions 
37*2c2f96dcSApple OSS Distributions typedef uintptr_t uptr;
38*2c2f96dcSApple OSS Distributions #define MiB(x) ((x) * 1024UL * 1024)
39*2c2f96dcSApple OSS Distributions #define BIT(x) (1U << (x))
40*2c2f96dcSApple OSS Distributions 
41*2c2f96dcSApple OSS Distributions /* Sanity checks */
42*2c2f96dcSApple OSS Distributions #ifndef KASAN
43*2c2f96dcSApple OSS Distributions #error KASAN undefined
44*2c2f96dcSApple OSS Distributions #endif
45*2c2f96dcSApple OSS Distributions 
46*2c2f96dcSApple OSS Distributions #ifndef KASAN_OFFSET
47*2c2f96dcSApple OSS Distributions #error KASAN_OFFSET undefined
48*2c2f96dcSApple OSS Distributions #endif
49*2c2f96dcSApple OSS Distributions 
50*2c2f96dcSApple OSS Distributions #ifndef KASAN_SCALE
51*2c2f96dcSApple OSS Distributions #error KASAN_SCALE undefined
52*2c2f96dcSApple OSS Distributions #endif
53*2c2f96dcSApple OSS Distributions 
54*2c2f96dcSApple OSS Distributions #if defined(__x86_64__)
55*2c2f96dcSApple OSS Distributions # define _JBLEN ((9 * 2) + 3 + 16)
56*2c2f96dcSApple OSS Distributions #elif defined(__arm64__)
57*2c2f96dcSApple OSS Distributions # define _JBLEN ((14 + 8 + 2) * 2)
58*2c2f96dcSApple OSS Distributions #else
59*2c2f96dcSApple OSS Distributions # error "Unknown arch"
60*2c2f96dcSApple OSS Distributions #endif
61*2c2f96dcSApple OSS Distributions 
62*2c2f96dcSApple OSS Distributions #if KASAN_DEBUG
63*2c2f96dcSApple OSS Distributions #define NOINLINE OS_NOINLINE
64*2c2f96dcSApple OSS Distributions #else
65*2c2f96dcSApple OSS Distributions #define NOINLINE
66*2c2f96dcSApple OSS Distributions #endif
67*2c2f96dcSApple OSS Distributions #define ALWAYS_INLINE inline __attribute__((always_inline))
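/*
 * CLANG_MIN_VERSION(x): non-zero when building with Apple clang whose
 * __apple_build_version__ is at least x, zero otherwise. Written as a
 * #if/#else pair rather than a single expression containing `defined(...)`:
 * C11 6.10.1p4 leaves the behavior undefined when the token `defined` is
 * produced by macro expansion (clang reports it as -Wexpansion-to-defined),
 * so the original one-liner only worked by compiler tolerance.
 */
#if defined(__apple_build_version__)
# define CLANG_MIN_VERSION(x) (__apple_build_version__ >= (x))
#else
# define CLANG_MIN_VERSION(x) 0
#endif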
69*2c2f96dcSApple OSS Distributions 
70*2c2f96dcSApple OSS Distributions #if KASAN_CLASSIC
71*2c2f96dcSApple OSS Distributions #define KASAN_MODEL_STR                 "kasan-classic"
72*2c2f96dcSApple OSS Distributions #define KASAN_STRIP_ADDR(_x)    (_x)
73*2c2f96dcSApple OSS Distributions #elif KASAN_TBI
74*2c2f96dcSApple OSS Distributions #define KASAN_MODEL_STR                 "kasan-tbi"
75*2c2f96dcSApple OSS Distributions #define KASAN_STRIP_ADDR(_x)    (VM_KERNEL_STRIP_UPTR(_x))
76*2c2f96dcSApple OSS Distributions #else
77*2c2f96dcSApple OSS Distributions #error "No kasan model specified"
78*2c2f96dcSApple OSS Distributions #endif /* KASAN_CLASSIC || KASAN_TBI */
79*2c2f96dcSApple OSS Distributions 
80*2c2f96dcSApple OSS Distributions extern vm_address_t     kernel_vbase;
81*2c2f96dcSApple OSS Distributions extern vm_address_t     kernel_vtop;
82*2c2f96dcSApple OSS Distributions extern unsigned                 shadow_pages_used;
83*2c2f96dcSApple OSS Distributions 
84*2c2f96dcSApple OSS Distributions /* boot-arg configurable */
85*2c2f96dcSApple OSS Distributions extern unsigned                 kasan_enabled;
86*2c2f96dcSApple OSS Distributions extern int                              fakestack_enabled;
87*2c2f96dcSApple OSS Distributions extern bool                             report_suppressed_checks;
88*2c2f96dcSApple OSS Distributions 
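/*
 * One shadow byte describes KASAN_GRANULE bytes of memory (see
 * ADDRESS_FOR_SHADOW / SHADOW_FOR_ADDRESS, which shift by KASAN_SCALE).
 */
#define KASAN_GRANULE                   (1UL << KASAN_SCALE)
#define KASAN_GRANULE_MASK              (KASAN_GRANULE - 1UL)
/*
 * Granule arithmetic on an address or size. The argument is parenthesized
 * so that a compound expression such as `base | off` or `a ? b : c` is
 * truncated/rounded/masked as a whole; without the parentheses `&` binds
 * only to the last operand of the expansion.
 */
#define kasan_granule_trunc(x)          ((x) & ~KASAN_GRANULE_MASK)
#define kasan_granule_round(x)          (((x) + KASAN_GRANULE_MASK) & ~KASAN_GRANULE_MASK)
#define kasan_granule_partial(x)        ((x) & KASAN_GRANULE_MASK)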
94*2c2f96dcSApple OSS Distributions 
95*2c2f96dcSApple OSS Distributions #define ADDRESS_FOR_SHADOW(x) (((KASAN_STRIP_ADDR(x)) - KASAN_OFFSET) << KASAN_SCALE)
96*2c2f96dcSApple OSS Distributions #define SHADOW_FOR_ADDRESS(x) (uint8_t *)(((KASAN_STRIP_ADDR(x)) >> KASAN_SCALE) + KASAN_OFFSET)
97*2c2f96dcSApple OSS Distributions 
/*
 * Kind of operation being checked or reported. The flag_enum attribute tells
 * clang that bitwise combinations of these enumerators are valid values of
 * the type, which is how the TYPE_* masks at the bottom are built and how the
 * access_t parameters of kasan_check_enabled(), kasan_is_blacklisted() and
 * the report functions are consumed.
 */
enum __attribute__((flag_enum)) kasan_access_types {
	/* Common to all KASAN versions */
	TYPE_LOAD    = BIT(0),  /* regular memory load */
	TYPE_STORE   = BIT(1),  /* regular store */
	TYPE_MEMR    = BIT(2),  /* memory intrinsic (read) */
	TYPE_MEMW    = BIT(3),  /* memory intrinsic (write) */
	TYPE_STRR    = BIT(4),  /* string intrinsic (read) */
	TYPE_STRW    = BIT(5),  /* string intrinsic (write) */

	/* KASAN-classic specific */
	TYPE_ZFREE   = BIT(6),  /* zfree() */
	TYPE_FSFREE  = BIT(7),  /* fakestack free */

	/* BIT(8)..BIT(11) are currently unassigned. */
	TYPE_UAF           = BIT(12), /* presumably use-after-free detection; compare REASON_MOD_AFTER_FREE */
	TYPE_POISON_GLOBAL = BIT(13), /* poisoning of globals (name-derived; see kasan_init_globals()) */
	TYPE_POISON_HEAP   = BIT(14), /* poisoning of heap memory (name-derived) */
	/* no TYPE_POISON_STACK, because the runtime does not control stack poisoning */
	TYPE_TEST          = BIT(15), /* presumably the self-test path, see kasan_handle_test() */

	/* masks */
	TYPE_MEM     = TYPE_MEMR | TYPE_MEMW,            /* memory intrinsics */
	TYPE_STR     = TYPE_STRR | TYPE_STRW,            /* string intrinsics */
	TYPE_READ    = TYPE_LOAD | TYPE_MEMR | TYPE_STRR,  /* all reads */
	TYPE_WRITE   = TYPE_STORE | TYPE_MEMW | TYPE_STRW, /* all writes */
	TYPE_RW      = TYPE_READ | TYPE_WRITE,           /* reads and writes */
	TYPE_FREE    = TYPE_ZFREE | TYPE_FSFREE,         /* both free variants */
	TYPE_NORMAL  = TYPE_RW | TYPE_FREE,              /* every access/free check */
	TYPE_DYNAMIC = TYPE_NORMAL | TYPE_UAF,           /* TYPE_NORMAL plus UAF */
	TYPE_POISON  = TYPE_POISON_GLOBAL | TYPE_POISON_HEAP,
	/* Every bit set, including the unassigned ones; deliberately not just the OR of the flags above. */
	TYPE_ALL     = ~0U,
};
129*2c2f96dcSApple OSS Distributions 
/*
 * Reason attached to a detected violation (typedef'd as violation_t below).
 * Passed together with an access_t to kasan_violation(), kasan_crash_report()
 * and kasan_impl_decode_issue(). The values are written out explicitly and
 * are contiguous from 0; presumably they are used as an index or in report
 * output, so confirm downstream consumers before renumbering.
 */
enum kasan_violation_types {
	REASON_POISONED =       0, /* read or write of poisoned data */
	REASON_BAD_METADATA =   1, /* incorrect kasan metadata */
	REASON_INVALID_SIZE =   2, /* free size did not match alloc size */
	REASON_MOD_AFTER_FREE = 3, /* object modified after free */
	REASON_MOD_OOB =        4, /* out of bounds modification of object */
};
137*2c2f96dcSApple OSS Distributions 
138*2c2f96dcSApple OSS Distributions typedef enum kasan_access_types access_t;
139*2c2f96dcSApple OSS Distributions typedef enum kasan_violation_types violation_t;
140*2c2f96dcSApple OSS Distributions 
141*2c2f96dcSApple OSS Distributions /*
142*2c2f96dcSApple OSS Distributions  * KASAN may support different shadow table formats and different checking
143*2c2f96dcSApple OSS Distributions  * strategies. The _impl functions are the entry points through which the
144*2c2f96dcSApple OSS Distributions  * format-independent kasan code calls into the format-dependent implementations.
145*2c2f96dcSApple OSS Distributions  */
146*2c2f96dcSApple OSS Distributions void kasan_impl_report_internal(uptr, uptr, access_t, violation_t, bool);
147*2c2f96dcSApple OSS Distributions void kasan_impl_poison_range(vm_offset_t, vm_size_t, uint8_t);
148*2c2f96dcSApple OSS Distributions void kasan_impl_kdp_disable(void);
149*2c2f96dcSApple OSS Distributions void kasan_impl_init(void);
150*2c2f96dcSApple OSS Distributions void kasan_impl_late_init(void);
151*2c2f96dcSApple OSS Distributions void kasan_impl_fill_valid_range(uintptr_t, size_t);
152*2c2f96dcSApple OSS Distributions 
153*2c2f96dcSApple OSS Distributions /*
154*2c2f96dcSApple OSS Distributions  * Poisoning comes from KASAN CLASSIC nomenclature. KASAN CLASSIC is based on
155*2c2f96dcSApple OSS Distributions  * identifying valid memory vs poisoned memory (memory that shouldn't be accessed).
156*2c2f96dcSApple OSS Distributions  * This terminology isn't great for KASAN TBI, but is kept for compatibility.
157*2c2f96dcSApple OSS Distributions  */
158*2c2f96dcSApple OSS Distributions void kasan_poison(vm_offset_t, vm_size_t, vm_size_t, vm_size_t, uint8_t);
159*2c2f96dcSApple OSS Distributions 
160*2c2f96dcSApple OSS Distributions /*
161*2c2f96dcSApple OSS Distributions  * Runtime checking. kasan_check_range() is consumed by the inlined
162*2c2f96dcSApple OSS Distributions  * instrumentation. See kasan-helper.c
163*2c2f96dcSApple OSS Distributions  */
164*2c2f96dcSApple OSS Distributions bool kasan_check_enabled(access_t);
165*2c2f96dcSApple OSS Distributions bool kasan_impl_check_enabled(access_t);
166*2c2f96dcSApple OSS Distributions void kasan_check_range(const void *, size_t, access_t);
167*2c2f96dcSApple OSS Distributions 
168*2c2f96dcSApple OSS Distributions /* dynamic blacklist */
169*2c2f96dcSApple OSS Distributions void kasan_init_dybl(void);
170*2c2f96dcSApple OSS Distributions bool kasan_is_blacklisted(access_t);
171*2c2f96dcSApple OSS Distributions void kasan_dybl_load_kext(uintptr_t, const char *);
172*2c2f96dcSApple OSS Distributions void kasan_dybl_unload_kext(uintptr_t);
173*2c2f96dcSApple OSS Distributions 
174*2c2f96dcSApple OSS Distributions /* arch-specific interface */
175*2c2f96dcSApple OSS Distributions void kasan_arch_init(void);
176*2c2f96dcSApple OSS Distributions bool kasan_is_shadow_mapped(uintptr_t);
177*2c2f96dcSApple OSS Distributions 
178*2c2f96dcSApple OSS Distributions /* Locking */
179*2c2f96dcSApple OSS Distributions void kasan_lock_init(void);
180*2c2f96dcSApple OSS Distributions void kasan_lock(boolean_t *);
181*2c2f96dcSApple OSS Distributions void kasan_unlock(boolean_t);
182*2c2f96dcSApple OSS Distributions bool kasan_lock_held(thread_t);
183*2c2f96dcSApple OSS Distributions 
184*2c2f96dcSApple OSS Distributions /* Subsystem helpers */
185*2c2f96dcSApple OSS Distributions void kasan_init_fakestack(void);
186*2c2f96dcSApple OSS Distributions 
187*2c2f96dcSApple OSS Distributions /*
188*2c2f96dcSApple OSS Distributions  * Global variables need to be explicitly handled at runtime, both for xnu
189*2c2f96dcSApple OSS Distributions  * and for KEXTs.
190*2c2f96dcSApple OSS Distributions  */
191*2c2f96dcSApple OSS Distributions void kasan_init_globals(vm_offset_t, vm_size_t);
192*2c2f96dcSApple OSS Distributions 
193*2c2f96dcSApple OSS Distributions /*
194*2c2f96dcSApple OSS Distributions  * Handle KASAN detected issues. If modifying kasan_crash_report(), remember
195*2c2f96dcSApple OSS Distributions  * that it is called by the instrumentation as well, see kasan-helper.c.
196*2c2f96dcSApple OSS Distributions  */
197*2c2f96dcSApple OSS Distributions void kasan_violation(uintptr_t, size_t, access_t, violation_t);
198*2c2f96dcSApple OSS Distributions size_t kasan_impl_decode_issue(char *, size_t, uptr, uptr, access_t, violation_t);
199*2c2f96dcSApple OSS Distributions void NOINLINE OS_NORETURN kasan_crash_report(uptr, uptr, access_t, violation_t);
200*2c2f96dcSApple OSS Distributions 
201*2c2f96dcSApple OSS Distributions void kasan_handle_test(void);
202*2c2f96dcSApple OSS Distributions 
203*2c2f96dcSApple OSS Distributions SYSCTL_DECL(kasan);
204*2c2f96dcSApple OSS Distributions SYSCTL_DECL(_kern_kasan);
205*2c2f96dcSApple OSS Distributions 
206*2c2f96dcSApple OSS Distributions #endif /* _KASAN_INTERNAL_H_ */