xref: /xnu-8020.140.41/san/memory/kasan_internal.h (revision 27b03b360a988dfd3dfdf34262bb0042026747cc)
1 /*
2  * Copyright (c) 2000-2021 Apple Inc. All rights reserved.
3  *
4  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5  *
6  * This file contains Original Code and/or Modifications of Original Code
7  * as defined in and that are subject to the Apple Public Source License
8  * Version 2.0 (the 'License'). You may not use this file except in
9  * compliance with the License. The rights granted to you under the License
10  * may not be used to create, or enable the creation or redistribution of,
11  * unlawful or unlicensed copies of an Apple operating system, or to
12  * circumvent, violate, or enable the circumvention or violation of, any
13  * terms of an Apple operating system software license agreement.
14  *
15  * Please obtain a copy of the License at
16  * http://www.opensource.apple.com/apsl/ and read it before using this file.
17  *
18  * The Original Code and all software distributed under the License are
19  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23  * Please see the License for the specific language governing rights and
24  * limitations under the License.
25  *
26  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27  */
28 
29 #ifndef _KASAN_INTERNAL_H_
30 #define _KASAN_INTERNAL_H_
31 
32 #include <stdbool.h>
33 #include <mach/mach_vm.h>
34 #include <kern/zalloc.h>
35 #include <sys/sysctl.h>
36 
37 typedef uintptr_t uptr;
38 #define MiB(x) ((x) * 1024UL * 1024)
39 #define BIT(x) (1U << (x))
40 
41 /* Sanity checks */
42 #ifndef KASAN
43 #error KASAN undefined
44 #endif
45 
46 #ifndef KASAN_OFFSET
47 #error KASAN_OFFSET undefined
48 #endif
49 
50 #ifndef KASAN_SCALE
51 #error KASAN_SCALE undefined
52 #endif
53 
54 #if defined(__x86_64__)
55 # define _JBLEN ((9 * 2) + 3 + 16)
56 #elif defined(__arm64__)
57 # define _JBLEN ((14 + 8 + 2) * 2)
58 #else
59 # error "Unknown arch"
60 #endif
61 
62 #if KASAN_DEBUG
63 #define NOINLINE OS_NOINLINE
64 #else
65 #define NOINLINE
66 #endif
67 #define ALWAYS_INLINE inline __attribute__((always_inline))
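/*
 * CLANG_MIN_VERSION(x): non-zero when building with an Apple clang whose
 * __apple_build_version__ is at least x, zero otherwise.
 *
 * The defined() test lives in a real #if rather than inside the macro body:
 * a `defined` operator that appears as the result of macro expansion in an
 * #if expression has undefined behavior (C11 6.10.1p4), and it is not valid
 * at all when the macro is used in an ordinary C expression. Both forms
 * below are plain integer expressions, so the macro works in either context.
 */
#if defined(__apple_build_version__)
#define CLANG_MIN_VERSION(x) (__apple_build_version__ >= (x))
#else
#define CLANG_MIN_VERSION(x) (0)
#endif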
69 
70 #if KASAN_CLASSIC
71 #define KASAN_MODEL_STR                 "kasan-classic"
72 #define KASAN_STRIP_ADDR(_x)    (_x)
73 #elif KASAN_TBI
74 #define KASAN_MODEL_STR                 "kasan-tbi"
75 #define KASAN_STRIP_ADDR(_x)    (VM_KERNEL_STRIP_UPTR(_x))
76 #else
77 #error "No kasan model specified"
78 #endif /* KASAN_CLASSIC || KASAN_TBI */
79 
80 extern vm_address_t     kernel_vbase;
81 extern vm_address_t     kernel_vtop;
82 extern unsigned                 shadow_pages_used;
83 
84 /* boot-arg configurable */
85 extern unsigned                 kasan_enabled;
86 extern int                              fakestack_enabled;
87 extern bool                             report_suppressed_checks;
88 
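/*
 * Granule geometry. KASAN_GRANULE is 1 << KASAN_SCALE bytes; KASAN_SCALE is
 * not defined in this header (the #error guard above requires it to be
 * supplied externally).
 *
 * The helpers parenthesize every use of their argument, so an expression
 * argument such as `base | off` or `cond ? a : b` is evaluated as a whole
 * before the mask is applied instead of being split by operator precedence.
 * Each helper evaluates its argument exactly once.
 *
 * kasan_granule_round() uses unsigned arithmetic and therefore wraps when x
 * lies within KASAN_GRANULE_MASK of the maximum value; a caller deriving a
 * range from a length it does not control must bound x before rounding.
 */
#define KASAN_GRANULE                   (1UL << KASAN_SCALE)
#define KASAN_GRANULE_MASK              (KASAN_GRANULE - 1UL)
/* Round x down to a granule boundary. */
#define kasan_granule_trunc(x)          ((x) & ~KASAN_GRANULE_MASK)
/* Round x up to a granule boundary. */
#define kasan_granule_round(x)          (((x) + KASAN_GRANULE_MASK) & ~KASAN_GRANULE_MASK)
/* Offset of x within its granule (0 when x is granule-aligned). */
#define kasan_granule_partial(x)        ((x) & KASAN_GRANULE_MASK)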
94 
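/*
 * Translation between a memory address and the address of its shadow byte:
 *
 *   shadow  = (KASAN_STRIP_ADDR(addr)   >> KASAN_SCALE) + KASAN_OFFSET
 *   address = (KASAN_STRIP_ADDR(shadow) -  KASAN_OFFSET) << KASAN_SCALE
 *
 * KASAN_STRIP_ADDR() is the identity for kasan-classic and
 * VM_KERNEL_STRIP_UPTR() for kasan-tbi (see the model selection above).
 * ADDRESS_FOR_SHADOW() yields the first address covered by the shadow byte,
 * since the low KASAN_SCALE bits are lost in the forward direction.
 *
 * Neither macro performs any range or mapping check: the result is pure
 * arithmetic on the argument, so dereferencing SHADOW_FOR_ADDRESS() of an
 * arbitrary value is only safe once the caller has established that the
 * shadow for that address exists.
 *
 * SHADOW_FOR_ADDRESS() is wrapped in an outer pair of parentheses so the
 * cast result behaves as a single operand (for example when followed by a
 * subscript), instead of the cast binding to whatever follows the macro.
 */
#define ADDRESS_FOR_SHADOW(x) (((KASAN_STRIP_ADDR(x)) - KASAN_OFFSET) << KASAN_SCALE)
#define SHADOW_FOR_ADDRESS(x) ((uint8_t *)(((KASAN_STRIP_ADDR(x)) >> KASAN_SCALE) + KASAN_OFFSET))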
97 
/*
 * Bit flags classifying the access (or runtime event) being checked. The
 * enum is declared flag_enum and each named flag is a single bit, so values
 * combine with bitwise OR; the entries under "masks" are such combinations.
 * Used through the access_t typedef by kasan_check_enabled(),
 * kasan_is_blacklisted(), kasan_check_range() and the reporting functions
 * declared in this header.
 */
98 enum __attribute__((flag_enum)) kasan_access_types {
99 	/* Common to all KASAN versions */
100 	TYPE_LOAD    = BIT(0),  /* regular memory load */
101 	TYPE_STORE   = BIT(1),  /* regular store */
102 	TYPE_MEMR    = BIT(2),  /* memory intrinsic (read) */
103 	TYPE_MEMW    = BIT(3),  /* memory intrinsic (write) */
104 	TYPE_STRR    = BIT(4),  /* string intrinsic (read) */
105 	TYPE_STRW    = BIT(5),  /* string intrinsic (write) */
106 
107 	/* KASAN-classic specific */
108 	TYPE_KFREE   = BIT(6),  /* kfree() */
109 	TYPE_ZFREE   = BIT(7),  /* zfree() */
110 	TYPE_FSFREE  = BIT(8),  /* fakestack free */
111 
112 	TYPE_UAF           = BIT(12), /* NOTE(review): presumably use-after-free checking; not stated in this header, confirm */
113 	TYPE_POISON_GLOBAL = BIT(13), /* NOTE(review): presumably poisoning of globals, confirm */
114 	TYPE_POISON_HEAP   = BIT(14), /* NOTE(review): presumably poisoning of heap objects, confirm */
115 	/* no TYPE_POISON_STACK, because the runtime does not control stack poisoning */
116 	TYPE_TEST          = BIT(15), /* NOTE(review): presumably the KASAN self-test path, confirm */
117 
118 	/* masks */
119 	TYPE_MEM     = TYPE_MEMR | TYPE_MEMW,            /* memory intrinsics */
120 	TYPE_STR     = TYPE_STRR | TYPE_STRW,            /* string intrinsics */
121 	TYPE_READ    = TYPE_LOAD | TYPE_MEMR | TYPE_STRR,  /* all reads */
122 	TYPE_WRITE   = TYPE_STORE | TYPE_MEMW | TYPE_STRW, /* all writes */
123 	TYPE_RW      = TYPE_READ | TYPE_WRITE,           /* reads and writes */
124 	TYPE_FREE    = TYPE_KFREE | TYPE_ZFREE | TYPE_FSFREE, /* all three free kinds */
125 	TYPE_NORMAL  = TYPE_RW | TYPE_FREE,              /* reads, writes and frees */
126 	TYPE_DYNAMIC = TYPE_NORMAL | TYPE_UAF,           /* TYPE_NORMAL plus TYPE_UAF */
127 	TYPE_POISON  = TYPE_POISON_GLOBAL | TYPE_POISON_HEAP, /* both poison kinds */
128 	TYPE_ALL     = ~0U,                              /* every bit, including bits with no named flag */
129 };
130 
/*
 * Reason codes for a detected violation. Used through the violation_t
 * typedef by kasan_violation(), kasan_impl_decode_issue(),
 * kasan_impl_report_internal() and kasan_crash_report(). Unlike
 * kasan_access_types these are sequential values, not bit flags.
 */
131 enum kasan_violation_types {
132 	REASON_POISONED =       0, /* read or write of poisoned data */
133 	REASON_BAD_METADATA =   1, /* incorrect kasan metadata */
134 	REASON_INVALID_SIZE =   2, /* free size did not match alloc size */
135 	REASON_MOD_AFTER_FREE = 3, /* object modified after free */
136 	REASON_MOD_OOB =        4, /* out of bounds modification of object */
137 };
138 
139 typedef enum kasan_access_types access_t;
140 typedef enum kasan_violation_types violation_t;
141 
142 /*
143  * KASAN may support different shadow table formats and different checking
144  * strategies. The _impl functions are how the format-independent kasan
145  * code calls into the format-dependent implementations.
146  */
147 void kasan_impl_report_internal(uptr, uptr, access_t, violation_t, bool);
148 void kasan_impl_poison_range(vm_offset_t, vm_size_t, uint8_t);
149 void kasan_impl_kdp_disable(void);
150 void kasan_impl_init(void);
151 void kasan_impl_late_init(void);
152 void kasan_impl_fill_valid_range(uintptr_t, size_t);
153 
154 /*
155  * Poisoning comes from KASAN CLASSIC nomenclature. KASAN CLASSIC is based on
156  * identifying valid memory vs poisoned memory (memory that shouldn't be accessed).
157  * This terminology isn't great for KASAN TBI, but is kept for compatibility.
158  */
159 void kasan_poison(vm_offset_t, vm_size_t, vm_size_t, vm_size_t, uint8_t);
160 
161 /*
162  * Runtime checking. kasan_check_range() is consumed by the inlined
163  * instrumentation. See kasan-helper.c
164  */
165 bool kasan_check_enabled(access_t);
166 bool kasan_impl_check_enabled(access_t);
167 void kasan_check_range(const void *, size_t, access_t);
168 
169 /* dynamic blacklist */
170 void kasan_init_dybl(void);
171 bool kasan_is_blacklisted(access_t);
172 void kasan_dybl_load_kext(uintptr_t, const char *);
173 void kasan_dybl_unload_kext(uintptr_t);
174 
175 /* arch-specific interface */
176 void kasan_arch_init(void);
177 bool kasan_is_shadow_mapped(uintptr_t);
178 
179 /* Locking */
180 void kasan_lock(boolean_t *);
181 void kasan_unlock(boolean_t);
182 bool kasan_lock_held(thread_t);
183 
184 /* Subsystem helpers */
185 void kasan_free_internal(void **addrp, vm_size_t *sizep, int type, zone_t *, vm_size_t user_size, int locked, bool doquarantine);
186 void kasan_init_fakestack(void);
187 
188 /*
189  * Global variables need to be explicitly handled at runtime, both for xnu
190  * and for KEXTs.
191  */
192 void kasan_init_globals(vm_offset_t, vm_size_t);
193 
194 /*
195  * Handle KASAN-detected issues. If modifying kasan_crash_report(), remember
196  * that it is also called by the instrumentation; see kasan-helper.c.
197  */
198 void kasan_violation(uintptr_t, size_t, access_t, violation_t);
199 size_t kasan_impl_decode_issue(char *, size_t, uptr, uptr, access_t, violation_t);
200 void NOINLINE OS_NORETURN kasan_crash_report(uptr, uptr, access_t, violation_t);
201 
202 void kasan_handle_test(void);
203 
204 SYSCTL_DECL(kasan);
205 SYSCTL_DECL(_kern_kasan);
206 
207 #endif /* _KASAN_INTERNAL_H_ */
208