1 #include <stdio.h> 2 #include <assert.h> 3 #include <stdlib.h> 4 #include <unistd.h> 5 #include <mach/mach.h> 6 #include <pthread.h> 7 #include <sys/event.h> 8 #include <errno.h> 9 #include <string.h> 10 #include <libproc.h> 11 12 #include <darwintest.h> 13 14 T_GLOBAL_META(T_META_NAMESPACE("xnu.kevent"), 15 T_META_RADAR_COMPONENT_NAME("xnu"), 16 T_META_RADAR_COMPONENT_VERSION("kevent")); 17 18 extern int __proc_info(int32_t callnum, int32_t pid, uint32_t flavor, uint64_t arg, user_addr_t buffer, int32_t buffersize); 19 20 T_DECL(avoid_leaking_KASLR, "rdar://101248992") { 21 int kq = kqueue(); 22 T_ASSERT_GE(kq, 0, "Valid kqueue"); 23 24 mach_port_t sync_port = MACH_PORT_NULL, mq_port = MACH_PORT_NULL; 25 kern_return_t kr = KERN_SUCCESS; 26 27 kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &sync_port); 28 T_ASSERT_MACH_SUCCESS(kr, "allocated sync port"); 29 kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &mq_port); 30 T_ASSERT_MACH_SUCCESS(kr, "allocated mq port"); 31 32 33 /* Create a kmsg which has the receive right of mq port in it for later copy 34 * out */ 35 typedef struct msg_request_s { 36 mach_msg_header_t header; 37 mach_msg_body_t body; 38 mach_msg_port_descriptor_t port; 39 }* msg_request_t; 40 41 typedef struct msg_reply_s { 42 mach_msg_header_t header; 43 mach_msg_body_t body; 44 mach_msg_port_descriptor_t port; 45 mach_msg_trailer_t trailer; 46 }* msg_reply_t; 47 48 union { 49 struct msg_request_s request; 50 struct msg_reply_s reply; 51 } message; 52 memset(&message, 0, sizeof(message)); 53 54 msg_request_t requestp = &message.request; 55 msg_reply_t replyp = &message.reply; 56 57 *requestp = (struct msg_request_s) { 58 .header = { 59 .msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_MAKE_SEND_ONCE, 0, 0, MACH_MSGH_BITS_COMPLEX), 60 .msgh_remote_port = sync_port, 61 .msgh_local_port = MACH_PORT_NULL, 62 .msgh_voucher_port = MACH_PORT_NULL, 63 .msgh_size = sizeof(*requestp), 64 .msgh_id = 0x88888888, 65 }, 66 .body = { 67 .msgh_descriptor_count = 1, 68 }, 69 .port = { 70 .name = mq_port, 71 .type = MACH_MSG_PORT_DESCRIPTOR, 72 .disposition = MACH_MSG_TYPE_MOVE_RECEIVE, 73 }, 74 }; 75 76 /* 77 * Send the receive right of mq_port to sync_port for later copyout. 78 */ 79 kr = mach_msg(&requestp->header, MACH_SEND_MSG, sizeof(*requestp), 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL); 80 T_ASSERT_MACH_SUCCESS(kr, "sending message to sync port"); 81 82 /* 83 * The EV_DISPATCH is required that can pass filt_machport_kqueue_has_turnstile(). 84 * The received message will be copied out to replyp. 85 * In filt_machport_stash_port(), the value in ext[3] will be set to the mq_port object. 86 */ 87 struct kevent_qos_s req_event = { 88 .ident = sync_port, 89 .filter = EVFILT_MACHPORT, 90 .flags = EV_ADD | EV_DISPATCH, 91 .fflags = MACH_RCV_MSG, 92 .ext = { 93 [0] = (uint64_t)replyp, 94 [1] = sizeof(*replyp), 95 }, 96 }; 97 struct kevent_qos_s reply_event = {}; 98 99 int nevents = kevent_qos(kq, &req_event, 1, &reply_event, 1, NULL, NULL, 0); 100 T_ASSERT_EQ(nevents, 1, NULL); 101 T_ASSERT_EQ(replyp->body.msgh_descriptor_count, 1, NULL); 102 assert(MACH_PORT_VALID(replyp->port.name) && replyp->port.disposition == MACH_MSG_TYPE_MOVE_RECEIVE); 103 104 struct kevent_extinfo extinfo; 105 int knotes = __proc_info(PROC_INFO_CALL_PIDFDINFO, getpid(), PROC_PIDFDKQUEUE_EXTINFO, kq, (user_addr_t)&extinfo, sizeof(extinfo)); 106 T_ASSERT_EQ(knotes, 1, NULL); 107 T_ASSERT_EQ(extinfo.kqext_kev.ident, sync_port, NULL); 108 109 uint64_t leaked_addr = extinfo.kqext_kev.ext[3]; 110 T_ASSERT_EQ(leaked_addr, NULL, "Leaked kernel address"); 111 } 112