kern_mman.c source code [xnu/bsd/kern/kern_mman.c]

1	/*
2	* Copyright (c) 2007-2020 Apple Inc. All Rights Reserved.
3	*
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5	*
6	* This file contains Original Code and/or Modifications of Original Code
7	* as defined in and that are subject to the Apple Public Source License
8	* Version 2.0 (the 'License'). You may not use this file except in
9	* compliance with the License. The rights granted to you under the License
10	* may not be used to create, or enable the creation or redistribution of,
11	* unlawful or unlicensed copies of an Apple operating system, or to
12	* circumvent, violate, or enable the circumvention or violation of, any
13	* terms of an Apple operating system software license agreement.
14	*
15	* Please obtain a copy of the License at
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
17	*
18	* The Original Code and all software distributed under the License are
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23	* Please see the License for the specific language governing rights and
24	* limitations under the License.
25	*
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27	*/
28	/*
29	* Copyright (c) 1988 University of Utah.
30	* Copyright (c) 1991, 1993
31	* The Regents of the University of California. All rights reserved.
32	*
33	* This code is derived from software contributed to Berkeley by
34	* the Systems Programming Group of the University of Utah Computer
35	* Science Department.
36	*
37	* Redistribution and use in source and binary forms, with or without
38	* modification, are permitted provided that the following conditions
39	* are met:
40	* 1. Redistributions of source code must retain the above copyright
41	* notice, this list of conditions and the following disclaimer.
42	* 2. Redistributions in binary form must reproduce the above copyright
43	* notice, this list of conditions and the following disclaimer in the
44	* documentation and/or other materials provided with the distribution.
45	* 3. All advertising materials mentioning features or use of this software
46	* must display the following acknowledgement:
47	* This product includes software developed by the University of
48	* California, Berkeley and its contributors.
49	* 4. Neither the name of the University nor the names of its contributors
50	* may be used to endorse or promote products derived from this software
51	* without specific prior written permission.
52	*
53	* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
54	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
56	* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
57	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
58	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
59	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
60	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
61	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
62	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
63	* SUCH DAMAGE.
64	*
65	* from: Utah $Hdr: vm_mmap.c 1.6 91/10/21$
66	*
67	* @(#)vm_mmap.c 8.10 (Berkeley) 2/19/95
68	*/
69	/*
70	* NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
71	* support for mandatory and extensible security protections. This notice
72	* is included in support of clause 2.2 (b) of the Apple Public License,
73	* Version 2.0.
74	*/
75
76	/*
77	* Mapped file (mmap) interface to VM
78	*/
79
80	#include <sys/param.h>
81	#include <sys/systm.h>
82	#include <sys/filedesc.h>
83	#include <sys/proc_internal.h>
84	#include <sys/kauth.h>
85	#include <sys/resourcevar.h>
86	#include <sys/vnode_internal.h>
87	#include <sys/acct.h>
88	#include <sys/wait.h>
89	#include <sys/file_internal.h>
90	#include <sys/vadvise.h>
91	#include <sys/trace.h>
92	#include <sys/mman.h>
93	#include <sys/conf.h>
94	#include <sys/stat.h>
95	#include <sys/ubc.h>
96	#include <sys/ubc_internal.h>
97	#include <sys/sysproto.h>
98
99	#include <sys/syscall.h>
100	#include <sys/kdebug.h>
101	#include <sys/bsdtask_info.h>
102
103	#include <security/audit/audit.h>
104	#include <bsm/audit_kevents.h>
105
106	#include <mach/mach_types.h>
107	#include <mach/mach_traps.h>
108	#include <mach/vm_sync.h>
109	#include <mach/vm_behavior.h>
110	#include <mach/vm_inherit.h>
111	#include <mach/vm_statistics.h>
112	#include <mach/mach_vm.h>
113	#include <mach/vm_map.h>
114	#include <mach/host_priv.h>
115	#include <mach/sdt.h>
116	#include <mach-o/loader.h>
117
118	#include <machine/machine_routines.h>
119
120	#include <kern/cpu_number.h>
121	#include <kern/host.h>
122	#include <kern/task.h>
123	#include <kern/page_decrypt.h>
124
125	#include <IOKit/IOReturn.h>
126	#include <IOKit/IOBSD.h>
127
128	#include <vm/vm_map.h>
129	#include <vm/vm_kern.h>
130	#include <vm/vm_pager.h>
131	#include <vm/vm_protos.h>
132
133	#if CONFIG_MACF
134	#include <security/mac_framework.h>
135	#endif
136	#include <os/overflow.h>
137
138	/*
139	* this function implements the same logic as dyld's "dyld_fall_2020_os_versions"
140	* from dyld_priv.h. Basically, we attempt to draw the line of: "was this code
141	* compiled with an SDK from fall of 2020 or later?""
142	*/
143	static bool
144	proc_2020_fall_os_sdk_or_later(void)
145	{
146	const uint32_t proc_sdk_ver = proc_sdk(current_proc());
147
148	switch (proc_platform(current_proc())) {
149	case PLATFORM_MACOS:
150	return proc_sdk_ver >= `0x000a1000`; // DYLD_MACOSX_VERSION_10_16
151	case PLATFORM_IOS:
152	case PLATFORM_IOSSIMULATOR:
153	case PLATFORM_MACCATALYST:
154	return proc_sdk_ver >= `0x000e0000`; // DYLD_IOS_VERSION_14_0
155	case PLATFORM_BRIDGEOS:
156	return proc_sdk_ver >= `0x00050000`; // DYLD_BRIDGEOS_VERSION_5_0
157	case PLATFORM_TVOS:
158	case PLATFORM_TVOSSIMULATOR:
159	return proc_sdk_ver >= `0x000e0000`; // DYLD_TVOS_VERSION_14_0
160	case PLATFORM_WATCHOS:
161	case PLATFORM_WATCHOSSIMULATOR:
162	return proc_sdk_ver >= `0x00070000`; // DYLD_WATCHOS_VERSION_7_0
163	default:
164	/*
165	* tough call, but let's give new platforms the benefit of the doubt
166	* to avoid a re-occurence of rdar://89843927
167	*/
168	return true;
169	}
170	}
171
172	/*
173	* XXX Internally, we use VM_PROT_* somewhat interchangeably, but the correct
174	* XXX usage is PROT_* from an interface perspective. Thus the values of
175	* XXX VM_PROT_* and PROT_* need to correspond.
176	*/
177	int
178	mmap(proc_t p, struct mmap_args uap, user_addr_t retval)
179	{
180	/*
181	* Map in special device (must be SHARED) or file
182	*/
183	struct fileproc *fp;
184	struct vnode *vp;
185	int flags;
186	int prot;
187	int err = `0`;
188	vm_map_t user_map;
189	kern_return_t result;
190	vm_map_offset_t user_addr;
191	vm_map_offset_t sum;
192	vm_map_size_t user_size;
193	vm_object_offset_t pageoff;
194	vm_object_offset_t file_pos;
195	vm_map_kernel_flags_t vmk_flags = VM_MAP_KERNEL_FLAGS_NONE;
196	boolean_t docow;
197	vm_prot_t maxprot;
198	void *handle;
199	memory_object_t pager = MEMORY_OBJECT_NULL;
200	memory_object_control_t control;
201	int mapanon = `0`;
202	int fpref = `0`;
203	int error = `0`;
204	int fd = uap->fd;
205	int num_retries = `0`;
206
207	/*
208	* Note that for UNIX03 conformance, there is additional parameter checking for
209	* mmap() system call in libsyscall prior to entering the kernel. The sanity
210	* checks and argument validation done in this function are not the only places
211	* one can get returned errnos.
212	*/
213
214	user_map = current_map();
215	user_addr = (vm_map_offset_t)uap->addr;
216	user_size = (vm_map_size_t) uap->len;
217
218	AUDIT_ARG(addr, user_addr);
219	AUDIT_ARG(len, user_size);
220	AUDIT_ARG(fd, uap->fd);
221
222	if (vm_map_range_overflows(map: user_map, addr: user_addr, size: user_size)) {
223	return EINVAL;
224	}
225	prot = (uap->prot & VM_PROT_ALL);
226	#if 3777787
227	/*
228	* Since the hardware currently does not support writing without
229	* read-before-write, or execution-without-read, if the request is
230	* for write or execute access, we must imply read access as well;
231	* otherwise programs expecting this to work will fail to operate.
232	*/
233	if (prot & (VM_PROT_EXECUTE \| VM_PROT_WRITE)) {
234	prot \|= VM_PROT_READ;
235	}
236	#endif /* radar 3777787 */
237
238	flags = uap->flags;
239	vp = NULLVP;
240
241	/*
242	* verify no unknown flags are passed in, and if any are,
243	* fail out early to make sure the logic below never has to deal
244	* with invalid flag values. only do so for processes compiled
245	* with Fall 2020 or later SDK, which is where we drew this
246	* line and documented it as such.
247	*/
248	if (flags & ~(MAP_SHARED \|
249	MAP_PRIVATE \|
250	MAP_COPY \|
251	MAP_FIXED \|
252	MAP_RENAME \|
253	MAP_NORESERVE \|
254	MAP_RESERVED0080 \| //grandfathered in as accepted and ignored
255	MAP_NOEXTEND \|
256	MAP_HASSEMAPHORE \|
257	MAP_NOCACHE \|
258	MAP_JIT \|
259	MAP_TPRO \|
260	MAP_FILE \|
261	MAP_ANON \|
262	MAP_RESILIENT_CODESIGN \|
263	MAP_RESILIENT_MEDIA \|
264	#if XNU_TARGET_OS_OSX
265	MAP_32BIT \|
266	#endif
267	MAP_TRANSLATED_ALLOW_EXECUTE \|
268	MAP_UNIX03)) {
269	if (proc_2020_fall_os_sdk_or_later()) {
270	return EINVAL;
271	}
272	}
273
274
275	/*
276	* The vm code does not have prototypes & compiler doesn't do
277	* the right thing when you cast 64bit value and pass it in function
278	* call. So here it is.
279	*/
280	file_pos = (vm_object_offset_t)uap->pos;
281
282
283	/ make sure mapping fits into numeric range etc /
284	if (os_add3_overflow(file_pos, user_size, vm_map_page_size(user_map) - `1`, &sum)) {
285	return EINVAL;
286	}
287
288	if (flags & MAP_UNIX03) {
289	vm_map_offset_t offset_alignment_mask;
290
291	/*
292	* Enforce UNIX03 compliance.
293	*/
294
295	if (vm_map_is_exotic(map: current_map())) {
296	offset_alignment_mask = `0xFFF`;
297	} else {
298	offset_alignment_mask = vm_map_page_mask(map: current_map());
299	}
300	if (file_pos & offset_alignment_mask) {
301	/ file offset should be page-aligned /
302	return EINVAL;
303	}
304	if (!(flags & (MAP_PRIVATE \| MAP_SHARED))) {
305	/ need either MAP_PRIVATE or MAP_SHARED /
306	return EINVAL;
307	}
308	if (user_size == `0`) {
309	/ mapping length should not be 0 /
310	return EINVAL;
311	}
312	}
313
314	/*
315	* Align the file position to a page boundary,
316	* and save its page offset component.
317	*/
318	pageoff = (file_pos & vm_map_page_mask(map: user_map));
319	file_pos -= (vm_object_offset_t)pageoff;
320
321
322	/ Adjust size for rounding (on both ends). /
323	user_size += pageoff; / low end... /
324	user_size = vm_map_round_page(user_size,
325	vm_map_page_mask(user_map)); / hi end /
326
327
328	if (flags & MAP_JIT) {
329	if ((flags & MAP_FIXED) \|\|
330	(flags & MAP_SHARED) \|\|
331	!(flags & MAP_ANON) \|\|
332	(flags & MAP_RESILIENT_CODESIGN) \|\|
333	(flags & MAP_RESILIENT_MEDIA) \|\|
334	(flags & MAP_TPRO)) {
335	return EINVAL;
336	}
337	}
338
339	if ((flags & MAP_RESILIENT_CODESIGN) \|\|
340	(flags & MAP_RESILIENT_MEDIA)) {
341	if ((flags & MAP_ANON) \|\|
342	(flags & MAP_JIT) \|\|
343	(flags & MAP_TPRO)) {
344	return EINVAL;
345	}
346	}
347	if (flags & MAP_RESILIENT_CODESIGN) {
348	int reject_prot = ((flags & MAP_PRIVATE) ? VM_PROT_EXECUTE : (VM_PROT_WRITE \| VM_PROT_EXECUTE));
349	if (prot & reject_prot) {
350	/*
351	* Quick sanity check. maxprot is calculated below and
352	* we will test it again.
353	*/
354	return EPERM;
355	}
356	}
357	if (flags & MAP_SHARED) {
358	/*
359	* MAP_RESILIENT_MEDIA is not valid with MAP_SHARED because
360	* there is no place to inject zero-filled pages without
361	* actually adding them to the file.
362	* Since we didn't reject that combination before, there might
363	* already be callers using it and getting a valid MAP_SHARED
364	* mapping but without the resilience.
365	* For backwards compatibility's sake, let's keep ignoring
366	* MAP_RESILIENT_MEDIA in that case.
367	*/
368	flags &= ~MAP_RESILIENT_MEDIA;
369	}
370	if (flags & MAP_RESILIENT_MEDIA) {
371	if ((flags & MAP_ANON) \|\|
372	(flags & MAP_SHARED)) {
373	return EINVAL;
374	}
375	}
376	if (flags & MAP_TPRO) {
377	/*
378	* MAP_TPRO without VM_PROT_WRITE is not valid here because
379	* the TPRO mapping is handled at the PMAP layer with implicit RW
380	* protections.
381	*
382	* This would enable bypassing of file-based protections, i.e.
383	* a file open/mapped as read-only could be written to.
384	*/
385	if ((prot & VM_PROT_EXECUTE) \|\|
386	!(prot & VM_PROT_WRITE)) {
387	return EPERM;
388	}
389	}
390
391	/*
392	* Check for illegal addresses. Watch out for address wrap... Note
393	* that VM_*_ADDRESS are not constants due to casts (argh).
394	*/
395	if (flags & MAP_FIXED) {
396	/*
397	* The specified address must have the same remainder
398	* as the file offset taken modulo PAGE_SIZE, so it
399	* should be aligned after adjustment by pageoff.
400	*/
401	user_addr -= pageoff;
402	if (user_addr & vm_map_page_mask(map: user_map)) {
403	return EINVAL;
404	}
405	}
406	#ifdef notyet
407	/ DO not have apis to get this info, need to wait till then/
408	/*
409	* XXX for non-fixed mappings where no hint is provided or
410	* the hint would fall in the potential heap space,
411	* place it after the end of the largest possible heap.
412	*
413	* There should really be a pmap call to determine a reasonable
414	* location.
415	*/
416	else if (addr < vm_map_round_page(p->p_vmspace->vm_daddr + MAXDSIZ,
417	vm_map_page_mask(user_map))) {
418	addr = vm_map_round_page(p->p_vmspace->vm_daddr + MAXDSIZ,
419	vm_map_page_mask(user_map));
420	}
421
422	#endif
423
424	/ Entitlement check against code signing monitor /
425	if ((flags & MAP_JIT) && (vm_map_csm_allow_jit(map: user_map) != KERN_SUCCESS)) {
426	printf("[%d] code signing monitor denies JIT mapping\n", proc_pid(p));
427	return EPERM;
428	}
429
430	if (flags & MAP_ANON) {
431	maxprot = VM_PROT_ALL;
432	#if CONFIG_MACF
433	/*
434	* Entitlement check.
435	*/
436	error = mac_proc_check_map_anon(proc: p, cred: current_cached_proc_cred(p),
437	u_addr: user_addr, u_size: user_size, prot, flags, maxprot: &maxprot);
438	if (error) {
439	return EINVAL;
440	}
441	#endif /* MAC */
442
443	/*
444	* Mapping blank space is trivial. Use positive fds as the alias
445	* value for memory tracking.
446	*/
447	if (fd != -`1`) {
448	/*
449	* Use "fd" to pass (some) Mach VM allocation flags,
450	* (see the VM_FLAGS_* definitions).
451	*/
452	int vm_flags = fd & (VM_FLAGS_ALIAS_MASK \|
453	VM_FLAGS_SUPERPAGE_MASK \|
454	VM_FLAGS_PURGABLE \|
455	VM_FLAGS_4GB_CHUNK);
456
457	if (vm_flags != fd) {
458	/ reject if there are any extra flags /
459	return EINVAL;
460	}
461
462	/*
463	* vm_map_kernel_flags_set_vmflags() will assume that
464	* the full set of VM flags are passed, which is
465	* problematic for FIXED/ANYWHERE.
466	*
467	* The block handling MAP_FIXED below will do the same
468	* thing again which is fine because it's idempotent.
469	*/
470	if (flags & MAP_FIXED) {
471	vm_flags \|= VM_FLAGS_FIXED \| VM_FLAGS_OVERWRITE;
472	} else {
473	vm_flags \|= VM_FLAGS_ANYWHERE;
474	}
475	vm_map_kernel_flags_set_vmflags(vmk_flags: &vmk_flags, vm_flags_and_tag: vm_flags);
476	}
477
478	#if CONFIG_MAP_RANGES
479	/*
480	* if the client specified a tag, let the system policy apply.
481	*
482	* otherwise, force the heap range.
483	*/
484	if (vmk_flags.vm_tag) {
485	vm_map_kernel_flags_update_range_id(&vmk_flags, user_map);
486	} else {
487	vmk_flags.vmkf_range_id = UMEM_RANGE_ID_HEAP;
488	}
489	#endif /* CONFIG_MAP_RANGES */
490
491	handle = NULL;
492	file_pos = `0`;
493	pageoff = `0`;
494	mapanon = `1`;
495	} else {
496	struct vnode_attr va;
497	vfs_context_t ctx = vfs_context_current();
498
499	if (flags & MAP_JIT) {
500	return EINVAL;
501	}
502
503	/*
504	* Mapping file, get fp for validation. Obtain vnode and make
505	* sure it is of appropriate type.
506	*/
507	err = fp_lookup(p, fd, resultfp: &fp, locked: `0`);
508	if (err) {
509	return err;
510	}
511	fpref = `1`;
512	switch (FILEGLOB_DTYPE(fp->fp_glob)) {
513	case DTYPE_PSXSHM:
514	uap->addr = (user_addr_t)user_addr;
515	uap->len = (user_size_t)user_size;
516	uap->prot = prot;
517	uap->flags = flags;
518	uap->pos = file_pos;
519	error = pshm_mmap(p, uap, retval, fp, pageoff: (off_t)pageoff);
520	goto bad;
521	case DTYPE_VNODE:
522	break;
523	default:
524	error = EINVAL;
525	goto bad;
526	}
527	vp = (struct vnode *)fp_get_data(fp);
528	error = vnode_getwithref(vp);
529	if (error != `0`) {
530	goto bad;
531	}
532
533	if (vp->v_type != VREG && vp->v_type != VCHR) {
534	(void)vnode_put(vp);
535	error = EINVAL;
536	goto bad;
537	}
538
539	AUDIT_ARG(vnpath, vp, ARG_VNODE1);
540
541	/*
542	* POSIX: mmap needs to update access time for mapped files
543	*/
544	if ((vnode_vfsvisflags(vp) & MNT_NOATIME) == `0`) {
545	VATTR_INIT(&va);
546	nanotime(ts: &va.va_access_time);
547	VATTR_SET_ACTIVE(&va, va_access_time);
548	vnode_setattr(vp, vap: &va, ctx);
549	}
550
551	/*
552	* XXX hack to handle use of /dev/zero to map anon memory (ala
553	* SunOS).
554	*/
555	if (vp->v_type == VCHR \|\| vp->v_type == VSTR) {
556	(void)vnode_put(vp);
557	error = ENODEV;
558	goto bad;
559	} else {
560	/*
561	* Ensure that file and memory protections are
562	* compatible. Note that we only worry about
563	* writability if mapping is shared; in this case,
564	* current and max prot are dictated by the open file.
565	* XXX use the vnode instead? Problem is: what
566	* credentials do we use for determination? What if
567	* proc does a setuid?
568	*/
569	maxprot = VM_PROT_EXECUTE; / TODO: Remove this and restrict maxprot? /
570	if (fp->fp_glob->fg_flag & FREAD) {
571	maxprot \|= VM_PROT_READ;
572	} else if (prot & PROT_READ) {
573	(void)vnode_put(vp);
574	error = EACCES;
575	goto bad;
576	}
577	/*
578	* If we are sharing potential changes (either via
579	* MAP_SHARED or via the implicit sharing of character
580	* device mappings), and we are trying to get write
581	* permission although we opened it without asking
582	* for it, bail out.
583	*/
584
585	if ((flags & MAP_SHARED) != `0`) {
586	if ((fp->fp_glob->fg_flag & FWRITE) != `0` &&
587	/*
588	* Do not allow writable mappings of
589	* swap files (see vm_swapfile_pager.c).
590	*/
591	!vnode_isswap(vp)) {
592	/*
593	* check for write access
594	*
595	* Note that we already made this check when granting FWRITE
596	* against the file, so it seems redundant here.
597	*/
598	error = vnode_authorize(vp, NULL, KAUTH_VNODE_CHECKIMMUTABLE, ctx);
599
600	/ if not granted for any reason, but we wanted it, bad /
601	if ((prot & PROT_WRITE) && (error != `0`)) {
602	vnode_put(vp);
603	goto bad;
604	}
605
606	/ if writable, remember /
607	if (error == `0`) {
608	maxprot \|= VM_PROT_WRITE;
609	}
610	} else if ((prot & PROT_WRITE) != `0`) {
611	(void)vnode_put(vp);
612	error = EACCES;
613	goto bad;
614	}
615	} else {
616	maxprot \|= VM_PROT_WRITE;
617	}
618
619	handle = (void *)vp;
620	#if CONFIG_MACF
621	error = mac_file_check_mmap(cred: vfs_context_ucred(ctx),
622	fg: fp->fp_glob, prot, flags, file_pos: file_pos + pageoff,
623	maxprot: &maxprot);
624	if (error) {
625	(void)vnode_put(vp);
626	goto bad;
627	}
628	#endif /* MAC */
629	/*
630	* Consult the file system to determine if this
631	* particular file object can be mapped.
632	*
633	* N.B. If MAP_PRIVATE (i.e. CoW) has been specified,
634	* then we don't check for writeability on the file
635	* object, because it will only ever see reads.
636	*/
637	error = VNOP_MMAP_CHECK(vp, (flags & MAP_PRIVATE) ?
638	(prot & ~PROT_WRITE) : prot, ctx);
639	if (error) {
640	(void)vnode_put(vp);
641	goto bad;
642	}
643	}
644
645	/*
646	* No copy-on-read for mmap() mappings themselves.
647	*/
648	vmk_flags.vmkf_no_copy_on_read = `1`;
649	#if CONFIG_MAP_RANGES && !XNU_PLATFORM_MacOSX
650	/ force file ranges on !macOS /
651	vmk_flags.vmkf_range_id = UMEM_RANGE_ID_HEAP;
652	#endif /* CONFIG_MAP_RANGES && !XNU_PLATFORM_MacOSX */
653	}
654
655	if (user_size == `0`) {
656	if (!mapanon) {
657	(void)vnode_put(vp);
658	}
659	error = `0`;
660	goto bad;
661	}
662
663	/*
664	* We bend a little - round the start and end addresses
665	* to the nearest page boundary.
666	*/
667	user_size = vm_map_round_page(user_size,
668	vm_map_page_mask(user_map));
669
670	if (file_pos & vm_map_page_mask(map: user_map)) {
671	if (!mapanon) {
672	(void)vnode_put(vp);
673	}
674	error = EINVAL;
675	goto bad;
676	}
677
678	if ((flags & MAP_FIXED) == `0`) {
679	user_addr = vm_map_round_page(user_addr,
680	vm_map_page_mask(user_map));
681	} else {
682	if (user_addr != vm_map_trunc_page(user_addr,
683	vm_map_page_mask(user_map))) {
684	if (!mapanon) {
685	(void)vnode_put(vp);
686	}
687	error = EINVAL;
688	goto bad;
689	}
690	/*
691	* mmap(MAP_FIXED) will replace any existing mappings in the
692	* specified range, if the new mapping is successful.
693	* If we just deallocate the specified address range here,
694	* another thread might jump in and allocate memory in that
695	* range before we get a chance to establish the new mapping,
696	* and we won't have a chance to restore the old mappings.
697	* So we use VM_FLAGS_OVERWRITE to let Mach VM know that it
698	* has to deallocate the existing mappings and establish the
699	* new ones atomically.
700	*/
701	vmk_flags.vmf_fixed = true;
702	vmk_flags.vmf_overwrite = true;
703	}
704
705	if (flags & MAP_NOCACHE) {
706	vmk_flags.vmf_no_cache = true;
707	}
708
709	if (flags & MAP_JIT) {
710	vmk_flags.vmkf_map_jit = TRUE;
711	}
712
713	if (flags & MAP_TPRO) {
714	vmk_flags.vmf_tpro = true;
715	}
716
717	#if CONFIG_ROSETTA
718	if (flags & MAP_TRANSLATED_ALLOW_EXECUTE) {
719	if (!proc_is_translated(p)) {
720	if (!mapanon) {
721	(void)vnode_put(vp);
722	}
723	error = EINVAL;
724	goto bad;
725	}
726	vmk_flags.vmkf_translated_allow_execute = TRUE;
727	}
728	#endif
729
730	if (flags & MAP_RESILIENT_CODESIGN) {
731	vmk_flags.vmf_resilient_codesign = true;
732	}
733	if (flags & MAP_RESILIENT_MEDIA) {
734	vmk_flags.vmf_resilient_media = true;
735	}
736
737	#if XNU_TARGET_OS_OSX
738	/ macOS-specific MAP_32BIT flag handling /
739	if (flags & MAP_32BIT) {
740	vmk_flags.vmkf_32bit_map_va = TRUE;
741	}
742	#endif
743
744	/*
745	* Lookup/allocate object.
746	*/
747	if (handle == NULL) {
748	control = NULL;
749	#ifdef notyet
750	/ Hmm .. /
751	#if defined(VM_PROT_READ_IS_EXEC)
752	if (prot & VM_PROT_READ) {
753	prot \|= VM_PROT_EXECUTE;
754	}
755	if (maxprot & VM_PROT_READ) {
756	maxprot \|= VM_PROT_EXECUTE;
757	}
758	#endif
759	#endif
760
761	#if 3777787
762	if (prot & (VM_PROT_EXECUTE \| VM_PROT_WRITE)) {
763	prot \|= VM_PROT_READ;
764	}
765	if (maxprot & (VM_PROT_EXECUTE \| VM_PROT_WRITE)) {
766	maxprot \|= VM_PROT_READ;
767	}
768	#endif /* radar 3777787 */
769	map_anon_retry:
770
771	result = vm_map_enter_mem_object(map: user_map,
772	address: &user_addr, size: user_size,
773	mask: `0`, vmk_flags,
774	IPC_PORT_NULL, offset: `0`, FALSE,
775	cur_protection: prot, max_protection: maxprot,
776	inheritance: (flags & MAP_SHARED) ?
777	VM_INHERIT_SHARE :
778	VM_INHERIT_DEFAULT);
779
780	/ If a non-binding address was specified for this anonymous*
781	* mapping, retry the mapping with a zero base
782	* in the event the mapping operation failed due to
783	* lack of space between the address and the map's maximum.
784	*/
785	if ((result == KERN_NO_SPACE) && ((flags & MAP_FIXED) == `0`) && user_addr && (num_retries++ == `0`)) {
786	user_addr = vm_map_page_size(map: user_map);
787	goto map_anon_retry;
788	}
789	} else {
790	if (vnode_isswap(vp)) {
791	/*
792	* Map swap files with a special pager
793	* that returns obfuscated contents.
794	*/
795	control = NULL;
796	pager = swapfile_pager_setup(vp);
797	if (pager != MEMORY_OBJECT_NULL) {
798	control = swapfile_pager_control(mem_obj: pager);
799	}
800	} else {
801	control = ubc_getobject(vp, UBC_FLAGS_NONE);
802	}
803
804	if (control == NULL) {
805	(void)vnode_put(vp);
806	error = ENOMEM;
807	goto bad;
808	}
809
810	#if FBDP_DEBUG_OBJECT_NO_PAGER
811	//#define FBDP_PATH_NAME1 "/private/var/db/timezone/tz/2022a.1.1/icutz/"
812	#define FBDP_PATH_NAME1 "/private/var/db/timezone/tz/202"
813	#define FBDP_FILE_NAME1 "icutz44l.dat"
814	#define FBDP_PATH_NAME2 "/private/var/mobile/Containers/Data/InternalDaemon/"
815	#define FBDP_FILE_NAME_START2 "com.apple.LaunchServices-"
816	#define FBDP_FILE_NAME_END2 "-v2.csstore"
817	if (!strncmp(vp->v_name, FBDP_FILE_NAME1, strlen(FBDP_FILE_NAME1))) {
818	char *path;
819	int len;
820	bool already_tracked;
821	len = MAXPATHLEN;
822	path = zalloc_flags(ZV_NAMEI, Z_WAITOK \| Z_NOFAIL);
823	vn_getpath(vp, path, &len);
824	if (!strncmp(path, FBDP_PATH_NAME1, strlen(FBDP_PATH_NAME1))) {
825	if (memory_object_mark_as_tracked(control,
826	true,
827	&already_tracked) == KERN_SUCCESS &&
828	!already_tracked) {
829	printf("FBDP %s:%d marked vp %p \"%s\" moc %p as tracked\n", __FUNCTION__, __LINE__, vp, path, control);
830	}
831	}
832	zfree(ZV_NAMEI, path);
833	} else if (!strncmp(vp->v_name, FBDP_FILE_NAME_START2, strlen(FBDP_FILE_NAME_START2)) &&
834	strlen(vp->v_name) > strlen(FBDP_FILE_NAME_START2) + strlen(FBDP_FILE_NAME_END2) &&
835	!strncmp(vp->v_name + strlen(vp->v_name) - strlen(FBDP_FILE_NAME_END2),
836	FBDP_FILE_NAME_END2,
837	strlen(FBDP_FILE_NAME_END2))) {
838	char *path;
839	int len;
840	bool already_tracked;
841	len = MAXPATHLEN;
842	path = zalloc_flags(ZV_NAMEI, Z_WAITOK \| Z_NOFAIL);
843	vn_getpath(vp, path, &len);
844	if (!strncmp(path, FBDP_PATH_NAME2, strlen(FBDP_PATH_NAME2))) {
845	if (memory_object_mark_as_tracked(control,
846	true,
847	&already_tracked) == KERN_SUCCESS &&
848	!already_tracked) {
849	printf("FBDP %s:%d marked vp %p \"%s\" moc %p as tracked\n", __FUNCTION__, __LINE__, vp, path, control);
850	}
851	}
852	zfree(ZV_NAMEI, path);
853	}
854	#endif /* FBDP_DEBUG_OBJECT_NO_PAGER */
855
856	/*
857	* Set credentials:
858	* FIXME: if we're writing the file we need a way to
859	* ensure that someone doesn't replace our R/W creds
860	* with ones that only work for read.
861	*/
862
863	ubc_setthreadcred(vp, p, current_thread());
864	docow = FALSE;
865	if ((flags & (MAP_ANON \| MAP_SHARED)) == `0`) {
866	docow = TRUE;
867	}
868
869	#ifdef notyet
870	/ Hmm .. /
871	#if defined(VM_PROT_READ_IS_EXEC)
872	if (prot & VM_PROT_READ) {
873	prot \|= VM_PROT_EXECUTE;
874	}
875	if (maxprot & VM_PROT_READ) {
876	maxprot \|= VM_PROT_EXECUTE;
877	}
878	#endif
879	#endif /* notyet */
880
881	#if 3777787
882	if (prot & (VM_PROT_EXECUTE \| VM_PROT_WRITE)) {
883	prot \|= VM_PROT_READ;
884	}
885	if (maxprot & (VM_PROT_EXECUTE \| VM_PROT_WRITE)) {
886	maxprot \|= VM_PROT_READ;
887	}
888	#endif /* radar 3777787 */
889
890	map_file_retry:
891	if (flags & MAP_RESILIENT_CODESIGN) {
892	int reject_prot = ((flags & MAP_PRIVATE) ? VM_PROT_EXECUTE : (VM_PROT_WRITE \| VM_PROT_EXECUTE));
893	if (prot & reject_prot) {
894	/*
895	* Would like to use (prot \| maxprot) here
896	* but the assignment of VM_PROT_EXECUTE
897	* to maxprot above would always fail the test.
898	*
899	* Skipping the check is ok, however, because we
900	* restrict maxprot to prot just below in this
901	* block.
902	*/
903	assert(!mapanon);
904	vnode_put(vp);
905	error = EPERM;
906	goto bad;
907	}
908	/ strictly limit access to "prot" /
909	maxprot &= prot;
910	}
911
912	vm_object_offset_t end_pos = `0`;
913	if (os_add_overflow(user_size, file_pos, &end_pos)) {
914	vnode_put(vp);
915	error = EINVAL;
916	goto bad;
917	}
918
919	result = vm_map_enter_mem_object_control(map: user_map,
920	address: &user_addr, size: user_size,
921	mask: `0`, vmk_flags,
922	control, offset: file_pos,
923	needs_copy: docow, cur_protection: prot, max_protection: maxprot,
924	inheritance: (flags & MAP_SHARED) ?
925	VM_INHERIT_SHARE :
926	VM_INHERIT_DEFAULT);
927
928	/ If a non-binding address was specified for this file backed*
929	* mapping, retry the mapping with a zero base
930	* in the event the mapping operation failed due to
931	* lack of space between the address and the map's maximum.
932	*/
933	if ((result == KERN_NO_SPACE) && ((flags & MAP_FIXED) == `0`) && user_addr && (num_retries++ == `0`)) {
934	user_addr = vm_map_page_size(map: user_map);
935	goto map_file_retry;
936	}
937	}
938
939	if (!mapanon) {
940	(void)vnode_put(vp);
941	}
942
943	switch (result) {
944	case KERN_SUCCESS:
945	*retval = user_addr + pageoff;
946	error = `0`;
947	break;
948	case KERN_INVALID_ADDRESS:
949	case KERN_NO_SPACE:
950	error = ENOMEM;
951	break;
952	case KERN_PROTECTION_FAILURE:
953	error = EACCES;
954	break;
955	default:
956	error = EINVAL;
957	break;
958	}
959	bad:
960	if (pager != MEMORY_OBJECT_NULL) {
961	/*
962	* Release the reference on the pager.
963	* If the mapping was successful, it now holds
964	* an extra reference.
965	*/
966	memory_object_deallocate(object: pager);
967	}
968	if (fpref) {
969	fp_drop(p, fd, fp, locked: `0`);
970	}
971
972	KERNEL_DEBUG_CONSTANT((BSDDBG_CODE(DBG_BSD_SC_EXTENDED_INFO, SYS_mmap) \| DBG_FUNC_NONE), fd, (uint32_t)(*retval), (uint32_t)user_size, error, `0`);
973	#if XNU_TARGET_OS_OSX
974	KERNEL_DEBUG_CONSTANT((BSDDBG_CODE(DBG_BSD_SC_EXTENDED_INFO2, SYS_mmap) \| DBG_FUNC_NONE), (uint32_t)(*retval >> `32`), (uint32_t)(user_size >> `32`),
975	(uint32_t)(file_pos >> `32`), (uint32_t)file_pos, `0`);
976	#endif /* XNU_TARGET_OS_OSX */
977	return error;
978	}
979
980	int
981	msync(__unused proc_t p, struct msync_args uap, int32_t retval)
982	{
983	__pthread_testcancel(presyscall: `1`);
984	return msync_nocancel(p, (struct msync_nocancel_args *)uap, retval);
985	}
986
987	int
988	msync_nocancel(__unused proc_t p, struct msync_nocancel_args uap, __unused int32_t retval)
989	{
990	mach_vm_offset_t addr;
991	mach_vm_size_t size;
992	int flags;
993	vm_map_t user_map;
994	int rv;
995	vm_sync_t sync_flags = `0`;
996
997	user_map = current_map();
998	addr = (mach_vm_offset_t) uap->addr;
999	size = (mach_vm_size_t) uap->len;
1000	#if XNU_TARGET_OS_OSX
1001	KERNEL_DEBUG_CONSTANT((BSDDBG_CODE(DBG_BSD_SC_EXTENDED_INFO, SYS_msync) \| DBG_FUNC_NONE), (uint32_t)(addr >> `32`), (uint32_t)(size >> `32`), `0`, `0`, `0`);
1002	#endif /* XNU_TARGET_OS_OSX */
1003	if (vm_map_range_overflows(map: user_map, addr, size)) {
1004	return EINVAL;
1005	}
1006	if (addr & vm_map_page_mask(map: user_map)) {
1007	/ UNIX SPEC: user address is not page-aligned, return EINVAL /
1008	return EINVAL;
1009	}
1010	if (size == `0`) {
1011	/*
1012	* We cannot support this properly without maintaining
1013	* list all mmaps done. Cannot use vm_map_entry as they could be
1014	* split or coalesced by indepenedant actions. So instead of
1015	* inaccurate results, lets just return error as invalid size
1016	* specified
1017	*/
1018	return EINVAL; / XXX breaks posix apps /
1019	}
1020
1021	flags = uap->flags;
1022	/ disallow contradictory flags /
1023	if ((flags & (MS_SYNC \| MS_ASYNC)) == (MS_SYNC \| MS_ASYNC)) {
1024	return EINVAL;
1025	}
1026
1027	if (flags & MS_KILLPAGES) {
1028	sync_flags \|= VM_SYNC_KILLPAGES;
1029	}
1030	if (flags & MS_DEACTIVATE) {
1031	sync_flags \|= VM_SYNC_DEACTIVATE;
1032	}
1033	if (flags & MS_INVALIDATE) {
1034	sync_flags \|= VM_SYNC_INVALIDATE;
1035	}
1036
1037	if (!(flags & (MS_KILLPAGES \| MS_DEACTIVATE))) {
1038	if (flags & MS_ASYNC) {
1039	sync_flags \|= VM_SYNC_ASYNCHRONOUS;
1040	} else {
1041	sync_flags \|= VM_SYNC_SYNCHRONOUS;
1042	}
1043	}
1044
1045	sync_flags \|= VM_SYNC_CONTIGUOUS; / complain if holes /
1046
1047	rv = mach_vm_msync(target_task: user_map, address: addr, size, sync_flags);
1048
1049	switch (rv) {
1050	case KERN_SUCCESS:
1051	break;
1052	case KERN_INVALID_ADDRESS: / hole in region being sync'ed /
1053	return ENOMEM;
1054	case KERN_FAILURE:
1055	return EIO;
1056	default:
1057	return EINVAL;
1058	}
1059	return `0`;
1060	}
1061
1062
1063	int
1064	munmap(__unused proc_t p, struct munmap_args uap, __unused int32_t retval)
1065	{
1066	mach_vm_offset_t user_addr;
1067	mach_vm_size_t user_size;
1068	kern_return_t result;
1069	vm_map_t user_map;
1070
1071	user_map = current_map();
1072	user_addr = (mach_vm_offset_t) uap->addr;
1073	user_size = (mach_vm_size_t) uap->len;
1074
1075	AUDIT_ARG(addr, user_addr);
1076	AUDIT_ARG(len, user_size);
1077
1078	if (user_addr & vm_map_page_mask(map: user_map)) {
1079	/ UNIX SPEC: user address is not page-aligned, return EINVAL /
1080	return EINVAL;
1081	}
1082
1083	if (vm_map_range_overflows(map: user_map, addr: user_addr, size: user_size)) {
1084	return EINVAL;
1085	}
1086
1087	if (user_size == `0`) {
1088	/ UNIX SPEC: size is 0, return EINVAL /
1089	return EINVAL;
1090	}
1091
1092	result = mach_vm_deallocate(target: user_map, address: user_addr, size: user_size);
1093	if (result != KERN_SUCCESS) {
1094	return EINVAL;
1095	}
1096	return `0`;
1097	}
1098
1099	int
1100	mprotect(__unused proc_t p, struct mprotect_args uap, __unused int32_t retval)
1101	{
1102	vm_prot_t prot;
1103	mach_vm_offset_t user_addr;
1104	mach_vm_size_t user_size;
1105	kern_return_t result;
1106	vm_map_t user_map;
1107	#if CONFIG_MACF
1108	int error;
1109	#endif
1110
1111	AUDIT_ARG(addr, uap->addr);
1112	AUDIT_ARG(len, uap->len);
1113	AUDIT_ARG(value32, uap->prot);
1114
1115	user_map = current_map();
1116	user_addr = (mach_vm_offset_t) uap->addr;
1117	user_size = (mach_vm_size_t) uap->len;
1118	prot = (vm_prot_t)(uap->prot & (VM_PROT_ALL \| VM_PROT_TRUSTED \| VM_PROT_STRIP_READ));
1119
1120	if (vm_map_range_overflows(map: user_map, addr: user_addr, size: user_size)) {
1121	return EINVAL;
1122	}
1123	if (user_addr & vm_map_page_mask(map: user_map)) {
1124	/ UNIX SPEC: user address is not page-aligned, return EINVAL /
1125	return EINVAL;
1126	}
1127
1128	#ifdef notyet
1129	/ Hmm .. /
1130	#if defined(VM_PROT_READ_IS_EXEC)
1131	if (prot & VM_PROT_READ) {
1132	prot \|= VM_PROT_EXECUTE;
1133	}
1134	#endif
1135	#endif /* notyet */
1136
1137	#if 3936456
1138	if (prot & (VM_PROT_EXECUTE \| VM_PROT_WRITE)) {
1139	prot \|= VM_PROT_READ;
1140	}
1141	#endif /* 3936456 */
1142
1143	#if CONFIG_MACF
1144	/*
1145	* The MAC check for mprotect is of limited use for 2 reasons:
1146	* Without mmap revocation, the caller could have asked for the max
1147	* protections initially instead of a reduced set, so a mprotect
1148	* check would offer no new security.
1149	* It is not possible to extract the vnode from the pager object(s)
1150	* of the target memory range.
1151	* However, the MAC check may be used to prevent a process from,
1152	* e.g., making the stack executable.
1153	*/
1154	error = mac_proc_check_mprotect(proc: p, addr: user_addr,
1155	size: user_size, prot);
1156	if (error) {
1157	return error;
1158	}
1159	#endif
1160
1161	if (prot & VM_PROT_TRUSTED) {
1162	#if CONFIG_DYNAMIC_CODE_SIGNING
1163	/ CODE SIGNING ENFORCEMENT - JIT support /
1164	/ The special protection value VM_PROT_TRUSTED requests that we treat*
1165	* this page as if it had a valid code signature.
1166	* If this is enabled, there MUST be a MAC policy implementing the
1167	* mac_proc_check_mprotect() hook above. Otherwise, Codesigning will be
1168	* compromised because the check would always succeed and thusly any
1169	* process could sign dynamically. */
1170	result = vm_map_sign(
1171	user_map,
1172	vm_map_trunc_page(user_addr,
1173	vm_map_page_mask(user_map)),
1174	vm_map_round_page(user_addr + user_size,
1175	vm_map_page_mask(user_map)));
1176	switch (result) {
1177	case KERN_SUCCESS:
1178	break;
1179	case KERN_INVALID_ADDRESS:
1180	/ UNIX SPEC: for an invalid address range, return ENOMEM /
1181	return ENOMEM;
1182	default:
1183	return EINVAL;
1184	}
1185	#else
1186	return ENOTSUP;
1187	#endif
1188	}
1189	prot &= ~VM_PROT_TRUSTED;
1190
1191	result = mach_vm_protect(target_task: user_map, address: user_addr, size: user_size,
1192	FALSE, new_protection: prot);
1193	switch (result) {
1194	case KERN_SUCCESS:
1195	return `0`;
1196	case KERN_PROTECTION_FAILURE:
1197	return EACCES;
1198	case KERN_INVALID_ADDRESS:
1199	/ UNIX SPEC: for an invalid address range, return ENOMEM /
1200	return ENOMEM;
1201	}
1202	return EINVAL;
1203	}
1204
1205
1206	int
1207	minherit(__unused proc_t p, struct minherit_args uap, __unused int32_t retval)
1208	{
1209	mach_vm_offset_t addr;
1210	mach_vm_size_t size;
1211	vm_inherit_t inherit;
1212	vm_map_t user_map;
1213	kern_return_t result;
1214
1215	AUDIT_ARG(addr, uap->addr);
1216	AUDIT_ARG(len, uap->len);
1217	AUDIT_ARG(value32, uap->inherit);
1218
1219	user_map = current_map();
1220	addr = (mach_vm_offset_t)uap->addr;
1221	size = (mach_vm_size_t)uap->len;
1222	inherit = uap->inherit;
1223	if (vm_map_range_overflows(map: user_map, addr, size)) {
1224	return EINVAL;
1225	}
1226	result = mach_vm_inherit(target_task: user_map, address: addr, size,
1227	new_inheritance: inherit);
1228	switch (result) {
1229	case KERN_SUCCESS:
1230	return `0`;
1231	case KERN_PROTECTION_FAILURE:
1232	return EACCES;
1233	}
1234	return EINVAL;
1235	}
1236
1237	int
1238	madvise(__unused proc_t p, struct madvise_args uap, __unused int32_t retval)
1239	{
1240	vm_map_t user_map;
1241	mach_vm_offset_t start;
1242	mach_vm_size_t size;
1243	vm_behavior_t new_behavior;
1244	kern_return_t result;
1245
1246	/*
1247	* Since this routine is only advisory, we default to conservative
1248	* behavior.
1249	*/
1250	switch (uap->behav) {
1251	case MADV_RANDOM:
1252	new_behavior = VM_BEHAVIOR_RANDOM;
1253	break;
1254	case MADV_SEQUENTIAL:
1255	new_behavior = VM_BEHAVIOR_SEQUENTIAL;
1256	break;
1257	case MADV_NORMAL:
1258	new_behavior = VM_BEHAVIOR_DEFAULT;
1259	break;
1260	case MADV_WILLNEED:
1261	new_behavior = VM_BEHAVIOR_WILLNEED;
1262	break;
1263	case MADV_DONTNEED:
1264	new_behavior = VM_BEHAVIOR_DONTNEED;
1265	break;
1266	case MADV_FREE:
1267	new_behavior = VM_BEHAVIOR_FREE;
1268	break;
1269	case MADV_ZERO_WIRED_PAGES:
1270	new_behavior = VM_BEHAVIOR_ZERO_WIRED_PAGES;
1271	break;
1272	case MADV_FREE_REUSABLE:
1273	new_behavior = VM_BEHAVIOR_REUSABLE;
1274	break;
1275	case MADV_FREE_REUSE:
1276	new_behavior = VM_BEHAVIOR_REUSE;
1277	break;
1278	case MADV_CAN_REUSE:
1279	new_behavior = VM_BEHAVIOR_CAN_REUSE;
1280	break;
1281	case MADV_PAGEOUT:
1282	#if MACH_ASSERT
1283	new_behavior = VM_BEHAVIOR_PAGEOUT;
1284	break;
1285	#else /* MACH_ASSERT */
1286	return ENOTSUP;
1287	#endif /* MACH_ASSERT */
1288	case MADV_ZERO:
1289	new_behavior = VM_BEHAVIOR_ZERO;
1290	break;
1291	default:
1292	return EINVAL;
1293	}
1294
1295	user_map = current_map();
1296	start = (mach_vm_offset_t) uap->addr;
1297	size = (mach_vm_size_t) uap->len;
1298	if (vm_map_range_overflows(map: user_map, addr: start, size)) {
1299	return EINVAL;
1300	}
1301	#if __arm64__
1302	if (start == `0` &&
1303	size != `0` &&
1304	(uap->behav == MADV_FREE \|\|
1305	uap->behav == MADV_FREE_REUSABLE)) {
1306	printf("** FOURK_COMPAT: %d[%s] "
1307	"failing madvise(0x%llx,0x%llx,%s)\n",
1308	proc_getpid(p), p->p_comm, start, size,
1309	((uap->behav == MADV_FREE_REUSABLE)
1310	? "MADV_FREE_REUSABLE"
1311	: "MADV_FREE"));
1312	DTRACE_VM3(fourk_compat_madvise,
1313	uint64_t, start,
1314	uint64_t, size,
1315	int, uap->behav);
1316	return EINVAL;
1317	}
1318	#endif /* __arm64__ */
1319
1320	result = mach_vm_behavior_set(target_task: user_map, address: start, size, new_behavior);
1321	switch (result) {
1322	case KERN_SUCCESS:
1323	return `0`;
1324	case KERN_INVALID_ADDRESS:
1325	return EINVAL;
1326	case KERN_NO_SPACE:
1327	return ENOMEM;
1328	case KERN_PROTECTION_FAILURE:
1329	return EPERM;
1330	case KERN_NO_ACCESS:
1331	return ENOTSUP;
1332	}
1333
1334	return EINVAL;
1335	}
1336
1337	int
1338	mincore(__unused proc_t p, struct mincore_args uap, __unused int32_t retval)
1339	{
1340	mach_vm_offset_t addr = `0`, first_addr = `0`, end = `0`, cur_end = `0`;
1341	vm_map_t map = VM_MAP_NULL;
1342	user_addr_t vec = `0`;
1343	int error = `0`;
1344	int64_t lastvecindex = `0`;
1345	int mincoreinfo = `0`;
1346	int pqueryinfo = `0`;
1347	uint64_t pqueryinfo_vec_size = `0`;
1348	vm_page_info_basic_t info = NULL;
1349	mach_msg_type_number_t count = `0`;
1350	char *kernel_vec = NULL;
1351	uint64_t req_vec_size_pages = `0`, cur_vec_size_pages = `0`, vecindex = `0`;
1352	kern_return_t kr = KERN_SUCCESS;
1353	int effective_page_shift, effective_page_size;
1354
1355	map = current_map();
1356
1357	/*
1358	* On systems with 4k kernel space and 16k user space, we will
1359	* use the kernel page size to report back the residency information.
1360	* This is for backwards compatibility since we already have
1361	* processes that depend on this behavior.
1362	*/
1363	if (vm_map_page_shift(map) < PAGE_SHIFT) {
1364	effective_page_shift = vm_map_page_shift(map);
1365	effective_page_size = vm_map_page_size(map);
1366	} else {
1367	effective_page_shift = PAGE_SHIFT;
1368	effective_page_size = PAGE_SIZE;
1369	}
1370
1371	/*
1372	* Make sure that the addresses presented are valid for user
1373	* mode.
1374	*/
1375	first_addr = addr = vm_map_trunc_page(uap->addr,
1376	vm_map_page_mask(map));
1377	end = vm_map_round_page(uap->addr + uap->len,
1378	vm_map_page_mask(map));
1379
1380	if (end < addr) {
1381	return EINVAL;
1382	}
1383
1384	if (end == addr) {
1385	return `0`;
1386	}
1387
1388	/*
1389	* We are going to loop through the whole 'req_vec_size' pages
1390	* range in chunks of 'cur_vec_size'.
1391	*/
1392
1393	req_vec_size_pages = (end - addr) >> effective_page_shift;
1394	cur_vec_size_pages = MIN(req_vec_size_pages, (MAX_PAGE_RANGE_QUERY >> effective_page_shift));
1395	size_t kernel_vec_size = cur_vec_size_pages;
1396
1397	kernel_vec = (char *)kalloc_data(kernel_vec_size, Z_WAITOK \| Z_ZERO);
1398
1399	if (kernel_vec == NULL) {
1400	return ENOMEM;
1401	}
1402
1403	/*
1404	* Address of byte vector
1405	*/
1406	vec = uap->vec;
1407
1408	pqueryinfo_vec_size = cur_vec_size_pages * sizeof(struct vm_page_info_basic);
1409
1410	info = (struct vm_page_info_basic *)kalloc_data(pqueryinfo_vec_size, Z_WAITOK);
1411
1412	if (info == NULL) {
1413	kfree_data(kernel_vec, kernel_vec_size);
1414	return ENOMEM;
1415	}
1416
1417	while (addr < end) {
1418	cur_end = addr + (cur_vec_size_pages * effective_page_size);
1419
1420	count = VM_PAGE_INFO_BASIC_COUNT;
1421	kr = vm_map_page_range_info_internal(map,
1422	start_offset: addr,
1423	end_offset: cur_end,
1424	effective_page_shift,
1425	VM_PAGE_INFO_BASIC,
1426	info: (vm_page_info_t) info,
1427	count: &count);
1428
1429	assert(kr == KERN_SUCCESS);
1430
1431	/*
1432	* Do this on a map entry basis so that if the pages are not
1433	* in the current processes address space, we can easily look
1434	* up the pages elsewhere.
1435	*/
1436	lastvecindex = -`1`;
1437
1438	for (; addr < cur_end; addr += effective_page_size) {
1439	pqueryinfo = info[lastvecindex + `1`].disposition;
1440
1441	mincoreinfo = `0`;
1442
1443	if (pqueryinfo & VM_PAGE_QUERY_PAGE_PRESENT) {
1444	mincoreinfo \|= MINCORE_INCORE;
1445	}
1446	if (pqueryinfo & VM_PAGE_QUERY_PAGE_REF) {
1447	mincoreinfo \|= MINCORE_REFERENCED;
1448	}
1449	if (pqueryinfo & VM_PAGE_QUERY_PAGE_DIRTY) {
1450	mincoreinfo \|= MINCORE_MODIFIED;
1451	}
1452	if (pqueryinfo & VM_PAGE_QUERY_PAGE_PAGED_OUT) {
1453	mincoreinfo \|= MINCORE_PAGED_OUT;
1454	}
1455	if (pqueryinfo & VM_PAGE_QUERY_PAGE_COPIED) {
1456	mincoreinfo \|= MINCORE_COPIED;
1457	}
1458	if ((pqueryinfo & VM_PAGE_QUERY_PAGE_EXTERNAL) == `0`) {
1459	mincoreinfo \|= MINCORE_ANONYMOUS;
1460	}
1461	/*
1462	* calculate index into user supplied byte vector
1463	*/
1464	vecindex = (addr - first_addr) >> effective_page_shift;
1465	kernel_vec[vecindex] = (char)mincoreinfo;
1466	lastvecindex = vecindex;
1467	}
1468
1469
1470	assert(vecindex == (cur_vec_size_pages - `1`));
1471
1472	error = copyout(kernel_vec, vec, cur_vec_size_pages * sizeof(char) / a char per page /);
1473
1474	if (error) {
1475	break;
1476	}
1477
1478	/*
1479	* For the next chunk, we'll need:
1480	* - bump the location in the user buffer for our next disposition.
1481	* - new length
1482	* - starting address
1483	*/
1484	vec += cur_vec_size_pages * sizeof(char);
1485	req_vec_size_pages = (end - addr) >> effective_page_shift;
1486	cur_vec_size_pages = MIN(req_vec_size_pages, (MAX_PAGE_RANGE_QUERY >> effective_page_shift));
1487
1488	first_addr = addr;
1489	}
1490
1491	kfree_data(info, pqueryinfo_vec_size);
1492	kfree_data(kernel_vec, kernel_vec_size);
1493
1494	if (error) {
1495	return EFAULT;
1496	}
1497
1498	return `0`;
1499	}
1500
1501	int
1502	mlock(__unused proc_t p, struct mlock_args uap, __unused int32_t retvalval)
1503	{
1504	vm_map_t user_map;
1505	vm_map_offset_t addr;
1506	vm_map_size_t size, pageoff;
1507	kern_return_t result;
1508
1509	AUDIT_ARG(addr, uap->addr);
1510	AUDIT_ARG(len, uap->len);
1511
1512	user_map = current_map();
1513	addr = (vm_map_offset_t) uap->addr;
1514	size = (vm_map_size_t)uap->len;
1515
1516	if (vm_map_range_overflows(map: user_map, addr, size)) {
1517	return EINVAL;
1518	}
1519
1520	if (size == `0`) {
1521	return `0`;
1522	}
1523
1524	pageoff = (addr & vm_map_page_mask(map: user_map));
1525	addr -= pageoff;
1526	size = vm_map_round_page(size + pageoff, vm_map_page_mask(user_map));
1527
1528	/ have to call vm_map_wire directly to pass "I don't know" protections /
1529	result = vm_map_wire_kernel(map: user_map, start: addr, end: addr + size, VM_PROT_NONE, VM_KERN_MEMORY_MLOCK, TRUE);
1530
1531	if (result == KERN_RESOURCE_SHORTAGE) {
1532	return EAGAIN;
1533	} else if (result == KERN_PROTECTION_FAILURE) {
1534	return EACCES;
1535	} else if (result != KERN_SUCCESS) {
1536	return ENOMEM;
1537	}
1538
1539	return `0`; / KERN_SUCCESS /
1540	}
1541
1542	int
1543	munlock(__unused proc_t p, struct munlock_args uap, __unused int32_t retval)
1544	{
1545	mach_vm_offset_t addr;
1546	mach_vm_size_t size;
1547	vm_map_t user_map;
1548	kern_return_t result;
1549
1550	AUDIT_ARG(addr, uap->addr);
1551	AUDIT_ARG(len, uap->len);
1552
1553	addr = (mach_vm_offset_t) uap->addr;
1554	size = (mach_vm_size_t)uap->len;
1555	user_map = current_map();
1556	if (vm_map_range_overflows(map: user_map, addr, size)) {
1557	return EINVAL;
1558	}
1559	/ JMM - need to remove all wirings by spec - this just removes one /
1560	result = mach_vm_wire_kernel(map: user_map, start: addr, size, VM_PROT_NONE, VM_KERN_MEMORY_MLOCK);
1561	return result == KERN_SUCCESS ? `0` : ENOMEM;
1562	}
1563
1564
1565	int
1566	mlockall(__unused proc_t p, __unused struct mlockall_args uap, __unused int32_t retval)
1567	{
1568	return ENOSYS;
1569	}
1570
1571	int
1572	munlockall(__unused proc_t p, __unused struct munlockall_args uap, __unused int32_t retval)
1573	{
1574	return ENOSYS;
1575	}
1576
1577	#if CONFIG_CODE_DECRYPTION
1578	int
1579	mremap_encrypted(__unused struct proc p, struct* mremap_encrypted_args uap, __unused int32_t retval)
1580	{
1581	mach_vm_offset_t user_addr;
1582	mach_vm_size_t user_size;
1583	kern_return_t result;
1584	vm_map_t user_map;
1585	uint32_t cryptid;
1586	cpu_type_t cputype;
1587	cpu_subtype_t cpusubtype;
1588	pager_crypt_info_t crypt_info;
1589	const char * cryptname = `0`;
1590	char *vpath;
1591	int len, ret;
1592	struct proc_regioninfo_internal pinfo;
1593	vnode_t vp;
1594	uintptr_t vnodeaddr;
1595	uint32_t vid;
1596
1597	AUDIT_ARG(addr, uap->addr);
1598	AUDIT_ARG(len, uap->len);
1599
1600	user_map = current_map();
1601	user_addr = (mach_vm_offset_t) uap->addr;
1602	user_size = (mach_vm_size_t) uap->len;
1603
1604	cryptid = uap->cryptid;
1605	cputype = uap->cputype;
1606	cpusubtype = uap->cpusubtype;
1607
1608	if (vm_map_range_overflows(map: user_map, addr: user_addr, size: user_size)) {
1609	return EINVAL;
1610	}
1611	if (user_addr & vm_map_page_mask(map: user_map)) {
1612	/ UNIX SPEC: user address is not page-aligned, return EINVAL /
1613	return EINVAL;
1614	}
1615
1616	switch (cryptid) {
1617	case CRYPTID_NO_ENCRYPTION:
1618	/ not encrypted, just an empty load command /
1619	return `0`;
1620	case CRYPTID_APP_ENCRYPTION:
1621	case CRYPTID_MODEL_ENCRYPTION:
1622	cryptname = "com.apple.unfree";
1623	break;
1624	case `0x10`:
1625	/ some random cryptid that you could manually put into*
1626	* your binary if you want NULL */
1627	cryptname = "com.apple.null";
1628	break;
1629	default:
1630	return EINVAL;
1631	}
1632
1633	if (NULL == text_crypter_create) {
1634	return ENOTSUP;
1635	}
1636
1637	ret = fill_procregioninfo_onlymappedvnodes( t: proc_task(p), arg: user_addr, pinfo: &pinfo, vp: &vnodeaddr, vid: &vid);
1638	if (ret == `0` \|\| !vnodeaddr) {
1639	/ No really, this returns 0 if the memory address is not backed by a file /
1640	return EINVAL;
1641	}
1642
1643	vp = (vnode_t)vnodeaddr;
1644	if ((vnode_getwithvid(vp, vid)) == `0`) {
1645	vpath = zalloc(view: ZV_NAMEI);
1646
1647	len = MAXPATHLEN;
1648	ret = vn_getpath(vp, pathbuf: vpath, len: &len);
1649	if (ret) {
1650	zfree(ZV_NAMEI, vpath);
1651	vnode_put(vp);
1652	return ret;
1653	}
1654
1655	vnode_put(vp);
1656	} else {
1657	return EINVAL;
1658	}
1659
1660	#if 0
1661	kprintf("%s vpath %s cryptid 0x%08x cputype 0x%08x cpusubtype 0x%08x range 0x%016llx size 0x%016llx\n",
1662	__FUNCTION__, vpath, cryptid, cputype, cpusubtype, (uint64_t)user_addr, (uint64_t)user_size);
1663	#endif
1664
1665	if (user_size == `0`) {
1666	printf("%s:%d '%s': user_addr 0x%llx user_size 0x%llx cryptid 0x%x ignored\n", __FUNCTION__, __LINE__, vpath, user_addr, user_size, cryptid);
1667	zfree(ZV_NAMEI, vpath);
1668	return `0`;
1669	}
1670
1671	/ set up decrypter first /
1672	crypt_file_data_t crypt_data = {
1673	.filename = vpath,
1674	.cputype = cputype,
1675	.cpusubtype = cpusubtype,
1676	.origin = CRYPT_ORIGIN_LIBRARY_LOAD,
1677	};
1678	result = text_crypter_create(&crypt_info, cryptname, (void*)&crypt_data);
1679	#if VM_MAP_DEBUG_APPLE_PROTECT
1680	if (vm_map_debug_apple_protect) {
1681	printf("APPLE_PROTECT: %d[%s] map %p [0x%llx:0x%llx] %s(%s) -> 0x%x\n",
1682	proc_getpid(p), p->p_comm,
1683	user_map,
1684	(uint64_t) user_addr,
1685	(uint64_t) (user_addr + user_size),
1686	__FUNCTION__, vpath, result);
1687	}
1688	#endif /* VM_MAP_DEBUG_APPLE_PROTECT */
1689	zfree(ZV_NAMEI, vpath);
1690
1691	if (result) {
1692	printf("%s: unable to create decrypter %s, kr=%d\n",
1693	__FUNCTION__, cryptname, result);
1694	if (result == kIOReturnNotPrivileged) {
1695	/ text encryption returned decryption failure /
1696	return EPERM;
1697	} else {
1698	return ENOMEM;
1699	}
1700	}
1701
1702	/ now remap using the decrypter /
1703	vm_object_offset_t crypto_backing_offset;
1704	crypto_backing_offset = -`1`; / i.e. use map entry's offset /
1705	result = vm_map_apple_protected(map: user_map,
1706	start: user_addr,
1707	end: user_addr + user_size,
1708	crypto_backing_offset,
1709	crypt_info: &crypt_info,
1710	cryptid);
1711	if (result) {
1712	printf("%s: mapping failed with %d\n", __FUNCTION__, result);
1713	}
1714
1715	if (result) {
1716	return EPERM;
1717	}
1718	return `0`;
1719	}
1720	#endif /* CONFIG_CODE_DECRYPTION */
1721

Browse the source code of xnu/bsd/kern/kern_mman.c