kpf: Fix vm_map_protect on 18.2 for A8 devices
The second register passed to bics can now be w{16-31} instead of w{0-15}
for A8 devices; relax the maskmatch to catch that case.

Signed-off-by: Nick Chan <[email protected]>
asdfugil committed Nov 12, 2024
1 parent e1313a7 commit 4b02ff0
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions checkra1n/kpf/main.c
Expand Up @@ -507,7 +507,7 @@ static void kpf_vm_map_protect_patch(xnu_pf_patchset_t* xnu_text_exec_patchset)
// /x 00061f121f180071010000540000a837:10feffff1ffeffff1f0000ff1000f8ff
// /x e003302a1f041f72010000540000a837:f0fff0ff1ffeffff1f0000ff1000e8ff
// /x e003302a1f041f720100005400000035:f0fff0ff1ffeffff1f0000ff100000ff
// /x 1f00306a010000540000a837:1ffef0ff1f0000ff1000e8ff
// /x 1f00306a010000540000a837:1ffcf0ff1f0000ff1000e8ff
// /x e003302a00041f12:f0fff0ff10feffff
uint64_t matches_old[] = {
0x121f0600, // and w{0-15}, w{16-31}, 6
Expand Down Expand Up @@ -542,12 +542,12 @@ static void kpf_vm_map_protect_patch(xnu_pf_patchset_t* xnu_text_exec_patchset)
xnu_pf_maskmatch(xnu_text_exec_patchset, "vm_map_protect", matches_new, masks_new, sizeof(matches_new)/sizeof(uint64_t), false, (void*)kpf_vm_map_protect_branch_long);

uint64_t matches17[] = {
0x6a30001f, // bics wzr, w{0-15}, w{16-31}
0x6a30001f, // bics wzr, wN, w{16-31}
0x54000001, // b.ne 0x...
0x37a80000, // tbnz w{0-15}, {0x15 | 0x17}, 0x...
};
uint64_t masks17[] = {
0xfff0fe1f,
0xfff0fc1f,
0xff00001f,
0xffe80010,
};
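Review bot: The relaxed entry in masks17, `0xfff0fc1f`, leaves bits 9 and 8 free, so the bics pattern now admits any Rn (w0–w31, wzr included), not only the w{16-31} case the commit message describes; a plain mask match cannot tie the Rn field to a range narrower than a bit boundary, so unless the callback that consumes matches17 checks the register itself, this is a wider match than the message suggests. The reason for the relaxation lives only in the commit message, so the comment on the bics line should carry it, e.g. `0x6a30001f, // bics wzr, wN, w{16-31} -- Rn is w{16-31} on 18.2/A8, so bits 9-8 of the mask are left free`. The tbnz line below still limits Rt to w{0-15}, which is consistent with the old pattern but worth stating next to it now that the bics operand range differs. kpf_vm_map_protect_patch continues outside the hunk, including the xnu_pf_maskmatch call that consumes matches17 and masks17.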
