Move overlay handling to separate file, and introduce all the API cha…

…nges necessary for that

checkra1n/kpf-test/Makefile

@@ -15,8 +15,8 @@ RA1N := $(ROOT)/checkra1n/kpf
 KPF_H := $(wildcard $(RA1N)/*.h) $(wildcard $(INC)/*.h) $(wildcard $(SRC)/kernel/*.h) $(wildcard $(SRC)/drivers/*.h)
 KPF_C := main.c $(wildcard $(RA1N)/*.c) $(wildcard $(RA1N)/*.S) $(SRC)/drivers/xnu/xnu.c $(SRC)/drivers/xnu/xnu.S
 KPF_LD_FLAGS := -Wl,-fatal_warnings -Wl,-dead_strip $(KPF_LDFLAGS)
-KPF_CC_FLAGS := -std=gnu17 -Wall -Wstrict-prototypes -O3 -flto -I$(INC) -I$(SRC)/kernel -I$(SRC)/drivers -DCHECKRA1N_VERSION='"x.y.z"' -Diprintf=printf -Dpanic=realpanic \
- '-Djit_set_exec(m)=void pthread_jit_write_protect_np(int); pthread_jit_write_protect_np(m)' -DOVERRIDE_CACHEABLE_VIEW=0x800000000ULL -DDEV_BUILD $(KPF_CFLAGS) $(KPF_LD_FLAGS)
+KPF_CC_FLAGS := -std=gnu17 -Wall -Wstrict-prototypes -Werror=incompatible-function-pointer-types -O3 -flto -I$(INC) -I$(SRC)/kernel -I$(SRC)/drivers -DCHECKRA1N_VERSION='"x.y.z"' -Diprintf=printf -Dpanic=realpanic \
+ '-Djit_set_exec(m)=void pthread_jit_write_protect_np(int); pthread_jit_write_protect_np(m)' -DOVERRIDE_CACHEABLE_VIEW=0x800000000ULL -DDEV_BUILD -D_GNU_SOURCE $(KPF_CFLAGS) $(KPF_LD_FLAGS)
 
 ifeq ($(HOST_OS),Darwin)
  IOS_CC ?= xcrun -sdk iphoneos clang --target=arm64-apple-ios7.0

checkra1n/kpf-test/main.c

@@ -132,6 +132,11 @@ void command_register(const char* name, const char* desc, void (*cb)(const char*
  // nop
 }
 
+void* alloc_static(uint32_t size)
+{
+ return malloc(size);
+}
+
 void invalidate_icache(void)
 {
  // Kinda jank, but we know we're only gonna clean the JIT areas...

checkra1n/kpf/developer_mode.c

@@ -108,7 +108,7 @@ static void kpf_developer_mode_patch(xnu_pf_patchset_t *amfi_text_exec_patchset)
  xnu_pf_maskmatch(amfi_text_exec_patchset, "developer_mode", matches, masks, sizeof(matches)/sizeof(uint64_t), true, (void*)kpf_developer_mode_callback);
 }
 
-static void kpf_developer_mode_init(struct mach_header_64 *hdr, xnu_pf_range_t *cstring)
+static void kpf_developer_mode_init(struct mach_header_64 *hdr, xnu_pf_range_t *cstring, checkrain_option_t kpf_flags, checkrain_option_t checkra1n_flags)
 {
  struct mach_header_64 *amfi = xnu_pf_get_kext_header(hdr, "com.apple.driver.AppleMobileFileIntegrity");
  xnu_pf_range_t *amfi_cstring = xnu_pf_section(amfi, "__TEXT", "__cstring");

checkra1n/kpf/kpf.h

@@ -38,10 +38,10 @@
 
 #ifdef DEV_BUILD
 # define DEVLOG(msg, ...) do { printf(msg "\n", ##__VA_ARGS__); } while(0)
-# define panic_at(addr, msg, ...) do { panic(msg " (0x%llx)", ##__VA_ARGS__, xnu_ptr_to_va(addr)); } while(0)
+# define panic_at(addr, msg, ...) do { panic(msg " (0x%llx)", ##__VA_ARGS__, xnu_ptr_to_va((addr))); } while(0)
 #else
 # define DEVLOG(msg, ...) do {} while (0)
-# define panic_at(addr, msg, ...) do { panic(msg, ##__VA_ARGS__); } while (0)
+# define panic_at(addr, msg, ...) do { (void)(addr); panic(msg, ##__VA_ARGS__); } while (0)
 #endif
 
 // Common enough that we want defines for these
@@ -66,8 +66,8 @@ typedef const struct
 // shc_emit returns the actual number of instructions that were emitted.
 typedef const struct
 {
- void (*init)(struct mach_header_64 *hdr, xnu_pf_range_t *cstring);
- void (*finish)(struct mach_header_64 *hdr);
+ void (*init)(struct mach_header_64 *hdr, xnu_pf_range_t *cstring, checkrain_option_t kpf_flags, checkrain_option_t checkra1n_flags); // Flags are input only
+ void (*finish)(struct mach_header_64 *hdr, checkrain_option_t *checkra1n_flags); // Flags are output only
  uint32_t (*shc_size)(void);
  uint32_t (*shc_emit)(uint32_t *shellcode_area);
  kpf_patch_t patches[];
@@ -115,12 +115,15 @@ extern kpf_component_t kpf_dyld;
 extern kpf_component_t kpf_launch_constraints;
 extern kpf_component_t kpf_mach_port;
 extern kpf_component_t kpf_nvram;
+extern kpf_component_t kpf_overlay;
 extern kpf_component_t kpf_trustcache;
 extern kpf_component_t kpf_vfs;
 extern kpf_component_t kpf_vm_prot;
 
 /********** ********** ********** ********** ********** Exports ********** ********** ********** ********** **********/
 
+void kpf_overlay_cmd(const char *cmd, char *args);
+
 uint64_t kpf_vfs__vfs_context_current(void);
 uint64_t kpf_vfs__vnode_lookup(void);
 uint64_t kpf_vfs__vnode_put(void);

checkra1n/kpf/launch_constraints.c

@@ -86,7 +86,7 @@ static void kpf_launch_constraints_patch(xnu_pf_patchset_t *patchset)
  xnu_pf_maskmatch(patchset, "launch_constraints", matches, masks, sizeof(matches)/sizeof(uint64_t), true, (void*)kpf_launch_constraints_callback);
 }
 
-static void kpf_launch_constraints_init(struct mach_header_64 *hdr, xnu_pf_range_t *cstring)
+static void kpf_launch_constraints_init(struct mach_header_64 *hdr, xnu_pf_range_t *cstring, checkrain_option_t kpf_flags, checkrain_option_t checkra1n_flags)
 {
  const char constraints_string[] = "mac_proc_check_launch_constraints";
  const char *constraints_string_match = memmem(cstring->cacheable_base, cstring->size, constraints_string, sizeof(constraints_string));

checkra1n/kpf/mach_port.c

@@ -495,7 +495,7 @@ static void kpf_task_conversion_eval_patch(xnu_pf_patchset_t *xnu_text_exec_patc
  xnu_pf_maskmatch(xnu_text_exec_patchset, "task_conversion_eval", matches_imm, masks_imm, sizeof(matches_imm)/sizeof(uint64_t), false, (void*)kpf_task_conversion_eval_callback_imm);
 }
 
-static void kpf_mach_port_init(struct mach_header_64 *hdr, xnu_pf_range_t *cstring)
+static void kpf_mach_port_init(struct mach_header_64 *hdr, xnu_pf_range_t *cstring, checkrain_option_t kpf_flags, checkrain_option_t checkra1n_flags)
 {
  const char kmap_port_string[] = "userspace has control access to a"; // iOS 14 had broken panic strings
  const char *kmap_port_string_match = memmem(cstring->cacheable_base, cstring->size, kmap_port_string, sizeof(kmap_port_string) - 1); // don't match null byte
@@ -520,7 +520,7 @@ static void kpf_mach_port_patches(xnu_pf_patchset_t *xnu_text_exec_patchset)
  kpf_task_conversion_eval_patch(xnu_text_exec_patchset);
 }
 
-static void kpf_mach_port_finish(struct mach_header_64 *hdr)
+static void kpf_mach_port_finish(struct mach_header_64 *hdr, checkrain_option_t *checkra1n_flags)
 {
  if(need_convert_port_to_map_patch && !found_convert_port_to_map)
  {