Open
Description
Trying to patch SPUFirmwareValidation on iPadOS 15 beta 6 (M1 iPad Pro) gives the following error:
```
Darwin Kernel Version 21.0.0: Tue Aug 10 09:24:12 PDT 2021; root:xnu-8019.12.2~20/RELEASE_ARM64_T8101
$ lldb -- ~/Documents/repos/Kernel64Patcher/Kernel64Patcher kernelcache_ipados15b6.macho kernelcache_patched_ipados15b6.macho -a -s -r -p
(lldb) target create "/Users/zhuowei/Documents/repos/Kernel64Patcher/Kernel64Patcher"
Current executable set to '/Users/zhuowei/Documents/repos/Kernel64Patcher/Kernel64Patcher' (x86_64).
(lldb) settings set -- target.run-args "kernelcache_ipados15b6.macho" "kernelcache_patched_ipados15b6.macho" "-a" "-s" "-r" "-p"
(lldb) run
Process 28943 launched: '/Users/zhuowei/Documents/repos/Kernel64Patcher/Kernel64Patcher' (x86_64)
main: Starting...
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-8019 inputted
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str loc at 0x403413
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str ref at 0x17ad674
get_amfi_out_of_my_way_patch: Patching AMFI at 0x17a9224
Kernel: Adding SPUFirmwareValidation patch...
get_SPUFirmwareValidation_patch: Entering ...
get_SPUFirmwareValidation_patch: Found "%s: firmware validation failed %d" @%s:%d" str loc at 0x637781
get_SPUFirmwareValidation_patch: Found "%s: firmware validation failed %d" @%s:%d" ref at 0x26d1c58
Process 28943 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1054e9000)
frame #0: 0x0000000100005a36 Kernel64Patcher`xref64code(buf="\xcf\xfa\xed\xfe\f", start=0, end=18446744069421734940, what=40705052) at patchfinder64.c:435:23
432
433 end &= ~3;
434 for (i = start & ~3; i < end; i += 4) {
-> 435 uint32_t op = *(uint32_t *)(buf + i);
436 if ((op & 0x7C000000) == 0x14000000) {
437 addr_t where = follow_call64(buf, i);
438 //printf("%llx: B[L] 0x%llx\n", i + kerndumpbase, kerndumpbase + where);
Target 0: (Kernel64Patcher) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1054e9000)
* frame #0: 0x0000000100005a36 Kernel64Patcher`xref64code(buf="\xcf\xfa\xed\xfe\f", start=0, end=18446744069421734940, what=40705052) at patchfinder64.c:435:23
frame #1: 0x000000010000604e Kernel64Patcher`get_SPUFirmwareValidation_patch(kernel_buf=0x0000000102000000, kernel_len=55477560) at Kernel64Patcher.c:36:18
frame #2: 0x0000000100006e51 Kernel64Patcher`main(argc=7, argv=0x00007ffeefbff7f8) at Kernel64Patcher.c:272:13
frame #3: 0x00007fff203aef3d libdyld.dylib`start + 1
frame #4: 0x00007fff203aef3d libdyld.dylib`start + 1
(lldb) print buf
(const uint8_t *) $0 = 0x0000000102000000 "\xcf\xfa\xed\xfe\f"
(lldb) print i
(addr_t) $1 = 55480320
(lldb) frame 1
invalid command 'frame 1'.
(lldb) up
frame #1: 0x000000010000604e Kernel64Patcher`get_SPUFirmwareValidation_patch(kernel_buf=0x0000000102000000, kernel_len=55477560) at Kernel64Patcher.c:36:18
33 printf("%s: Could not find firmware validation function start\n",__FUNCTION__);
34 return -1;
35 }
-> 36 xref_stuff = xref64code(kernel_buf,0,(addr_t)GET_OFFSET(kernel_len, beg_func), beg_func);
37 if(!xref_stuff) {
38 printf("%s: Could not find previous xref\n",__FUNCTION__);
39 return -1;
(lldb) print beg_func
(addr_t) $2 = 40705052
(lldb)
```
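The `end` argument in frame #0, 18446744069421734940, is exactly `beg_func` (40705052 = 0x26d1c1c) minus the buffer base 0x102000000 wrapped to unsigned 64-bit, so the loop in `xref64code` keeps reading past the 55477560-byte kernelcache (`i` is already 55480320 at the crash). The C below is an added example, not Kernel64Patcher's code: it reproduces that wrapped value (assuming `GET_OFFSET` subtracts the buffer base from what is already a buffer offset) and shows a bounds-clamped variant of the B/BL xref scan that cannot run off the end of the mapping; `rd32le`, `xref64code_checked` and the sample buffer are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint64_t addr_t;

/* Read a little-endian 32-bit AArch64 instruction at buffer offset i. */
static uint32_t rd32le(const uint8_t *buf, addr_t i) {
    return (uint32_t)buf[i] | (uint32_t)buf[i + 1] << 8 |
           (uint32_t)buf[i + 2] << 16 | (uint32_t)buf[i + 3] << 24;
}

/* Branch target of a B/BL at offset i: sign-extend the 26-bit imm, scale by 4. */
static addr_t follow_call64(const uint8_t *buf, addr_t i) {
    int64_t imm = (int64_t)(rd32le(buf, i) & 0x03FFFFFF);
    if (imm & 0x02000000) imm -= 0x04000000;
    return i + (addr_t)(imm * 4);
}

/* Reproduces the `end` seen in the lldb session. Assumption: the caller subtracted
   the buffer base from beg_func, which is already an offset, so it wraps. */
addr_t wrapped_end_example(void) {
    addr_t kernel_buf = 0x102000000ULL, beg_func = 40705052ULL; /* values from the page */
    return beg_func - kernel_buf; /* 18446744069421734940 */
}

/* Bounds-checked scan: first B/BL in [start, end) whose target is `what`.
   `end` is clamped to the real buffer length, so a wrapped or oversized end
   can no longer walk past the mapping. Returns the offset, or 0 if not found. */
addr_t xref64code_checked(const uint8_t *buf, size_t buf_len,
                          addr_t start, addr_t end, addr_t what) {
    if (end > buf_len) end = buf_len;
    end &= ~(addr_t)3;
    for (addr_t i = start & ~(addr_t)3; i + 4 <= end; i += 4) {
        uint32_t op = rd32le(buf, i);
        if ((op & 0x7C000000) == 0x14000000 && follow_call64(buf, i) == what)
            return i;
    }
    return 0;
}

/* Constructed sample: a 0x200-byte buffer with one BL at 0x20 -> 0x100
   (0x94000038, little-endian). The wrapped end from the crash is passed in
   on purpose: the clamp keeps the scan inside the buffer and still finds the BL. */
addr_t demo_find_bl(void) {
    static uint8_t buf[0x200];
    buf[0x20] = 0x38; buf[0x21] = 0x00; buf[0x22] = 0x00; buf[0x23] = 0x94;
    return xref64code_checked(buf, sizeof buf, 0, wrapped_end_example(), 0x100);
}
```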