Fix amfi_ret jump offset computing

.github/workflows/ci.yml

@@ -1,4 +1,4 @@
-name: CI
+name: Build KPF & Pongo
 
 on:
   # Trigger on all pushes and pull requests
@@ -10,43 +10,53 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: macos-latest
     steps:
-      - name: Install toolchain
-        run: |
-          echo 'deb https://assets.checkra.in/debian /' | sudo tee /etc/apt/sources.list.d/checkra1n.list
-          sudo apt-key adv --fetch-keys https://assets.checkra.in/debian/archive.key
-          sudo apt-get update
-          sudo apt-get install -y ld64 cctools-strip
-      - name: Voodoo magic
-        id: voodoo
-        uses: actions/cache@v2
-        with:
-          key: ${{ github.event_name }}-${{ github.ref }}-${{ github.run_id }}
-          restore-keys: |
-            push-${{ github.ref }}-
-            push-
-          path: |
-            **
       - name: Checkout repository
-        if: steps.voodoo.outputs.cache-hit != 'true'
         uses: actions/checkout@v2
         with:
-          submodules: true
+          fetch-depth: 0
+
       - name: Update repository
-        if: steps.voodoo.outputs.cache-hit == 'true'
         run: |
+          git submodule update --init --recursive
           git fetch --all
           git reset --hard origin/$(git branch --show-current)
           git submodule update --recursive --remote
-      - name: Compile
-        run: EMBEDDED_CC='clang-10' EMBEDDED_AR='llvm-ar-10' EMBEDDED_RANLIB='llvm-ranlib-10' make all
-      - name: Archive
-        uses: actions/upload-artifact@v2
+
+      - name: Compile KPF and Pongo
+        run: |
+          make
+
+      - name: Prepare upload directory
+        run: |
+          mkdir upload
+          mv build/Pongo.bin upload/
+          mv build/checkra1n-kpf-pongo upload/
+
+      - name: Compile KPF and Pongo Development
+        run: |
+          make clean
+          make DEV_BUILD=1
+
+      - name: Prepare upload directory Development
+        run: |
+          mv build/Pongo.bin upload/Pongo.bin.development
+          mv build/checkra1n-kpf-pongo upload/checkra1n-kpf-pongo.development
+
+      - name: Get branch name
+        id: branch-name
+        uses: tj-actions/branch-names@v7
+
+      - name: Upload artifact
+        uses: wangyucode/[email protected]
         with:
-          name: PongoOS
-          path: |
-            build/checkra1n-kpf-pongo
-            build/Pongo
-            build/Pongo.bin
-            build/PongoConsolidated.bin
+          host: ${{ secrets.NICKCHAN_FTP_HOST }}
+          port: ${{ secrets.NICKCHAN_FTP_PORT }}
+          username: palera1n
+          password: ${{ secrets.NICKCHAN_FTP_PASS }}
+          forceUpload: true
+          dryRun: false
+          localDir: 'upload'
+          remoteDir: "/palera1n/artifacts/kpf/${{ steps.branch-name.outputs.ref_branch || github.ref }}"
+

Makefile

@@ -105,7 +105,7 @@ endif
 
 # General options
 EMBEDDED_LD_FLAGS           ?= -nostdlib -Wl,-dead_strip -Wl,-Z $(EMBEDDED_LDFLAGS)
-EMBEDDED_CC_FLAGS           ?= --target=arm64-apple-ios12.0 -std=gnu17 -Wall -Wstrict-prototypes -Werror=incompatible-function-pointer-types -flto -ffreestanding -nostdlibinc -fno-blocks -U__nonnull -DTARGET_OS_OSX=0 -DTARGET_OS_MACCATALYST=0 -D_GNU_SOURCE -D__DYNAMIC_REENT__ -DDER_TAG_SIZE=8 -I$(LIB)/include $(EMBEDDED_LD_FLAGS) $(EMBEDDED_CFLAGS)
+EMBEDDED_CC_FLAGS           ?= --target=arm64-apple-ios12.0 -std=gnu17 -Wall -Wstrict-prototypes -Werror=incompatible-function-pointer-types -flto -ffreestanding -nostdlibinc -fno-blocks -U__nonnull -DTARGET_OS_OSX=0 -DTARGET_OS_MACCATALYST=0 -D_GNU_SOURCE -D__DYNAMIC_REENT__ -DDER_TAG_SIZE=8 -Wno-strict-prototypes -I$(LIB)/include $(EMBEDDED_LD_FLAGS) $(EMBEDDED_CFLAGS)
 
 ifdef DEV_BUILD
     EMBEDDED_CC_FLAGS       += -DDEV_BUILD

checkra1n/kpf-test/.gitignore

@@ -1,2 +1,5 @@
 /kpf-test.ios
 /kpf-test.macos
+/kpf-test.linux
+shellcode_S_linux.S
+xnu_S_linux.S

checkra1n/kpf-test/Makefile

@@ -15,8 +15,11 @@ RA1N                    := $(ROOT)/checkra1n/kpf
 KPF_H                   := $(wildcard $(RA1N)/*.h) $(wildcard $(INC)/*.h) $(wildcard $(SRC)/kernel/*.h) $(wildcard $(SRC)/drivers/*.h)
 KPF_C                   := main.c $(wildcard $(RA1N)/*.c) $(wildcard $(RA1N)/*.S) $(SRC)/drivers/xnu/xnu.c $(SRC)/drivers/xnu/xnu.S
 KPF_LD_FLAGS            := -Wl,-fatal_warnings -Wl,-dead_strip $(KPF_LDFLAGS)
-KPF_CC_FLAGS            := -std=gnu17 -Wall -Wstrict-prototypes -Werror=incompatible-function-pointer-types -O3 -flto -I$(INC) -I$(SRC)/kernel -I$(SRC)/drivers -DCHECKRA1N_VERSION='"x.y.z"' -Diprintf=printf -Dpanic=realpanic \
+KPF_CC_FLAGS            := -std=gnu17 -Wall -Wno-strict-prototypes -Werror=incompatible-function-pointer-types -O3 -flto -I$(INC) -I$(SRC)/kernel -I$(SRC)/drivers -DCHECKRA1N_VERSION='"x.y.z"' -Diprintf=printf -Dpanic=realpanic \
                            '-Djit_set_exec(m)=void pthread_jit_write_protect_np(int); pthread_jit_write_protect_np(m)' -DOVERRIDE_CACHEABLE_VIEW=0x800000000ULL -DDEV_BUILD -D_GNU_SOURCE $(KPF_CFLAGS) $(KPF_LD_FLAGS)
+KPF_LD_FLAGS_LINUX      := 
+KPF_CC_FLAGS_LINUX      := -std=gnu17 -Wall -Wno-strict-prototypes -O3 -flto -I$(INC) -I$(SRC)/kernel -I$(SRC)/drivers -DCHECKRA1N_VERSION='"x.y.z"' -Diprintf=printf -Dpanic=realpanic \
+                           -DOVERRIDE_CACHEABLE_VIEW=0x800000000ULL '-Djit_set_exec(m)=void pthread_jit_write_protect_np(int);' -DDEV_BUILD -D_GNU_SOURCE -Iinclude $(KPF_CFLAGS) $(KPF_LD_FLAGS_LINUX)
 
 ifeq ($(HOST_OS),Darwin)
 	IOS_CC              ?= xcrun -sdk iphoneos clang --target=arm64-apple-ios7.0
@@ -26,6 +29,7 @@ else
 ifeq ($(HOST_OS),Linux)
 # TODO: macOS target
 	IOS_CC              ?= arm64-apple-ios12.0.0-clang -arch arm64
+	LINUX_CC            ?= clang
 	SIGN                ?= ldid -Sent.plist
 endif
 endif
@@ -42,5 +46,17 @@ kpf-test.ios: Makefile $(KPF_C) $(KPF_H)
 kpf-test.macos: Makefile $(KPF_C) $(KPF_H)
 	$(MACOS_CC) -o $@ $(KPF_C) $(KPF_CC_FLAGS)
 
+shellcode_S_linux.S: $(RA1N)/shellcode.S Makefile
+	sed -e 's/_pf_jit/pf_jit/g' -e 's/_dyld_shc/dyld_shc/g' -e 's/_sandbox/sandbox/g' \
+	-e 's/_fsctl_shc/fsctl_shc/g' -e 's/_kdi_shc/kdi_shc/g' -e 's/_nvram_shc/nvram_shc/g' \
+	-e 's/_launchd_execve_hook/launchd_execve_hook/g' $< > $@
+
+xnu_S_linux.S: $(SRC)/drivers/xnu/xnu.S Makefile
+	sed -e 's/_pf_jit/pf_jit/g' $< > $@
+
+kpf-test.linux: Makefile $(KPF_C) $(KPF_H) shellcode_S_linux.S xnu_S_linux.S
+	$(LINUX_CC) -o $@ main.c -lbsd -g $(wildcard $(RA1N)/*.c) $(SRC)/drivers/xnu/xnu.c shellcode_S_linux.S xnu_S_linux.S $(KPF_CC_FLAGS_LINUX)
+
 clean:
-	rm -f kpf-test.ios kpf-test.macos
+	rm -f kpf-test.ios kpf-test.macos kpf-test.linux
+	rm -f shellcode_S_linux.S xnu_S_linux.S

checkra1n/kpf-test/include/mach-o/loader.h

@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 1999-2010 Apple Inc.  All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+/* Mach-O declarations for non-Apple targets */
+#ifndef __APPLE__
+#ifndef _LOADER_H_
+#define _LOADER_H_
+
+#include <stdint.h>
+typedef int32_t integer_t;
+
+// <mach/machine.h>
+typedef integer_t       cpu_type_t;
+typedef integer_t       cpu_subtype_t;
+#define CPU_ARCH_ABI64	0x01000000		/* 64 bit ABI */
+#define CPU_TYPE_ARM		((cpu_type_t) 12)
+#define CPU_TYPE_ARM64          (CPU_TYPE_ARM | CPU_ARCH_ABI64)
+#define ARM_THREAD_STATE64 6 
+
+#define _STRUCT_ARM_THREAD_STATE64	struct __darwin_arm_thread_state64
+_STRUCT_ARM_THREAD_STATE64
+{
+	uint64_t    __x[29];	/* General purpose registers x0-x28 */
+	uint64_t    __fp;		/* Frame pointer x29 */
+	uint64_t    __lr;		/* Link register x30 */
+	uint64_t    __sp;		/* Stack pointer x31 */
+	uint64_t    __pc;		/* Program counter */
+	uint32_t    __cpsr;	/* Current program status register */
+};
+
+// <mach/vm_prot.h>
+typedef int             vm_prot_t;
+
+// <mach-o/fat.h>
+#define FAT_MAGIC	0xcafebabe
+#define FAT_CIGAM	0xbebafeca	/* NXSwapLong(FAT_MAGIC) */
+struct fat_header {
+	uint32_t	magic;		/* FAT_MAGIC */
+	uint32_t	nfat_arch;	/* number of structs that follow */
+};
+
+struct fat_arch {
+	cpu_type_t	cputype;	/* cpu specifier (int) */
+	cpu_subtype_t	cpusubtype;	/* machine specifier (int) */
+	uint32_t	offset;		/* file offset to this object file */
+	uint32_t	size;		/* size of this object file */
+	uint32_t	align;		/* alignment as a power of 2 */
+};
+
+// Everything below is from <mach-o/loader.h>
+#define MH_MAGIC_64 0xfeedfacf
+#define SG_NORELOC      0x4
+#define LC_REQ_DYLD 0x80000000
+#define LC_RPATH       (0x1c | LC_REQ_DYLD)    /* runpath additions */
+#define LC_BUILD_VERSION 0x32 /* build for platform min OS version */
+#define	LC_SEGMENT_64	0x19
+
+#define PLATFORM_MACOS 1
+#define PLATFORM_IOS 2
+#define PLATFORM_TVOS 3
+#define PLATFORM_WATCHOS 4
+#define PLATFORM_BRIDGEOS 5
+#define PLATFORM_MACCATALYST 6
+#define PLATFORM_IOSSIMULATOR 7
+#define PLATFORM_TVOSSIMULATOR 8
+#define PLATFORM_WATCHOSSIMULATOR 9
+#define PLATFORM_DRIVERKIT 10
+
+#define	LC_UNIXTHREAD	0x5	/* unix thread (includes a stack) */
+
+struct mach_header_64 {
+	uint32_t	magic;		/* mach magic number identifier */
+	cpu_type_t	cputype;	/* cpu specifier */
+	cpu_subtype_t	cpusubtype;	/* machine specifier */
+	uint32_t	filetype;	/* type of file */
+	uint32_t	ncmds;		/* number of load commands */
+	uint32_t	sizeofcmds;	/* the size of all the load commands */
+	uint32_t	flags;		/* flags */
+	uint32_t	reserved;	/* reserved */
+};
+
+struct segment_command_64 { /* for 64-bit architectures */
+	uint32_t	cmd;		/* LC_SEGMENT_64 */
+	uint32_t	cmdsize;	/* includes sizeof section_64 structs */
+	char		segname[16];	/* segment name */
+	uint64_t	vmaddr;		/* memory address of this segment */
+	uint64_t	vmsize;		/* memory size of this segment */
+	uint64_t	fileoff;	/* file offset of this segment */
+	uint64_t	filesize;	/* amount to map from the file */
+	vm_prot_t	maxprot;	/* maximum VM protection */
+	vm_prot_t	initprot;	/* initial VM protection */
+	uint32_t	nsects;		/* number of sections in segment */
+	uint32_t	flags;		/* flags */
+};
+
+struct build_version_command {
+    uint32_t	cmd;		/* LC_BUILD_VERSION */
+    uint32_t	cmdsize;	/* sizeof(struct build_version_command) plus */
+				/* ntools * sizeof(struct build_tool_version) */
+    uint32_t	platform;	/* platform */
+    uint32_t	minos;		/* X.Y.Z is encoded in nibbles xxxx.yy.zz */
+    uint32_t	sdk;		/* X.Y.Z is encoded in nibbles xxxx.yy.zz */
+    uint32_t	ntools;		/* number of tool entries following this */
+};
+
+struct load_command {
+	uint32_t cmd;		/* type of load command */
+	uint32_t cmdsize;	/* total size of command in bytes */
+};
+
+struct section_64 { /* for 64-bit architectures */
+	char		sectname[16];	/* name of this section */
+	char		segname[16];	/* segment this section goes in */
+	uint64_t	addr;		/* memory address of this section */
+	uint64_t	size;		/* size in bytes of this section */
+	uint32_t	offset;		/* file offset of this section */
+	uint32_t	align;		/* section alignment (power of 2) */
+	uint32_t	reloff;		/* file offset of relocation entries */
+	uint32_t	nreloc;		/* number of relocation entries */
+	uint32_t	flags;		/* flags (section type and attributes)*/
+	uint32_t	reserved1;	/* reserved (for offset or index) */
+	uint32_t	reserved2;	/* reserved (for count or sizeof) */
+	uint32_t	reserved3;	/* reserved */
+};
+
+#endif
+#endif