A.7. Miscellaneous Changes

Finally, let us look at a few miscellaneous system-level changes introduced in the x86 version of Mac OS X.

A.7.1. No Dual-Mapped Kernel Address Space

The kernel is not mapped into the address space of each task; it has its own 4GB address space. As we saw earlier, this is also the case with the PowerPC version of Mac OS X. Previous versions of Darwin/x86 (including the prototype x86-based Apple machines) did map the kernel into each user address space. An important reason for the change is the need to support video drivers for graphics cards with large amounts of physical memory. In a system with such a card (perhaps even multiple cards), if the driver wishes to map the entire memory of the card(s), a limited kernel address space would be problematic.

A.7.2. Nonexecutable Stack

The processors used in the x86-based Macintosh computers support a per-page nonexecutable bit, which can be used to implement a nonexecutable stack. The latter is one approach to countering the stack overflow class of security attacks. The approach can be generalized to making any kind of buffer nonexecutable, so that even if an attacker manages to introduce rogue code into a program's address space, it simply cannot be executed. This bit is enabled on the x86 version of Mac OS X. The program shown in Figure A-5 attempts to "execute" the stack, which contains illegal instructions (all zeros). The program will fail with an illegal instruction error on the PowerPC. In contrast, on the x86, access to the memory would be disallowed for execution, and the program would fail with a bus error.

Figure A-5. Testing a nonexecutable stack on the x86 version of Mac OS X

// runstack.c

#include <sys/types.h>
#include <stdint.h>

typedef void (* funcp_t)(void);

int
main(void)
{
    funcp_t  funcp;
    uint32_t stackarray[] = { 0 }; // "code" on the stack: a single all-zero word

    funcp = (funcp_t)stackarray;   // treat the stack buffer as a function
    funcp();                       // and try to call it

    return 0;
}

$ gcc -Wall -o runstack runstack.c
$ machine
ppc970
$ ./runstack
zsh: illegal hardware instruction  ./runstack
$ machine
i486
$ ./runstack
Bus error

Note, however, that a program can programmatically change a page's protection value to allow for execution. For example, the vm_protect() Mach call (see Chapter 8 for details) can be used for this purpose.

// stackarray not executable
...
vm_protect(mach_task_self(), (vm_address_t)stackarray, 4, FALSE, VM_PROT_ALL);
// stackarray executable now
...
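The test from Figure A-5, recast as an added example that is not the book's code: POSIX mmap() and mprotect() stand in for the stack and vm_protect(), one page is filled with a single return instruction, and the page is called first without and then with execute permission, with the fault trapped so the process can report it instead of dying. The probe_exec() function and the RET byte strings are constructed for this example.

```c
// nx_probe.c (constructed for this page, not the book's code): a portable cousin of runstack.c.
// mmap/mprotect stand in for the stack and vm_protect(); each probe maps a page holding one
// "return" instruction, calls it, and reports the outcome instead of letting the process die.
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET[] = { 0xC3 };                    /* ret */
#elif defined(__aarch64__)
static const unsigned char RET[] = { 0xC0, 0x03, 0x5F, 0xD6 };  /* ret, little-endian */
#else
static const unsigned char RET[] = { 0 };   /* unknown CPU: zeros, as in Figure A-5 */
#endif
typedef void (*funcp_t)(void);
static sigjmp_buf env;
static volatile sig_atomic_t caught;
static void on_fault(int sig) { caught = sig; siglongjmp(env, 1); }
/* Returns 0 if the page executed and returned, the signal number if the call
   faulted (SIGSEGV or SIGBUS on a non-executable page), or -1 on a setup error. */
int probe_exec(int prot) {
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, RET, sizeof RET);                     /* fill while writable ... */
    __builtin___clear_cache((char *)page, (char *)page + sizeof RET);  /* ARM needs an I-cache flush */
    if (mprotect(page, pagesz, prot) != 0) { munmap(page, pagesz); return -1; }  /* ... then set the protection under test */
    struct sigaction sa, old[3];
    const int sigs[3] = { SIGSEGV, SIGBUS, SIGILL };
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;                          /* handler must be able to fire again */
    for (int i = 0; i < 3; i++) sigaction(sigs[i], &sa, &old[i]);
    caught = 0;
    if (sigsetjmp(env, 1) == 0) {
        funcp_t fp; void *p = page;
        memcpy(&fp, &p, sizeof fp);                    /* object -> function pointer, no cast warning */
        fp();                                          /* "execute" the page */
    }
    for (int i = 0; i < 3; i++) sigaction(sigs[i], &old[i], NULL);
    munmap(page, pagesz);
    return caught;
}
int main(void) {
    printf("non-executable page: signal %d\n", probe_exec(PROT_READ));
    printf("executable page:     signal %d\n", probe_exec(PROT_READ | PROT_EXEC));
    return 0;
}
```

The same bytes fault with the page mapped read-only and run to completion once execute permission is added, which is exactly the protection flip vm_protect() performs above.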


A.7.3. Thread Creation

In Section 7.3.1.2, we saw an example (Figure 7-20) of creating a Mach thread within an existing task. Thread creation on x86 is largely identical, except that setup of the thread's initial state is x86-specific. Figure A-6 shows an excerpt from the x86 version of the my_thread_setup() function from Figure 7-20.

Figure A-6. Setting up a newly created thread's state on the x86 version of Mac OS X

void
my_thread_setup(thread_t th)
{
    kern_return_t          kr;
    mach_msg_type_number_t count;
    i386_thread_state_t    state = { 0 };
    uintptr_t             *stack = threadStack;

    ...

    count = i386_THREAD_STATE_COUNT;
    kr = thread_get_state(th, i386_THREAD_STATE,
                          (thread_state_t)&state, &count);
    ...

    //// setup of machine-dependent thread state

    // stack (grows from high memory to low memory)
    stack += PAGE_SIZE;

    // arrange arguments, if any, while ensuring 16-byte stack alignment
    *--stack = 0;
    state.esp = (uintptr_t)stack;

    // where to begin execution
    state.eip = (unsigned int)my_thread_routine;

    kr = thread_set_state(th, i386_THREAD_STATE, (thread_state_t)&state,
                          i386_THREAD_STATE_COUNT);
    ...
}

A.7.4. System Calls

When we discussed PowerPC system call processing in Chapter 6, we saw that in order to invoke a system call, the call number is passed in GPR0, and the sc instruction is executed. On the x86, the system call number is passed in the EAX register, and the sysenter instruction is used to enter the system call. Figure A-7 shows an assembly-language excerpt for invoking a system call.

Figure A-7. Invoking a system call on the x86 version of Mac OS X

movl    $N, %eax        # we are invoking system call number N
...
popl    %edx            # return address; sysexit loads EIP from EDX
movl    %esp, %ecx      # user stack pointer; sysexit loads ESP from ECX
sysenter
...

A.7.5. No /dev/mem or /dev/kmem

Beginning with the first x86 version of Mac OS X, the /dev/mem and /dev/kmem devices are no longer available. Consequently, interfaces such as kvm(3) are also not available. Rather than accessing raw kernel memory, user programs are now expected to use only published interfaces, such as the I/O Kit user library and the sysctl interface, to access kernel information.

This book's accompanying web site provides information about writing a kernel extension that provides /dev/kmem's functionality.

A.7.6. A New I/O Kit Plane

The I/O Registry has a new plane, the ACPI plane (IOACPIPlane), on the x86 version of Mac OS X. The ACPI plane's root node, called acpi, is an instance of the IOPlatformExpertDevice class.

Advanced Configuration and Power Interface (ACPI) exists as an interface for allowing the operating system to direct configuration and power management on the computer.


$ ioreg -p IOACPIPlane -w 0
+-o acpi  <class IOPlatformExpertDevice, ...>
  +-o CPU0@0  <class IOACPIPlatformDevice, ...>
  +-o CPU1@1  <class IOACPIPlatformDevice, ...>
  +-o _SB  <class IOACPIPlatformDevice, ...>
    +-o PWRB  <class IOACPIPlatformDevice, ...>
    +-o PCI0@0  <class IOACPIPlatformDevice, ...>
      +-o PDRC  <class IOACPIPlatformDevice, ...>
      +-o GFX0@20000  <class IOACPIPlatformDevice, ...>
      | +-o VGA@300  <class IOACPIPlatformDevice, ...>
      | +-o TV@200  <class IOACPIPlatformDevice, ...>
      +-o HDEF@1b0000  <class IOACPIPlatformDevice, ...>
      ...
      +-o SATA@1f0002  <class IOACPIPlatformDevice, ...>
      | +-o PRID@0  <class IOACPIPlatformDevice, ...>
      | | +-o P_D0@0  <class IOACPIPlatformDevice, ...>
      | | +-o P_D1@1  <class IOACPIPlatformDevice, ...>
      | +-o SECD@1  <class IOACPIPlatformDevice, ...>
      |   +-o S_D0@0  <class IOACPIPlatformDevice, ...>
      |   +-o S_D1@1  <class IOACPIPlatformDevice, ...>
      +-o SBUS@1f0003  <class IOACPIPlatformDevice, ...>

Mac OS X Internals: A Systems Approach
ISBN: 0321278542
Year: 2006
Pages: 161
Authors: Amit Singh
