macOS 10.14.5 kernel panics when using HC_INSERT_LIBRARY
steven-michaud opened this issue · 6 comments
The current version of HookCase (3.1) triggers a kernel panic on macOS 10.14.5 when you try to use HC_INSERT_LIBRARY to insert a hook library in any process. The HookCase kext does load, but the kernel panics the first time you try to use it (via HC_INSERT_LIBRARY). This behavior is new with macOS 10.4.5. It doesn't happen with earlier versions of Mojave (10.14), and doesn't happen even with the latest updates for High Sierra (10.13) and Sierra (10.12).
Shinvou reported this issue with a 10.14.5 beta (#8 (comment)). I'd hoped that it might get fixed in the 10.14.5 release, but apparently it hasn't.
I'll be working on this.
I also didn't look into it but I'd bet this has something todo with the new speculative execution attacks on Intel chips. https://threatpost.com/apple-patches-intel-side-channel-ios-macos/144743/
You're probably right. The same thought occurred to me, and yesterday I searched through the 10.14.5 kernel's assembly code on "cr3". I discovered that Apple has changed the offset of at least one "cr3" variable in the cpu_data structure. This kind of change normally only takes place between major versions. The last time I've seen similarly large changes in a new minor version was when Apple landed a workaround for the Intel Meltdown bug in macOS 10.13.2.
I also discovered that the kernel panic happens on the first call to copyout(), which is used to copy stuff from kernel space to user space. Apple's workaround for Meltdown involved fiddling with the CR3 register to make it harder to access kernel memory from a user-level program. I suspect they've done it again, but this time to make it harder to access user memory from the kernel.
I'll need to decipher Apple's new workaround from the 10.14.5 kernel binary. It took me a couple of months to figure out how to work around Apple's last Intel workaround. But their new workaround seems simpler, and with luck I should be able to get to the bottom of it in a couple of weeks.
If past performance is any guide, Apple will soon backport its new Intel workaround to the two previous major versions of macOS -- High Sierra (10.13) and Sierra (10.12). When/if this happens, it will break HookCase on those versions of macOS. Rather than trying to anticipate exactly what Apple will do, I'll wait for this to happen and deal with it then.
Turns out Apple did change an important data structure (cpu_data) in macOS 10.14.5, as part of their workaround for Intel's MDS bug. I also found out that they changed more data structures (_task and thread) in the 10.14.2 minor update, though only in the development and debug kernels. But they didn't deliberately try to make it harder to access user space from the kernel. The panic at the first call to copyout() was just a side effect of the changes to cpu_data.
This bug should now be fixed. Let me know, shinvou, if you have any trouble.
Everything works as expected. Thank you very much for fixing it that quick and for your continuous development.
You're most welcome :-)