alephsecurity · xliee · Nov 20, 2024 · Nov 20, 2024
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
@@ -169,6 +169,7 @@ static inline tcg_target_ulong cpu_tb_exec(CPUState *cpu, TranslationBlock *itb)
     }
 #endif /* DEBUG_DISAS */
 
+    qemu_thread_jit_execute();
     ret = tcg_qemu_tb_exec(env, tb_ptr);
     cpu->can_do_io = 1;
     last_tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);
@@ -357,7 +358,7 @@ static inline void tb_add_jump(TranslationBlock *tb, int n,
                                TranslationBlock *tb_next)
 {
     uintptr_t old;
-
+    qemu_thread_jit_write();
     assert(n < ARRAY_SIZE(tb->jmp_list_next));
     qemu_spin_lock(&tb_next->jmp_lock);
 

diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
@@ -1064,6 +1064,10 @@ static inline void *alloc_code_gen_buffer(void)
 #  endif
 # endif
 
+#if defined(__APPLE__) && defined(MAC_OS_VERSION_11_0)
+    flags |= MAP_JIT;
+#endif
+
     buf = mmap((void *)start, size, prot, flags, -1, 0);
     if (buf == MAP_FAILED) {
         return NULL;
@@ -1475,7 +1479,9 @@ static void do_tb_phys_invalidate(TranslationBlock *tb, bool rm_from_page_list)
 
 static void tb_phys_invalidate__locked(TranslationBlock *tb)
 {
+    qemu_thread_jit_write();
     do_tb_phys_invalidate(tb, true);
+    qemu_thread_jit_execute();
 }
 
 /* invalidate one TB
@@ -1677,6 +1683,7 @@ TranslationBlock *tb_gen_code(CPUState *cpu,
 #endif
 
     assert_memory_lock();
+    qemu_thread_jit_write();
 
     phys_pc = get_page_addr_code(env, pc);
 

diff --git a/hw/arm/guest-socket.c b/hw/arm/guest-socket.c
@@ -99,8 +99,8 @@ int32_t qc_handle_bind(CPUState *cpu, int32_t sckt, struct sockaddr *g_addr,
                             sizeof(addr), 0);
 
         if ((retval = bind(guest_svcs_fds[sckt], (struct sockaddr *) &addr,
-                           addrlen)) < 0) {
-            guest_svcs_errno = errno;
+                           addrlen) < 0)) {
+            guest_svcs_errno = darwin_error(errno);
         } else {
             cpu_memory_rw_debug(cpu, (target_ulong) g_addr, (uint8_t*) &addr,
                                 sizeof(addr), 1);

diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
@@ -605,6 +605,9 @@ extern int qemu_icache_linesize_log;
 extern int qemu_dcache_linesize;
 extern int qemu_dcache_linesize_log;
 
+void qemu_thread_jit_write(void);
+void qemu_thread_jit_execute(void);
+
 /*
  * After using getopt or getopt_long, if you need to parse another set
  * of options, then you must reset optind.  Unfortunately the way to

diff --git a/tcg/tcg.c b/tcg/tcg.c
@@ -1059,6 +1059,7 @@ void tcg_prologue_init(TCGContext *s)
     s->pool_labels = NULL;
 #endif
 
+    qemu_thread_jit_write();
     /* Generate the prologue.  */
     tcg_target_qemu_prologue(s);
 

diff --git a/util/osdep.c b/util/osdep.c
@@ -109,6 +109,9 @@ int qemu_mprotect_none(void *addr, size_t size)
 {
 #ifdef _WIN32
     return qemu_mprotect__osdep(addr, size, PAGE_NOACCESS);
+#elif defined(__APPLE__) && defined(__arm64__)
+ /* Workaround mprotect (RWX->NONE) issue on Big Sur 11.2 */
+ return 0;
 #else
     return qemu_mprotect__osdep(addr, size, PROT_NONE);
 #endif
@@ -547,3 +550,25 @@ writev(int fd, const struct iovec *iov, int iov_cnt)
     return readv_writev(fd, iov, iov_cnt, true);
 }
 #endif
+
+#if defined(__APPLE__) && defined(MAC_OS_VERSION_11_0)
+static inline void qemu_thread_jit_write_protect(bool enabled)
+{
+    if (pthread_jit_write_protect_supported_np()) {
+        pthread_jit_write_protect_np(enabled);
+    }
+}
+
+void qemu_thread_jit_execute(void)
+{
+    qemu_thread_jit_write_protect(true);
+}
+
+void qemu_thread_jit_write(void)
+{
+    qemu_thread_jit_write_protect(false);
+}
+#else
+void qemu_thread_jit_write(void) {}
+void qemu_thread_jit_execute(void) {}
+#endif