From 6c4165c7feec3b0c159ecffddae314b6b8b30ed2 Mon Sep 17 00:00:00 2001 From: Lakr Date: Fri, 6 Mar 2026 23:11:14 +0800 Subject: [PATCH] docs: fix formatting in kernel_patch_jb MD files Apply whitespace and formatting cleanups across research/kernel_patch_jb/*.md: add missing blank lines for readability, remove extraneous trailing blank lines, and adjust a small inline spacing/punctuation in patch_vm_map_protect.md. No semantic changes to content. --- research/kernel_patch_jb/patch_dounmount.md | 2 +- research/kernel_patch_jb/patch_mac_mount.md | 1 - research/kernel_patch_jb/patch_shared_region_map.md | 1 + research/kernel_patch_jb/patch_spawn_validate_persona.md | 2 +- research/kernel_patch_jb/patch_task_for_pid.md | 1 + research/kernel_patch_jb/patch_vm_map_protect.md | 3 +-- 6 files changed, 5 insertions(+), 5 deletions(-) diff --git a/research/kernel_patch_jb/patch_dounmount.md b/research/kernel_patch_jb/patch_dounmount.md index b97e32f..2e38440 100644 --- a/research/kernel_patch_jb/patch_dounmount.md +++ b/research/kernel_patch_jb/patch_dounmount.md @@ -48,6 +48,7 @@ On PCC 26.1 research the validated sequence is: The previous repo matcher had drifted to `0xCA81FC` on research. That drift was treated as a red flag because: + - it did **not** match upstream, - it matched a later teardown sequence with shape `mov x0, #0 ; mov w1, #0x10 ; mov x2, #0 ; bl ...`, - that later sequence does **not** correspond to the upstream `coveredvp` cleanup gate in either IDA or XNU source structure. @@ -175,4 +176,3 @@ Both variants emit exactly one patch: - Release/generalization rationale: the panic string is stable in stripped kernels, and the local 8-instruction shape is tight enough to stay cheap and robust across PCC 26.1 release / likely 26.3 release. - Performance note: one string-xref resolution plus a single function-local linear scan. - Focused PCC 26.1 research dry-run: `hit`, 1 write at `0x00CA8134`. - 
diff --git a/research/kernel_patch_jb/patch_mac_mount.md b/research/kernel_patch_jb/patch_mac_mount.md index ce7438f..5c2bb75 100644 --- a/research/kernel_patch_jb/patch_mac_mount.md +++ b/research/kernel_patch_jb/patch_mac_mount.md @@ -115,4 +115,3 @@ - Release/generalization rationale: the string keeps the search local to the right source module, while the paired semantic patterns identify the same function without relying on symbols. That combination should survive 26.1 release / likely 26.3 release better than a raw offset. - Performance note: one string anchor plus a bounded neighborhood scan (~`0x9000` bytes) instead of a whole-kernel semantic walk. - Focused PCC 26.1 research dry-run: `hit`, 2 writes at `0x00CA5D54` and `0x00CA5D88`. - diff --git a/research/kernel_patch_jb/patch_shared_region_map.md b/research/kernel_patch_jb/patch_shared_region_map.md index 0bf1986..7ea41dc 100644 --- a/research/kernel_patch_jb/patch_shared_region_map.md +++ b/research/kernel_patch_jb/patch_shared_region_map.md @@ -44,6 +44,7 @@ On PCC 26.1 research the validated sequence is: The older local analysis focused on a later fallback compare after the preboot lookup succeeded. That older focus is rejected because: + - it did **not** match the known-good upstream site, - XNU source first checks `srfmp->vp->v_mount != rdir_vp->v_mount` before any preboot lookup, - IDA on PCC 26.1 research still shows that first root-vs-process-root compare exactly at the upstream offset, diff --git a/research/kernel_patch_jb/patch_spawn_validate_persona.md b/research/kernel_patch_jb/patch_spawn_validate_persona.md index b1947b2..9e9a7c9 100644 --- a/research/kernel_patch_jb/patch_spawn_validate_persona.md +++ b/research/kernel_patch_jb/patch_spawn_validate_persona.md 
@@ -62,6 +62,7 @@ This helper is a compact persona validation subroutine in the spawn/exec policy ### Conclusion The upstream pair is the correct semantic gate because: + - it is the exact pair patched by the known-good upstream tool, - both branches converge on the helper's deny path, - they live in the small validation helper reached from the outer spawn entitlement wrapper, @@ -105,4 +106,3 @@ The upstream pair is the correct semantic gate because: - Release/generalization rationale: entitlement strings are stable across stripped kernels, and the dual-load/dual-cbz shape is tiny and source-backed. - Performance note: one string-xref resolution plus a very small helper-local scan. - Focused PCC 26.1 research dry-run: `hit`, 2 writes at `0x00FA7024` and `0x00FA702C`. - diff --git a/research/kernel_patch_jb/patch_task_for_pid.md b/research/kernel_patch_jb/patch_task_for_pid.md index 3d7868b..6c6c14d 100644 --- a/research/kernel_patch_jb/patch_task_for_pid.md +++ b/research/kernel_patch_jb/patch_task_for_pid.md @@ -40,6 +40,7 @@ On PCC 26.1 research the validated sequence is: The previous local rework had diverged to two later deny-return rewrites in small helper functions. That divergence is rejected because: + - it does **not** match the known-good upstream site, - the XNU source still explicitly says `/* Always check if pid == 0 */` and immediately returns failure, - IDA on PCC 26.1 research still shows the same early `cbz wPid, fail` gate at the exact upstream offset, diff --git a/research/kernel_patch_jb/patch_vm_map_protect.md b/research/kernel_patch_jb/patch_vm_map_protect.md index 1c0152a..c551f53 100644 --- a/research/kernel_patch_jb/patch_vm_map_protect.md +++ b/research/kernel_patch_jb/patch_vm_map_protect.md @@ -23,7 +23,7 @@ - Nearby validated block in IDA: - `mov w9, #6` - `bics wzr, w9, w20` - - `b.ne #0xbc0274` ← patched + - `b.ne #0xbc0274` ← patched - `tbnz w8, #0x16, #0xbc0274` - ... - `and w20, w20, #0xfffffffb` 
@@ -243,4 +243,3 @@ goto guarded_path; // unconditional - Release/generalization rationale: the panic string and the local BICS/TBNZ/write-clear shape are source-backed and should survive stripped release kernels with low matcher cost. - Performance note: one string-xref resolution and one function-local scan with a short semantic confirmation window. - Focused PCC 26.1 research dry-run: `hit`, 1 write at `0x00BC024C`. -
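Review bot: the blank line inserted before the `- it did **not** match upstream` list in the patch_dounmount.md `@@ -48,6 +48,7` hunk is the right fix (CommonMark renderers do not reliably start a list directly after a paragraph line, and markdownlint flags it as MD032); the same fix is applied in the shared_region_map, spawn_validate_persona and task_for_pid hunks, so consider wiring a markdownlint run (MD032 for lists, MD012 for the trailing blank lines this patch removes) into CI so the formatting does not drift again.

Review bot: the trailing blank line removed in the patch_dounmount.md `@@ -175,4 +176,3` hunk is fine; no `\ No newline at end of file` marker appears, so the file still ends with a single newline after the `Focused PCC 26.1 research dry-run` bullet. The same holds for the matching end-of-file hunks in patch_mac_mount.md, patch_spawn_validate_persona.md and patch_vm_map_protect.md.

Review bot: in the patch_vm_map_protect.md `@@ -23,7 +23,7` hunk the removed and added `- \`b.ne #0xbc0274\` ← patched` lines render identically, so the change is in invisible whitespace and the commit message's "small inline spacing/punctuation" does not say what was replaced. Please name the character in the message (for example a non-breaking or doubled space around `←`) so a reviewer can confirm it with `git show --word-diff-regex=.` or `git show | cat -A`; a silent byte change in the bullet that documents which branch is patched deserves to be stated explicitly.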