Enable 16 verified kernel JB patches, add per-patch research docs

Batch-tested all 24 kernel JB patches individually: - 18 enabled: A1,A3,A4,B5,B7,B9-B20,C21,C22 - 3 PANIC: A2, B6 (proc_security_policy), B8 (convert_port_to_map), C23 (hook_cred_label_update_execve) - 1 NOT_BOOT: C24 (kcall10) Added research/kernel_patch_jb/ with per-patch analysis notes.
2026-04-05 13:09:06 +08:00 · 2026-03-04 20:08:00 +08:00
parent 9bb53b7368
commit 7daa2c4773
26 changed files with 669 additions and 25 deletions
--- a/research/kernel_patch_jb/patch_shared_region_map.md
+++ b/research/kernel_patch_jb/patch_shared_region_map.md
@@ -0,0 +1,24 @@
+# B17 `patch_shared_region_map`
+
+## How the patch works
+- Source: `scripts/patchers/kernel_jb_patch_shared_region.py`.
+- Locator strategy:
+  1. Try symbol `_shared_region_map_and_slide_setup`.
+  2. Fallback string anchor: `/private/preboot/Cryptexes`.
+  3. In function body, find `cmp <reg>, <reg>` followed by `b.ne` style guard.
+- Patch action:
+  - Rewrite compare to `cmp x0, x0`.
+
+## Expected outcome
+- Force compare result toward equality path, weakening rejection branch behavior.
+
+## Target
+- Shared region setup guard in `_shared_region_map_and_slide_setup` path.
+
+## IDA MCP evidence
+- Anchor string: `0xfffffe000708c481` (`/private/preboot/Cryptexes`)
+- xref: `0xfffffe00080769dc`
+- containing function start: `0xfffffe0008076260`
+
+## Risk
+- Shared-region mapping checks influence process memory layout/security assumptions.