XNU kernelcache plugin slows down /x by orders of magnitude

[Siguza]

Work environment

Questions	Answers
OS/arch/bits (mandatory)	macOS 10.15.6
File format of the file you reverse (mandatory)	Mach-O
Architecture/bits of the file (mandatory)	arm64/arm64e
r2 -v full output, not truncated (mandatory)	radare2 4.6.0-git 25116 @ darwin-x86-64 git.4.4.0-787-g16a91fbe5 commit: 16a91fbe5ac930575ee6b24d3a3b25d0085688c1 build: 2020-10-06__01:49:45

Expected behavior

Less than 5 seconds with -Fmach064:

% time r2 -q -c '/x 0010c09a:00fce0ff' -Fmach064 iOS-14.0.1-18A393-j307ap,j308ap
Searching 4 bytes in [0xfffffff009cec000-0xfffffff009d10608]
hits: 0
Searching 4 bytes in [0xfffffff009bc4000-0xfffffff009cec000]
hits: 0
Searching 4 bytes in [0xfffffff009ba4000-0xfffffff009bc4000]
hits: 0
Searching 4 bytes in [0xfffffff009a54000-0xfffffff009ba4000]
hits: 0
Searching 4 bytes in [0xfffffff009a50000-0xfffffff009a54000]
hits: 0
Searching 4 bytes in [0xfffffff009a4c000-0xfffffff009a50000]
hits: 0
Searching 4 bytes in [0xfffffff009a48000-0xfffffff009a4c000]
hits: 0
Searching 4 bytes in [0xfffffff009a44000-0xfffffff009a48000]
hits: 0
Searching 4 bytes in [0xfffffff009a24000-0xfffffff009a44000]
hits: 0
Searching 4 bytes in [0xfffffff007b50000-0xfffffff009a24000]
hits: 5
Searching 4 bytes in [0xfffffff0077c8000-0xfffffff007b50000]
hits: 0
Searching 4 bytes in [0xfffffff007004000-0xfffffff0077c8000]
hits: 2
0xfffffff007b84b46 hit0_0 1a12c89a
0xfffffff007edb81e hit0_1 0b12c99a
0xfffffff008370295 hit0_2 0113cb9a
0xfffffff00910c4d3 hit0_3 4a11d59a
0xfffffff00911514a hit0_4 0111cc9a
0xfffffff0070ad17c hit0_5 ed10c19a
0xfffffff0070d3d3f hit0_6 f311cb9a
r2 -q -c '/x 0010c09a:00fce0ff' -Fmach064 iOS-14.0.1-18A393-j307ap,j308ap  4.74s user 0.09s system 98% cpu 4.887 total

Actual behavior

More than 6 minutes with -Fkernelcache:

% time r2 -q -c '/x 0010c09a:00fce0ff' -Fkernelcache iOS-14.0.1-18A393-j307ap,j308ap
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
reconstructing chained fixups
Searching 4 bytes in [0xfffffff009cec000-0xfffffff009d10608]
hits: 0
Searching 4 bytes in [0xfffffff009bc4000-0xfffffff009cec000]
hits: 0
Searching 4 bytes in [0xfffffff009ba4000-0xfffffff009bc4000]
hits: 0
Searching 4 bytes in [0xfffffff009a54000-0xfffffff009ba4000]
hits: 0
Searching 4 bytes in [0xfffffff009a50000-0xfffffff009a54000]
hits: 0
Searching 4 bytes in [0xfffffff009a4c000-0xfffffff009a50000]
hits: 0
Searching 4 bytes in [0xfffffff009a48000-0xfffffff009a4c000]
hits: 0
Searching 4 bytes in [0xfffffff009a44000-0xfffffff009a48000]
hits: 0
Searching 4 bytes in [0xfffffff009a24000-0xfffffff009a44000]
hits: 0
Searching 4 bytes in [0xfffffff007b50000-0xfffffff009a24000]
hits: 5
Searching 4 bytes in [0xfffffff0077c8000-0xfffffff007b50000]
hits: 0
Searching 4 bytes in [0xfffffff007004000-0xfffffff0077c8000]
hits: 2
0xfffffff007b84b46 hit0_0 1a12c89a
0xfffffff007edb81e hit0_1 0b12c99a
0xfffffff008370295 hit0_2 0113cb9a
0xfffffff00910c4d3 hit0_3 4a11d59a
0xfffffff00911514a hit0_4 0111cc9a
0xfffffff0070ad17c hit0_5 ed10c19a
0xfffffff0070d3d3f hit0_6 f311cb9a
r2 -q -c '/x 0010c09a:00fce0ff' -Fkernelcache iOS-14.0.1-18A393-j307ap,j308ap  398.41s user 1.05s system 98% cpu 6:45.33 total

Steps to reproduce the behavior

Here's the kernel I'm using: iOS-14.0.1-18A393-j307ap,j308ap.gz
And the commands I'm running:

time r2 -q -c '/x 0010c09a:00fce0ff' -Fmach064 iOS-14.0.1-18A393-j307ap,j308ap
time r2 -q -c '/x 0010c09a:00fce0ff' -Fkernelcache iOS-14.0.1-18A393-j307ap,j308ap

[mrmacete]

i'll look into that and see where the bottleneck is.

in the short term, in this case i think if you're only interested in searching into executable sections you can just e search.in=io.maps.x before searching and it should be way faster, like:

r2 -q -e search.in=io.maps.x -c '/x 0010c09a:00fce0ff' -Fkernelcache iOS-14.0.1-18A393-j307ap.j308ap

[Siguza]

You're right, that does work around the issue. Thanks. :D