[KC] KernelCache view fails to find strings in loaded images due to segments having incorrect flags

[bdash]

Version and Platform (required):

• Binary Ninja Version: 5.2.8223-dev Ultimate, 3afa844d
• OS: macos
• OS Version: 26.0
• CPU Architecture: arm64

Bug Description:
After loading an image from a kernel cache, it should be possible to see its strings in the Strings pane.

Steps To Reproduce:

1. Load a kernel cache. I used 22G5064d__iPhone15,2/kernelcache.release.iPhone15,2
2. Load an image via the triage view. I picked com.apple.security.sandbox.
3. Edit -> Go To Address… and enter com.apple.security.sandbox::__TEXT.__cstring
4. Search for one of the strings you see in the Strings pane.

Expected Behavior:
Strings!

Actual Behavior:
No strings :-(

This is a consequence of zero being passed as the flag argument to AddAutoSegment. That marks the segment as not readable, which causes the string analysis to skip its contents.

KernelCacheController::ApplyImage should be using SegmentFlagsFromMachOProtections(segment.initprot, segment.maxprot) instead of segment.flags when adding the segment.

[bdash]

Fixed in 5.2.8235-dev and newer.

[bdash]

If you have a BNDB containing a kernelcache that was initially created prior to 5.2.8235-dev you can use the script at https://gist.github.com/bdash/b5b114300fd453569f9773335eb15cea to copy the correct permissions from a freshly-opened kernelcache and apply them to your existing database.