The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Difference between revisions of "BPF STX Kernel Write Exploit"

From The iPhone Wiki
Jump to: navigation, search
m
Line 24: Line 24:
 
This bug was actually fixed in FreeBSD. [http://svn.freebsd.org/viewvc/base/head/sys/net/bpf_filter.c?r1=182380&r2=182379&pathrev=182380]
  
This bug was actually fixed in FreeBSD. [http://svn.freebsd.org/viewvc/base/head/sys/net/bpf_filter.c?r1=182380&r2=182379&pathrev=182380]
   
{{stub|firmware}}
 +
{{stub|exploits}}
 
[[Category:Exploits]]
  
[[Category:Exploits]]

Revision as of 21:25, 24 December 2012

bpf has a little virtual machine that executes packet filters. The machine includes a "scratch area" which is stored as an array on the stack. There are two instructions that write to that array: 

       case BPF_ST:
           mem[pc->k] = A;                                                
           continue;                                                      
       
       case BPF_STX:
           mem[pc->k] = X;
           continue;

bpf_validate runs first to check the program, and handles BPF_ST correctly, but forgets to handle BPF_STX: 

       /*
        * Check that memory operations use valid addresses.
        */
       if ((BPF_CLASS(p->code) == BPF_ST ||
            (BPF_CLASS(p->code) == BPF_LD &&
             (p->code & 0xe0) == BPF_MEM)) &&
           p->k >= BPF_MEMWORDS)
           return 0;

This allows arbitrary locations on the stack to be modified.

This bug was actually fixed in FreeBSD. [1]

[[File:|30px]] This exploits article is a "stub", an incomplete page. Please add more content to this article and remove this tag.
Retrieved from "https://www.theiphonewiki.com/w/index.php?title=BPF_STX_Kernel_Write_Exploit&oldid=28892"