Difference between revisions of "ARM Exception Vector Info Leak"

This is CVE-2013-0978. This vulnerability is used by evasi0n in order to defeat KASLR. Since iOS6 the kernel base address is randomized at 2⁹ possible locations. Actually it is not fully randomized due to the ARM vector table residing at a fixed address. The vector table is held at address zero and at runtime relocated to 0xffff0000 by setting the V-bit in CP15 c1. The following ARM vector table entries exist:

evasi0n calls the Data Abort exception from a separate thread and catches the exception. In the exception handler, in_state->__pc is saved to global.exception_pc and leaks the base address because this exception was called from com.apple.iokit.IOUSBDeviceFamily.

In the exception handler it is also possible to get 4 bytes at a chosen address, so this is additionally an info leak for arbitrary memory.

Apple's description in the iOS 6.1.3 security fixes:

Kernel
Impact: A local user may be able to determine the address of structures in the kernel
Description: An information disclosure issue existed in the ARM prefetch abort handler. This issue was addressed by panicking if the prefetch abort handler is not being called from an abort context.

References

• Analysis by kernelpool
• Apple's iOS 6.1.3 security fixes
• Apple's iOS 5.2.1 (Apple TV) security fixes
• NIST Reference CVE-2013-0978
• Mitre Reference CVE-2013-0978