Difference between revisions of "ARM Exception Vector Info Leak"

From The iPhone Wiki

Revision as of 23:38, 25 February 2013

This vulnerability is used by evasi0n to defeat KASLR. Since iOS 6 the kernel base address is randomized at boot, with 2^9 possible locations. In practice it is not fully randomized, because the ARM exception vector table sits at a fixed address that does not move with the kernel slide: the table is located at address 0x00000000 by default and at 0xffff0000 once the V bit in the CP15 c1 control register (high vectors) is set, which is what iOS does. Each entry is a single 4-byte instruction that transfers control to the real handler in the slid kernel. The ARM vector table has the following entries (offsets in hex, relative to the vector base):

Offset  Handler
0x00    Reset
0x04    Undefined Instruction
0x08    Supervisor Call (SVC)
0x0C    Prefetch Abort
0x10    Data Abort
0x14    Reserved
0x18    Interrupt (IRQ)
0x1C    Fast Interrupt (FIQ)

evasi0n triggers a Data Abort exception from a separate thread and catches the resulting exception. In the exception handler, in_state->__pc is saved to global.exception_pc. Because the fault was taken inside code belonging to com.apple.iokit.IOUSBDeviceFamily, the saved PC is a slid kernel address; subtracting the unslid address of the same instruction (known from the static kernelcache) gives the slide and therefore the kernel base address.

From within the exception handler it is also possible to read 4 bytes (one 32-bit word) at a chosen address, so the same bug additionally provides an arbitrary memory read primitive, 4 bytes per exception.
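As an added worked example, not evasi0n's code and not code from this wiki page, the following C program shows the arithmetic behind both leaks described above: it decodes the eight 4-byte slots of a dumped ARM high-vector page (at the fixed 0xffff0000 base) into handler addresses and recovers the KASLR slide from them, and it applies the same subtraction to a leaked exception PC. The handler addresses, the 0xA00000 slide, the faulting-PC value and the XNU-style `ldr pc, [pc, #24]` layout of the sample page are constructed assumptions for illustration, not values taken from any real kernelcache.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HIGH_VECTORS 0xFFFF0000u   /* vector base once the CP15 c1 V bit is set */
#define NUM_VECTORS  8             /* Reset .. FIQ, one 4-byte slot each */

/* Little-endian 32-bit read from a byte buffer. */
static uint32_t rd32(const uint8_t *buf, size_t off) {
    return (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
}

/* Decode the vector slot at byte offset `off` of a copy of the vector page and
 * return the handler address it transfers control to, or 0 if the word is not
 * one of the two encodings a vector slot normally holds:
 *   B <target>            (0xEAxxxxxx): target = slot + 8 + signext(imm24) * 4
 *   LDR pc, [pc, #imm12]  (0xE59FFxxx): handler = word stored at slot + 8 + imm12
 * ARM reads PC as "address of this instruction + 8" in both cases. */
uint32_t decode_vector(const uint8_t *page, size_t page_len, size_t off) {
    if (off + 4 > page_len) return 0;
    uint32_t insn = rd32(page, off);
    uint32_t pc   = HIGH_VECTORS + (uint32_t)off + 8;

    if ((insn & 0xFF000000u) == 0xEA000000u) {          /* B, condition AL */
        uint32_t imm = insn & 0x00FFFFFFu;
        if (imm & 0x00800000u) imm |= 0xFF000000u;      /* sign-extend imm24 */
        return pc + (imm << 2);                         /* unsigned wrap intended */
    }
    if ((insn & 0xFFFFF000u) == 0xE59FF000u) {          /* LDR pc, [pc, #imm12] */
        size_t tbl = off + 8 + (insn & 0xFFFu);
        if (tbl + 4 > page_len) return 0;
        return rd32(page, tbl);
    }
    return 0;
}

/* Slide = slid (leaked) address - unslid address of the same location. This is
 * the step applied to the PC recovered from the Data Abort exception state. */
uint32_t kaslr_slide(uint32_t leaked, uint32_t unslid) {
    return leaked - unslid;
}

/* Derive the slide from a vector page dump plus the unslid handler addresses
 * read out of the static kernelcache. Every decodable slot must agree on one
 * slide; a disagreement means the dump or the unslid table is wrong.
 * Returns 0 and stores the slide in *slide_out on success, -1 otherwise. */
int slide_from_vectors(const uint8_t *page, size_t page_len,
                       const uint32_t unslid[NUM_VECTORS], uint32_t *slide_out) {
    int have = 0;
    uint32_t slide = 0;
    for (size_t i = 0; i < NUM_VECTORS; i++) {
        uint32_t handler = decode_vector(page, page_len, i * 4);
        if (handler == 0 || unslid[i] == 0) continue;  /* e.g. an unused Reserved slot */
        uint32_t s = kaslr_slide(handler, unslid[i]);
        if (have && s != slide) return -1;
        slide = s;
        have = 1;
    }
    if (!have) return -1;
    *slide_out = slide;
    return 0;
}

/* Constructed sample (not a real dump): every slot is `ldr pc, [pc, #24]`
 * (0xE59FF018) and the eight handler pointers follow at offset 0x20. The
 * unslid addresses and the slide are made-up values. */
#define SAMPLE_SLIDE 0x00A00000u
static const uint32_t sample_unslid[NUM_VECTORS] = {
    0x80081000, 0x80081040, 0x80081080, 0x800810C0,
    0x80081100, 0x80081140, 0x80081180, 0x800811C0
};

size_t build_sample_page(uint8_t *page, size_t page_len) {
    if (page_len < 0x40) return 0;
    for (size_t i = 0; i < NUM_VECTORS; i++) {
        uint32_t insn = 0xE59FF018u;
        uint32_t ptr  = sample_unslid[i] + SAMPLE_SLIDE;
        for (int b = 0; b < 4; b++) {
            page[i * 4 + b]        = (uint8_t)(insn >> (8 * b));
            page[0x20 + i * 4 + b] = (uint8_t)(ptr  >> (8 * b));
        }
    }
    return 0x40;
}

/* Wrappers over the constructed sample: handler for one slot, and the slide
 * (0xFFFFFFFF if the slots disagree). */
uint32_t sample_handler(size_t off) {
    uint8_t page[0x40];
    return decode_vector(page, build_sample_page(page, sizeof page), off);
}
uint32_t sample_slide(void) {
    uint8_t page[0x40], dummy;
    size_t len = build_sample_page(page, sizeof page);
    uint32_t s; (void)dummy;
    return slide_from_vectors(page, len, sample_unslid, &s) == 0 ? s : 0xFFFFFFFFu;
}

int main(void) {
    for (size_t off = 0; off < NUM_VECTORS * 4; off += 4)
        printf("vector 0x%02zX -> handler 0x%08X\n", off, sample_handler(off));
    printf("slide from vector page: 0x%08X\n", sample_slide());
    uint32_t leaked_pc = 0x80D3A2F0u + SAMPLE_SLIDE;     /* constructed faulting PC */
    printf("slide from leaked PC:   0x%08X\n", kaslr_slide(leaked_pc, 0x80D3A2F0u));
    return 0;
}
```

The consistency check in `slide_from_vectors` is the part worth keeping in a real tool: a single decoded pointer can be wrong (a slot that is a plain `B` into the vector page itself, or a stale dump), whereas eight handlers that all differ from their unslid counterparts by the same amount are a strong confirmation of the slide.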
