The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

BPF STX Kernel Write Exploit

From The iPhone Wiki
Revision as of 21:25, 24 December 2012 by 5urd (talk | contribs)
Jump to: navigation, search

bpf has a little virtual machine that executes packet filters. The machine includes a "scratch area" which is stored as an array on the stack. There are two instructions that write to that array: 

       case BPF_ST:
           mem[pc->k] = A;                                                
           continue;                                                      
       
       case BPF_STX:
           mem[pc->k] = X;
           continue;

bpf_validate runs first to check the program, and handles BPF_ST correctly, but forgets to handle BPF_STX: 

       /*
        * Check that memory operations use valid addresses.
        */
       if ((BPF_CLASS(p->code) == BPF_ST ||
            (BPF_CLASS(p->code) == BPF_LD &&
             (p->code & 0xe0) == BPF_MEM)) &&
           p->k >= BPF_MEMWORDS)
           return 0;

This allows arbitrary locations on the stack to be modified.

This bug was actually fixed in FreeBSD. [1]

[[File:|30px]] This exploits article is a "stub", an incomplete page. Please add more content to this article and remove this tag.
Retrieved from "https://www.theiphonewiki.com/w/index.php?title=BPF_STX_Kernel_Write_Exploit&oldid=28892"