Stack Cookies

From The iPhone Wiki

Since iOS 6, a generated stack cookie is placed directly after the saved registers at the bottom of the stack frame. A pointer to the cookie is saved at the top of the stack frame, or in a register if that is convenient. The space above the stack pointer is used for called functions if necessary. Because the cookie sits between the locals and the saved registers, a linear overflow of a local buffer has to overwrite the cookie before it can reach the saved return address.

In the function epilog the saved stack cookie is verified: the expected value is loaded by following the saved pointer and compared with the copy stored in the frame. A verification failure results in a kernel panic.

800051FC __epilog                         ; CODE XREF: sub_80004F98+2B4vj
800051FC                                  ; sub_80004F98+486vj
800051FC          LDR     R0, [SP,#0x2CC+stack_cookie_ptr]
800051FE          LDR     R0, [R0]
80005200          LDR     R1, [SP,#0x2CC+stack_cookie]
80005202          CMP     R0, R1          ; check stack cookie validity
80005204          ITTTT EQ
80005206          MOVEQ   R0, R4
80005208          ADDEQ.W SP, SP, #0x2B4
8000520C          POPEQ.W {R8,R10,R11}
80005210          POPEQ   {R4-R7,PC}
80005212          BL      ___stack_chk_fail
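The following C model is an added illustration, not code from the wiki page or from iOS: it reproduces the frame layout and the epilog comparison described above, with the frame structure, the cookie value and the saved LR as constructed assumptions. It shows that an unchecked write past a local buffer alters the cookie copy before it can reach the saved LR, so the epilog compare fails whenever the overflow is long enough to matter.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the layout the page describes (illustration, not iOS code).
   Lowest address first: the cookie pointer near SP, the local buffer, the cookie
   copy, then the registers pushed by the prolog (R4-R7, LR) at the frame's base. */
struct frame {
    uint32_t *stack_cookie_ptr;  /* pointer to the generated cookie, kept at the top */
    char      buf[16];           /* local buffer; overflows run toward higher addresses */
    uint32_t  stack_cookie;      /* copy of the cookie, directly before the saved regs */
    uint32_t  saved_regs[5];     /* R4-R7 and LR as saved on entry */
};
struct outcome {
    bool check_passed;  /* epilog would unwind normally */
    bool lr_intact;     /* saved LR still holds the value pushed on entry */
};
static uint32_t generated_cookie = 0xC0FFEE42u; /* constructed cookie value */
static const uint32_t SAVED_LR = 0x80004F99u;   /* constructed return address */
/* Prolog: save LR, record where the cookie lives, copy it into the frame. */
static void prolog(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->saved_regs[4] = SAVED_LR;
    f->stack_cookie_ptr = &generated_cookie;
    f->stack_cookie = *f->stack_cookie_ptr;
}
/* Epilog check as in the listing: R0 = *stack_cookie_ptr, R1 = stack_cookie,
   CMP R0, R1. Returning false is the path that branches to ___stack_chk_fail. */
static bool epilog_check(const struct frame *f) {
    uint32_t r0 = *f->stack_cookie_ptr;
    uint32_t r1 = f->stack_cookie;
    return r0 == r1;
}
/* Models an unchecked write of `len' bytes of 'A' into the 16-byte local buffer and
   reports what the epilog would see. The write goes through a byte view of the
   whole frame so it stays inside the object even when it runs past `buf'. */
struct outcome simulate_write(size_t len) {
    struct frame f;
    struct outcome out;
    size_t max = sizeof f - offsetof(struct frame, buf);
    prolog(&f);
    if (len > max) len = max;
    memset((unsigned char *)&f + offsetof(struct frame, buf), 'A', len);
    out.check_passed = epilog_check(&f);
    out.lr_intact = (f.saved_regs[4] == SAVED_LR);
    return out;
}
```

A write of 16 bytes fills the buffer and passes; 17 or more bytes alter the cookie copy and fail the check even though the saved LR is still untouched at 20 bytes, and a 40-byte write that does reach the LR is still caught by the same compare.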
