Difference between revisions of "ARM Exception Vector Info Leak"

Revision as of 23:38, 25 February 2013

This vulnerability is used by evasi0n in order to defeat KASLR. Since iOS6 the kernel base address is randomized at 2^9 possible locations. Actually it is not fully randomized due to the ARM vector table residing at a fixed address. The vector table is held at address zero and at runtime relocated to 0xffff0000 by setting the V-bit in CP15 c1. The following ARM vector table entries exist:

Offset	Handler
`00`	Reset
`04`	Undefined Instruction
`08`	Supervisor Call (SVC)
`0C`	Prefetch Abort
`10`	Data Abort
`14`	Reserved
`18`	Interrupt (IRQ)
`1C`	Fast Interrupt (FIQ)

evasi0n calls the Data Abort exception from a separate thread and catches the exception. In the exception handler, in_state->__pc is saved to global.exception_pc and leaks the base address because this exception was called from com.apple.iokit.IOUSBDeviceFamily.

In the exception handler it is also possible to get 4 bytes at a chosen address, so this is additionally an info leak for arbitrary memory.

References

Analysis by kernelpool

@@ Line 31: / Line 31: @@
 [[evasi0n]] calls the ''Data Abort'' exception from a separate thread and catches the exception. In the exception handler, <code>in_state->__pc</code> is saved to <code>global.exception_pc</code> and leaks the base address because this exception was called from <code>com.apple.iokit.IOUSBDeviceFamily</code>.
+In the exception handler it is also possible to get 4&nbsp;bytes at a chosen address, so this is additionally an info leak for arbitrary memory.
 == References ==

Difference between revisions of "ARM Exception Vector Info Leak"

Revision as of 23:38, 25 February 2013

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Miscellaneous

Tools