The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "ARM Exception Vector Info Leak"
(initial page - description needs to get improved) |
(No difference)
|
Revision as of 23:30, 25 February 2013
This vulnerability is used by evasi0n in order to defeat KASLR. Since iOS6 the kernel base address is randomized at 2^9 possible locations. Actually it is not fully randomized due to the ARM vector table residing at a fixed address. The vector table is held at address zero and at runtime relocated to 0xffff0000
by setting the V-bit in CP15 c1. The following ARM vector table entries exist:
Offset | Handler |
---|---|
00
|
Reset |
04
|
Undefined Instruction |
08
|
Supervisor Call (SVC) |
0C
|
Prefetch Abort |
10
|
Data Abort |
14
|
Reserved |
18
|
Interrupt (IRQ) |
1C
|
Fast Interrupt (FIQ) |
evasi0n calls the Data Abort exception from a separate thread and catches the exception. In the exception handler, in_state->__pc
is saved to global.exception_pc
and leaks the base address because this exception was called from com.apple.iokit.IOUSBDeviceFamily
.