ARM Exception Vector Info Leak
This vulnerability is used by evasi0n in order to defeat KASLR. Since iOS 6 the kernel base address is randomized over 2^9 possible locations. In practice the randomization is weakened because the ARM vector table resides at a fixed address: the table is held at address zero and at runtime relocated to 0xffff0000 by setting the V-bit in CP15 c1. The following ARM vector table entries exist:
| Offset | Handler |
|---|---|
| 00 | Reset |
| 04 | Undefined Instruction |
| 08 | Supervisor Call (SVC) |
| 0C | Prefetch Abort |
| 10 | Data Abort |
| 14 | Reserved |
| 18 | Interrupt (IRQ) |
| 1C | Fast Interrupt (FIQ) |
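To make the table concrete, the following added example (not from the wiki or from evasi0n) decodes a raw copy of the high vector page in the layout the table describes. Each of the eight 32-bit slots at 0xffff0000 is an instruction, typically `LDR pc, [pc, #imm]` fetching the handler address from a literal pool in the same page, or a plain `B`; decoding them shows which handler each vector jumps to. The vector page bytes and handler addresses below are constructed sample values, not real iOS data.

```python
import struct

# Vector names in table order; offset = index * 4, as in the table above.
VECTOR_NAMES = [
    "Reset", "Undefined Instruction", "Supervisor Call (SVC)", "Prefetch Abort",
    "Data Abort", "Reserved", "Interrupt (IRQ)", "Fast Interrupt (FIQ)",
]
HIGH_VECTORS_BASE = 0xFFFF0000  # V-bit set in CP15 c1: vectors live here at runtime


def _sext24(v):
    """Sign-extend a 24-bit branch immediate."""
    v &= 0xFFFFFF
    return v - (1 << 24) if v & (1 << 23) else v


def decode_vector_entry(table, base, offset):
    """Return (mnemonic, handler_address) for the 32-bit slot at `offset`.

    `table` holds the raw bytes of the vector page that starts at `base`.
    Two encodings are handled:
      - B <label>             : cond=AL, bits 27..24 = 1010
      - LDR pc, [pc, #imm12]  : 0xE59FF000 | imm12, loads the handler
                                address from a literal pool in the page
    Any other instruction is reported as unknown.
    """
    pc = base + offset
    word = struct.unpack_from("<I", table, offset)[0]
    if word >> 28 == 0xE and word & 0x0F000000 == 0x0A000000:
        # ARM branch: target = PC + 8 + signext(imm24) * 4
        target = (pc + 8 + _sext24(word) * 4) & 0xFFFFFFFF
        return "B", target
    if word & 0xFFFFF000 == 0xE59FF000:
        # PC-relative literal load into pc: handler address sits at PC + 8 + imm12
        literal_addr = pc + 8 + (word & 0xFFF)
        handler = struct.unpack_from("<I", table, literal_addr - base)[0]
        return "LDR pc, [pc, #imm]", handler
    return "unknown", None


def decode_vector_table(table, base=HIGH_VECTORS_BASE):
    """Map each named vector to its decoded (mnemonic, handler) pair."""
    return {name: decode_vector_entry(table, base, i * 4)
            for i, name in enumerate(VECTOR_NAMES)}


# Constructed sample page: every slot is "LDR pc, [pc, #0x18]" (0xE59FF018),
# which fetches its handler from a literal pool placed at offset 0x20, except
# the Reserved slot, which is "B ." (0xEAFFFFFE), a branch to itself.
SAMPLE_HANDLERS = [
    0x80001000,  # Reset
    0x80001100,  # Undefined Instruction
    0x80001200,  # SVC
    0x80001300,  # Prefetch Abort
    0x80001400,  # Data Abort
    0x00000000,  # Reserved (unused: that slot is "B .")
    0x80001600,  # IRQ
    0x80001700,  # FIQ
]
SAMPLE_TABLE = b"".join(
    struct.pack("<I", 0xEAFFFFFE if i == 5 else 0xE59FF018) for i in range(8)
) + b"".join(struct.pack("<I", h) for h in SAMPLE_HANDLERS)


if __name__ == "__main__":
    for name, (mnemonic, handler) in decode_vector_table(SAMPLE_TABLE).items():
        shown = f"{handler:#010x}" if handler is not None else "?"
        print(f"{name:22s} {mnemonic:20s} -> {shown}")
```

Because the page itself never moves, the literal pool (or branch targets) it contains always point into the current, randomized kernel image; that is the sense in which a fixed vector table undercuts the 2^9-way randomization described above.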
evasi0n triggers a Data Abort exception from a separate thread and catches the resulting exception. In the exception handler, `in_state->__pc` is saved to `global.exception_pc`; because the exception was raised from code in com.apple.iokit.IOUSBDeviceFamily, the saved PC reveals the randomized kernel base address.

The exception handler can also read 4 bytes at a chosen address, so the same bug is additionally an info leak for arbitrary memory.