The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Stack Cookies
Since iOS6 a generated stack cookie is placed directly after the saved registers at the bottom of the stack frame. A pointer to the cookie is saved at the top of the stack frame or in a register if it is convenient. The space above the stack pointer is used for called functions if necessary.
In the function epilog the saved stack cookie is verified. The generated value is found by following the saved pointer. A verification failure results in a kernel panic.
800051FC __epilog ; CODE XREF: sub_80004F98+2B4vj 800051FC ; sub_80004F98+486vj 800051FC LDR R0, [SP,#0x2CC+stack_cookie_ptr] 800051FE LDR R0, [R0] 80005200 LDR R1, [SP,#0x2CC+stack_cookie] 80005202 CMP R0, R1 ; check stack cookie validity 80005204 ITTTT EQ 80005206 MOVEQ R0, R4 80005208 ADDEQ.W SP, SP, #0x2B4 8000520C POPEQ.W {R8,R10,R11} 80005210 POPEQ {R4-R7,PC} 80005212 BL ___stack_chk_fail