TL;DR: Disclosure of an old new XNU kernel bug that was reintroduced with iOS 13.

Quick recap of the situation

During late 2018, we published the details about a XNU kernel vulnerability that we dubbed lightspeed. This vulnerability started as a racy UaF in the syscall lio_listio that allows a kernel object to be freed twice. You can read all the details about it in our post. This vulnerability was patched early in iOS 12, and 11.4.1 was the last vulnerable iOS version. We were wondering if someone would make something out of it, and were thrilled to see that both the JakeBlair420 team (…) and [1] were successful in doing so.

So when iOS 12 came out this vulnerability died and the lio_listio implementation was correct, right? Well, not really. In the blogpost we explained that, while the issue was fixed, a memory leak was introduced, and it was now possible to force the kernel to panic. As the conclusion of the blogpost we were wondering if Apple would fix it or not.

We don't know if the XNU developers read the Synacktiv blog, but it turned out that they were bothered by the memory leak, and they even opened a radar issue about it. So they fixed it during the early versions of iOS 13. Here is the fix from the xnu-6153.4.3 sources (which has not changed since), as an excerpt:

```c
int
lio_listio(proc_t p, struct lio_listio_args *uap, int *retval)
{
	/* ... */
	aio_enqueue_work(p, entryp, 1);   // I/O enqueuing
	/* ... */
	/* If no IOs were issued must free it (rdar://problem/45717887) */
	/* ... */
}
```

We observe that if no I/O was issued in the LIO_NOWAIT case (lio_context->io_issued == 0), the context is now freed again, so the allocation no longer stays in memory and the leak is gone. We also notice that they reworked the way they take the proc lock a bit. But we also spot that they fixed it wrongly and reintroduced lightspeed!

Indeed, taking the lock with aio_proc_lock_spin(p) is irrelevant here to prevent the race: at this point the kernel worker may already have raced the main thread and freed the allocation (see our previous blogpost for more details). As a consequence, the exact same vulnerability is back, with the same primitives. You can even test it with our old PoC (but you may need to tweak the parameters). From our tests it seems that the race probability changed a bit since the proc lock is now taken, but that is not a big deal.
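To make the ordering problem concrete, here is an added, constructed model in C (not XNU code and not the post's PoC; the `ctx` struct, its `pending`/`refs`/`frees` fields, and the `submit_*` and `worker_complete_*` functions are all hypothetical). It shows why a lock taken after the object has been handed to the worker cannot prevent the double free, and how holding a reference across the enqueue makes the interleaving irrelevant.

```c
#include <stdbool.h>

/* Constructed model: a context shared between the submitting thread and a
 * worker that completes the I/O asynchronously. Not XNU's data layout. */
struct ctx {
    int pending;   /* I/Os the worker still has to complete */
    int refs;      /* owners currently holding the object (fixed variant) */
    int frees;     /* times the object was freed: anything above 1 is a double free */
};

static void release(struct ctx *c) { if (--c->refs == 0) c->frees++; }

/* Worker side, buggy variant: finishing the last I/O frees the context outright. */
static void worker_complete_buggy(struct ctx *c) {
    if (--c->pending == 0) c->frees++;
}
/* Worker side, fixed variant: finishing the last I/O only drops the worker's reference. */
static void worker_complete_fixed(struct ctx *c) {
    if (--c->pending == 0) release(c);
}

/* Buggy ordering (the pattern described above): hand the object to the worker,
 * then read it to decide whether the submitter must free it. A lock taken at
 * that point is too late, because the worker may already have run and freed it. */
static int submit_buggy(bool worker_runs_first) {
    struct ctx c = { .pending = 1, .refs = 0, .frees = 0 };
    /* enqueue: from here on the worker owns the object concurrently */
    if (worker_runs_first) worker_complete_buggy(&c);
    /* "lock" taken here; the decision below reads state after the hand-off */
    if (c.pending == 0) c.frees++;       /* second free when the worker won the race */
    if (!worker_runs_first) worker_complete_buggy(&c);
    return c.frees;                      /* 2 means double free */
}

/* Fixed ordering: submitter and worker each hold a reference across the
 * hand-off, so whichever side finishes last frees exactly once. */
static int submit_fixed(bool worker_runs_first) {
    struct ctx c = { .pending = 1, .refs = 2, .frees = 0 };  /* submitter + worker */
    if (worker_runs_first) worker_complete_fixed(&c);
    release(&c);                          /* submitter drops its own reference */
    if (!worker_runs_first) worker_complete_fixed(&c);
    return c.frees;                       /* always 1 */
}
```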