{"id":17901,"date":"2017-05-04T16:54:40","date_gmt":"2017-05-04T20:54:40","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=17901"},"modified":"2021-07-06T17:16:39","modified_gmt":"2021-07-06T21:16:39","slug":"exception-oriented-exploitation-on-ios","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2017\/05\/04\/exception-oriented-exploitation-on-ios\/","title":{"rendered":"Exception-oriented Exploitation on iOS"},"content":{"rendered":"<p><a href=\"https:\/\/googleprojectzero.blogspot.com\/2017\/04\/exception-oriented-exploitation-on-ios.html\">Ian Beer<\/a> (via <a href=\"https:\/\/twitter.com\/jgordonshare\/status\/858856165832351744\">John Gordon<\/a>):<\/p>\n<blockquote cite=\"https:\/\/googleprojectzero.blogspot.com\/2017\/04\/exception-oriented-exploitation-on-ios.html\"><p>My guess is that the developer copy-pasted the code for the entire function then tried to add the extra level of indirection but forgot to change the third argument to the copyin call shown above. They built XNU and looked at the compiler error messages. XNU builds with clang, which gives you fancy error messages like this:<\/p>\n<pre>error: no member named 'recipes_size' in 'struct mach_voucher_extract_attr_recipe_args'; did you mean 'recipe_size'?\nif (copyin(args->recipes, (void *)krecipes, args->recipes_size)) {\n                                                  ^~~~~~~~~~~~\n                                                  recipe_size<\/pre>\n<p>Clang assumes that the developer has made a typo and typed an extra &lsquo;s&rsquo;. Clang doesn&rsquo;t realize that its suggestion is semantically totally wrong and will introduce a critical memory corruption issue. I think that the developer took clang&rsquo;s suggestion, removed the &lsquo;s&rsquo;, rebuilt and the code compiled without errors.<\/p>\n<p>[&#8230;]<\/p>\n<p>Perhaps most importantly: I think this bug would have been caught in development if the code had any tests. As well as having a critical security bug the code just doesn&rsquo;t work at all for a recipe with a size greater than 256. On MacOS such a test would immediately kernel panic. I find it consistently surprising that the coding standards for such critical codebases don&rsquo;t enforce the development of even basic regression tests.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Ian Beer (via John Gordon): My guess is that the developer copy-pasted the code for the entire function then tried to add the extra level of indirection but forgot to change the third argument to the copyin call shown above. They built XNU and looked at the compiler error messages. XNU builds with clang, which [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2021-07-06T21:16:42Z","apple_news_api_id":"3e7349f9-9346-4caa-b975-5d24536c2e58","apple_news_api_modified_at":"2021-07-06T21:16:42Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/APnNJ-ZNGTKq5dV0kU2wuWA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[4],"tags":[131,230,255,2095,31,1380,281,71,48],"class_list":["post-17901","post","type-post","status-publish","format-standard","hentry","category-programming-category","tag-bug","tag-clang","tag-compiler","tag-exploit","tag-ios","tag-ios-10","tag-mach","tag-programming","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/17901","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=17901"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/17901\/revisions"}],"predecessor-version":[{"id":17902,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/17901\/revisions\/17902"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=17901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=17901"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=17901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}