iOS Kernel Heap Armageddon - Hakim
_MALLOC() in iOS 5.x

```c
void *_MALLOC(size_t size, int type, int flags)
{
    struct _mhead *hdr;
    size_t memsize = sizeof (*hdr) + size;
    /* integer overflow detection: the unsigned sum wrapped iff it is smaller than size */
    int overflow = memsize < size ? 1 : 0;
    /* ... */
    if (flags & M_NOWAIT) {
        if (overflow)
            return (NULL);                  /* non-blocking callers simply get NULL */
        hdr = (void *)kalloc_noblock(memsize);
    } else {
        if (overflow)                       /* M_WAIT path: an attacker can use the overflow to panic the kernel */
            panic("_MALLOC: overflow detected, size %llu", size);
        hdr = (void *)kalloc(memsize);
        /* ... */
    }
    /* ... */
    hdr->mlen = memsize;
    return (hdr->dat);
}
```

Slide callouts: the `overflow` computation is the integer overflow detection; in the `M_WAIT` (blocking) branch an attacker can use the overflow to panic the kernel.
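As an added example (not from the slides or from XNU), a user-space model of the `memsize`/`overflow` check above: it shows the exact request size at which `sizeof(*hdr) + size` wraps, what value `kalloc()` would receive without the check, and how the `M_NOWAIT` and blocking paths differ once the wrap is detected. `struct mhead_model`, `MODEL_M_NOWAIT`, `model_malloc` and the outcome enum are constructed stand-ins, not kernel identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for XNU's struct _mhead: length word, then the caller's data.
 * Only the header size matters for the arithmetic below. */
struct mhead_model { size_t mlen; char dat[]; };
#define HDR_SIZE sizeof(struct mhead_model)
#define MODEL_M_NOWAIT 0x1   /* stands in for the kernel's M_NOWAIT bit (constructed value) */

enum malloc_outcome {
    OUTCOME_ALLOC,        /* memsize is sane, kalloc(memsize) would proceed */
    OUTCOME_RETURN_NULL,  /* iOS 5.x, M_NOWAIT: wrap detected, caller gets NULL */
    OUTCOME_PANIC,        /* iOS 5.x, blocking path: wrap detected, kernel panics */
    OUTCOME_UNDERSIZED    /* no check: wrapped memsize reaches kalloc() */
};

/* Models the size arithmetic and overflow handling at the top of _MALLOC().
 * `checked` toggles the iOS 5.x detection; *memsize_out receives the value
 * kalloc() would have been asked for. */
enum malloc_outcome model_malloc(size_t size, int flags, int checked,
                                 size_t *memsize_out)
{
    size_t memsize = HDR_SIZE + size;        /* unsigned add: may wrap to a tiny value */
    int overflow = memsize < size ? 1 : 0;   /* a wrapped sum is smaller than its addend */

    if (memsize_out)
        *memsize_out = memsize;
    if (!checked)
        return overflow ? OUTCOME_UNDERSIZED : OUTCOME_ALLOC;
    if (!overflow)
        return OUTCOME_ALLOC;
    return (flags & MODEL_M_NOWAIT) ? OUTCOME_RETURN_NULL : OUTCOME_PANIC;
}

/* Smallest request for which adding the header wraps. */
size_t smallest_wrapping_size(void)
{
    return SIZE_MAX - HDR_SIZE + 1;
}

int main(void)
{
    size_t memsize, bad = smallest_wrapping_size();
    enum malloc_outcome r = model_malloc(bad, 0, 0, &memsize);
    printf("unchecked: size=%zu wraps to memsize=%zu (outcome %d)\n", bad, memsize, r);
    printf("iOS 5.x blocking path: outcome %d\n", model_malloc(bad, 0, 1, NULL));
    return 0;
}
```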
Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 25