iOS Kernel Heap Armageddon
31.12.2012 Views
Share Embed Flag

iOS Kernel Heap Armageddon

iOS Kernel Heap Armageddon

iOS Kernel Heap Armageddon

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
reverse.put.as

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

START NOW

_MALLOC() in <strong>iOS</strong> 4.x<br />

void *_MALLOC(size_t size, int type, int flags)<br />

{<br />

struct _mhead *hdr;<br />

size_t memsize = sizeof (*hdr) + size;<br />

}<br />

if (type >= M_LAST)<br />

panic("_malloc TYPE");<br />

if (size == 0)<br />

return (NULL);<br />

if (flags & M_NOWAIT) {<br />

hdr = (void *)kalloc_noblock(memsize);<br />

} else {<br />

hdr = (void *)kalloc(memsize);<br />

...<br />

}<br />

...<br />

hdr->mlen = memsize;<br />

return (hdr->dat);<br />

refuses to allocate<br />

0 byte big blocks<br />

Stefan Esser • <strong>iOS</strong> <strong>Kernel</strong> <strong>Heap</strong> <strong>Armageddon</strong> • April 2012 •<br />

possible integer overflow<br />

with huge size values<br />

struct _mhead {<br />

size_t mlen;<br />

char dat[0];<br />

}<br />

21

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!