iOS Kernel Heap Armageddon
31.12.2012 Views
Share Embed Flag

iOS Kernel Heap Armageddon

iOS Kernel Heap Armageddon

iOS Kernel Heap Armageddon

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
reverse.put.as

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

START NOW

How does the parser work? (V)<br />

• key parser object is then converted to an internal OSString object<br />

• new operator will allocate 20 bytes for OSString object via kalloc()<br />

• OSString contructor will create a copy of the string with kalloc()<br />

• string in parser key object will be freed with kern_os_free()<br />

0x00<br />

0x04<br />

0x08<br />

0x0C<br />

0x10<br />

0x14<br />

vtable ptr + 8<br />

retainCount<br />

flags<br />

length<br />

string ptr<br />

kalloc()ed memory<br />

Allocations so far:<br />

// Dict<br />

kern_os_alloc(44) = kalloc(44+4)<br />

// Key<br />

kern_os_alloc(7+1) = kalloc(7+1+4)<br />

kern_os_alloc(44) = kalloc(44+4)<br />

kalloc(20)<br />

kalloc(7+1)<br />

kern_os_free(x, 7+1) = kfree(x, 7+1+4)<br />

Stefan Esser • <strong>iOS</strong> <strong>Kernel</strong> <strong>Heap</strong> <strong>Armageddon</strong> • April 2012 •<br />

79

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!