Ian Beer, Project Zero (Originally posted on Project Zero blog 2021-02-04)
Disclosure or Patch Date: 5 November 2020
Product: Apple iOS
Affected Versions: iOS 14.1 and previous
First Patched Version: iOS 14.2
Issue/Bug Report: https://bugs.chromium.org/p/project-zero/issues/detail?id=2108
Patch CL: N/A
Bug-Introducing CL: N/A
Reporter(s): Ian Beer of Google Project Zero
Exploit sample: N/A
Did you have access to the exploit sample when doing the analysis? Yes
Bug class: Information leak
Vulnerability details: A kernel memory disclosure in the mach message receive path. When the receiver requests an invalid combination of trailer elements, the trailer size is computed incorrectly and the trailer copied out to userspace includes four bytes that the kernel never wrote. Because the message is allocated from kalloc, the attacker can use this to leak stale data from the kalloc size class the message landed in, and by varying the message size, from various size classes.
Patch analysis: N/A
Thoughts on how this vuln might have been found (fuzzing, code auditing, variant analysis, etc.): This vulnerability probably could have been found by fuzzing if the fuzzer was set up to detect reads of uninitialized memory (the underlying allocation is live, not freed; only those four bytes are never written before they are read, so a use-after-free detector alone would not catch it). The bug could also have been found through manual analysis.
(Historical/present/future) context of bug:
Is the exploit method known? Yes
Exploit method: Groom the target kalloc size class so that the pointer to be disclosed sits at the right offset; here, out-of-line port descriptors are used to fill kalloc allocations of arbitrary size with pointers to ports. Free those allocations and reallocate them as mach messages whose size places the four unwritten trailer bytes over the target pointer, then trigger the vulnerability when receiving those messages to read four bytes of the pointer. Adjust the message size so the unwritten bytes cover the other half of the pointer and receive again to leak the remaining four bytes.
The Next Steps
Areas/approach for variant analysis (and why): Auditing other complex structures, in particular those with optional elements or fields left over from removed features, which get copied out to userspace but aren't zero-initialized.
Found variants: N/A
The feature behind the trailer element in question was removed from XNU long ago, but its remnants were left in place; the code should have been removed completely. Zeroing allocations that will be partially filled in and then copied to userspace is a defense-in-depth measure that would have mitigated this issue.
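A simplified model of the bug class and of the two-receive leak technique from the exploit method above, added here as an example; it is not XNU code, not the exploit, and does not reproduce the real trailer types, trailer layout, kmsg layout or kalloc sizes. All names, constants, offsets and the planted pointer value are invented for the model. It shows the size table covering a trailer slot that no fill path writes, the receive path copying that slot out, and the zero-before-fill mitigation turning the leak into zeros.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not XNU): a kalloc chunk holds an in-flight
 * message; the trailer is appended right after the body and sized by the
 * requested trailer type. The "max" trailer includes a 4-byte labels slot
 * left over from a removed feature that nothing ever writes. */
#define CHUNK_SIZE   128u                      /* model's kalloc size class */
#define TRL_HDR      8u                        /* type + size */
#define TRL_SEQNO    4u
#define TRL_AV       4u
#define TRL_LABELS   4u                        /* the slot nothing writes */
#define TRL_FILLED   (TRL_HDR + TRL_SEQNO + TRL_AV)       /* 16 */
#define TRL_MAX      (TRL_FILLED + TRL_LABELS)            /* 20 */

enum { TRAILER_NULL = 0, TRAILER_SEQNO = 1, TRAILER_AV = 2 };
#define TRAILER_INVALID 3   /* not a real element combination: hits default */

/* Size calculation: an unknown type gets the maximum trailer size, which
 * counts the labels slot although no code path fills it. */
static uint32_t requested_trailer_size(int type)
{
    switch (type) {
    case TRAILER_NULL:  return TRL_HDR;
    case TRAILER_SEQNO: return TRL_HDR + TRL_SEQNO;
    case TRAILER_AV:    return TRL_FILLED;
    default:            return TRL_MAX;        /* bug: includes unwritten slot */
    }
}

/* Kernel side: copy in the sender's body, then fill the trailer elements
 * the kernel knows about. The labels slot at t + TRL_FILLED is untouched. */
static void kmsg_send_and_add_trailer(uint8_t *chunk, const uint8_t *body,
                                      uint32_t body_len, int type,
                                      uint32_t seqno, int zero_trailer)
{
    uint8_t *t = chunk + body_len;
    uint32_t size = requested_trailer_size(type);
    uint32_t av = 0;

    memcpy(chunk, body, body_len);
    if (zero_trailer)
        memset(t, 0, size);                    /* defense in depth: zero first */
    memcpy(t, &type, 4);
    memcpy(t + 4, &size, 4);
    memcpy(t + TRL_HDR, &seqno, 4);
    memcpy(t + TRL_HDR + TRL_SEQNO, &av, 4);
    /* t + TRL_FILLED .. t + TRL_MAX deliberately left as-is (the bug) */
}

/* Kernel side: copy body plus requested trailer to the receiver. */
static uint32_t kmsg_receive(const uint8_t *chunk, uint32_t body_len,
                             int type, uint8_t *user)
{
    uint32_t n = body_len + requested_trailer_size(type);
    memcpy(user, chunk, n);
    return n;
}

/* Attacker side. The chunk still holds a stale 8-byte pointer at ptr_off
 * left by its previous (freed) occupant, standing in for the OOL port
 * array used to groom the size class. Two receives with body sizes chosen
 * so the unwritten slot covers first the low, then the high 4 bytes. */
static uint64_t leak_pointer(uint8_t *chunk, uint32_t ptr_off, int zero_trailer)
{
    uint8_t body[CHUNK_SIZE] = {0};            /* attacker-chosen body bytes */
    uint8_t user[CHUNK_SIZE];
    uint64_t result = 0;

    if (ptr_off < TRL_FILLED || ptr_off + 8 > CHUNK_SIZE)
        return 0;                              /* model cannot reach it */
    for (int half = 0; half < 2; half++) {
        uint32_t body_len = ptr_off + 4u * half - TRL_FILLED;
        kmsg_send_and_add_trailer(chunk, body, body_len, TRAILER_INVALID,
                                  1u, zero_trailer);
        uint32_t n = kmsg_receive(chunk, body_len, TRAILER_INVALID, user);
        /* the last TRL_LABELS bytes copied out are the stale ones */
        memcpy((uint8_t *)&result + 4 * half, user + n - TRL_LABELS, 4);
    }
    return result;
}

/* Constructed scenario: a chunk full of filler with a fake pointer
 * (value and offset invented for the example) planted at offset 64. */
static uint64_t demo_leak(int zero_trailer)
{
    const uint64_t planted = 0xffffffe012345678ull;
    uint8_t chunk[CHUNK_SIZE];

    memset(chunk, 0x41, sizeof chunk);
    memcpy(chunk + 64, &planted, sizeof planted);
    return leak_pointer(chunk, 64, zero_trailer);
}

int main(void)
{
    printf("vulnerable: 0x%016llx\n", (unsigned long long)demo_leak(0));
    printf("zeroed:     0x%016llx\n", (unsigned long long)demo_leak(1));
    return 0;
}
```

Reassembling the pointer by copying the four leaked bytes into the matching half of the result buffer keeps the model independent of host endianness.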