# CVE-2020-27950: XNU Kernel Memory Disclosure in Mach Message Trailers
*Ian Beer, Project Zero (Originally posted on [Project Zero blog](https://googleprojectzero.blogspot.com/p/rca.html) 2021-02-04)*

## The Basics

**Disclosure or Patch Date:** 5 November 2020

**Product:** Apple iOS

**Advisory:** https://support.apple.com/en-us/HT211929

**Affected Versions:** iOS 14.1 and previous

**First Patched Version:** iOS 14.2

**Issue/Bug Report:** https://bugs.chromium.org/p/project-zero/issues/detail?id=2108

**Patch CL:** N/A

**Bug-Introducing CL:** N/A

**Reporter(s):** Ian Beer of Google Project Zero

## The Code

**Proof-of-concept:** https://bugs.chromium.org/p/project-zero/issues/detail?id=2108

**Exploit sample:** N/A

**Did you have access to the exploit sample when doing the analysis?** Yes

## The Vulnerability

**Bug class:** Information leak

**Vulnerability details:** A kernel memory disclosure vulnerability due to an incorrect size calculation when receiving mach messages and requesting an invalid combination of trailer elements. The vulnerability gives the attacker the ability to leak stale data from various kalloc size classes.

**Patch analysis:** N/A

**Thoughts on how this vuln might have been found _(fuzzing, code auditing, variant analysis, etc.)_:** This vulnerability probably could have been found by fuzzing if the fuzzer was set up to detect reads of uninitialized memory (the underlying allocation isn't freed; those four bytes just never get written before they're read). The bug could also have been found through manual code auditing.

**(Historical/present/future) context of bug:** 

## The Exploit

**Is the exploit method known?** Yes

**Exploit method:** Groom the target kalloc size class so that it contains the pointer you wish to disclose at the right offset; in this case, out-of-line port descriptors are used to fill arbitrarily sized kalloc allocations with pointers to ports. Free those allocations, reallocate them as mach messages, then trigger the vulnerability when receiving those messages to read 4 bytes of the target pointer. Adjust the size of the message to leak the other 4 bytes.

**Part of an exploit chain?** This vulnerability was used as a part of an iOS exploit chain. It was used after the Safari RCE ([CVE-2020-27930](CVE-2020-27930.md)) and before the kernel privilege escalation ([CVE-2020-27932](CVE-2020-27932.md)).

## The Next Steps

### Variant analysis

**Areas/approach for variant analysis (and why):** Auditing other complex structures which get copied out to userspace but aren't zero-initialized.

**Found variants:** N/A

### Structural improvements

The feature this vulnerability was found in has long since been removed from XNU, but its code was left behind; that dead code should have been removed properly along with the feature. Ensuring that allocations which will be filled in and then copied to userspace are zeroed when allocated would be a good defense-in-depth measure, and it would have mitigated this issue.
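As an added illustration of this bug class and of the zeroing mitigation described above (this is constructed example code, not XNU source; the option bits, trailer layout, element sizes and function names are all assumptions made for the example), the following C program models a trailer whose copy-out size is derived from the requested optional elements. The vulnerable variant copies out bytes it never wrote when an element combination the size calculation does not actually support is requested; the hardened variant rejects such combinations and zero-initialises the allocation, so the same audit criterion given under variant analysis (copied out to userspace, not zeroed) can be checked against it:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed option bits for the optional trailer elements. The names and
 * layout illustrate the bug class only; they are not XNU's trailer format. */
#define OPT_SEQNO  0x1u
#define OPT_SENDER 0x2u
#define OPT_AUDIT  0x4u

/* Each element is appended after the ones before it, so the only
 * combinations the size calculation can describe are prefixes of the list. */
static int opts_are_valid_prefix(uint32_t opts) {
    return opts == 0 || opts == OPT_SEQNO ||
           opts == (OPT_SEQNO | OPT_SENDER) ||
           opts == (OPT_SEQNO | OPT_SENDER | OPT_AUDIT);
}

/* Constructed trailer: fixed header followed by the optional elements. */
typedef struct {
    uint32_t type;
    uint32_t size;      /* number of bytes the receiver is told are valid */
    uint32_t seqno;     /* written only if OPT_SEQNO is requested */
    uint32_t sender;    /* written only if OPT_SENDER is requested */
    uint32_t audit[2];  /* written only if OPT_AUDIT is requested */
} trailer_t;

#define STALE_MARKER 0xAB  /* stands in for whatever a recycled allocation held */

/* Copy-out size derived from the highest requested element. This is the
 * modelled flaw: for a non-prefix request such as OPT_SENDER alone, the size
 * covers seqno even though seqno is never written. */
static size_t trailer_size_for(uint32_t opts) {
    if (opts & OPT_AUDIT)  return 24;  /* header .. audit[1] */
    if (opts & OPT_SENDER) return 16;  /* header .. sender   */
    if (opts & OPT_SEQNO)  return 12;  /* header .. seqno    */
    return 8;                          /* header only        */
}

/* Writes only the requested elements; shared by both variants below. */
static void fill_requested(trailer_t *t, uint32_t opts) {
    t->type = 0;
    t->size = (uint32_t)trailer_size_for(opts);
    if (opts & OPT_SEQNO)  t->seqno = 7;
    if (opts & OPT_SENDER) t->sender = 42;
    if (opts & OPT_AUDIT)  { t->audit[0] = 1; t->audit[1] = 2; }
}

/* Vulnerable variant: non-zeroing allocation, no validation of the requested
 * combination, and a copy-out of trailer_size_for() bytes. Returns bytes copied. */
static size_t build_trailer_vulnerable(uint32_t opts, uint8_t *out, size_t outcap) {
    trailer_t *t = malloc(sizeof *t);
    if (!t) return 0;
    memset(t, STALE_MARKER, sizeof *t);   /* simulate an unzeroed, recycled chunk */
    fill_requested(t, opts);
    size_t n = t->size < outcap ? t->size : outcap;
    memcpy(out, t, n);                    /* the copy-out to "userspace" */
    free(t);
    return n;
}

/* Hardened variant: reject combinations the size calculation cannot describe,
 * and zero the allocation so an unwritten byte is 0 rather than stale data.
 * Returns 0 on success and -1 on an invalid request. */
static int build_trailer_fixed(uint32_t opts, uint8_t *out, size_t outcap, size_t *written) {
    if (!opts_are_valid_prefix(opts)) return -1;
    trailer_t *t = calloc(1, sizeof *t);  /* zero-initialised allocation */
    if (!t) return -1;
    fill_requested(t, opts);
    size_t n = t->size < outcap ? t->size : outcap;
    memcpy(out, t, n);
    free(t);
    *written = n;
    return 0;
}

/* Counts bytes still carrying the stale marker: bytes that reached the
 * receiver without ever being written by the producing side. */
static size_t count_stale_bytes(const uint8_t *buf, size_t n) {
    size_t stale = 0;
    for (size_t i = 0; i < n; i++) if (buf[i] == STALE_MARKER) stale++;
    return stale;
}

int main(void) {
    uint8_t buf[sizeof(trailer_t)];
    size_t n = build_trailer_vulnerable(OPT_SENDER, buf, sizeof buf);
    printf("vulnerable: copied %zu bytes, %zu never written\n", n, count_stale_bytes(buf, n));
    size_t w = 0;
    if (build_trailer_fixed(OPT_SENDER, buf, sizeof buf, &w) != 0)
        printf("fixed: OPT_SENDER without OPT_SEQNO rejected\n");
    build_trailer_fixed(OPT_SEQNO | OPT_SENDER | OPT_AUDIT, buf, sizeof buf, &w);
    printf("fixed: copied %zu bytes, %zu never written\n", w, count_stale_bytes(buf, w));
    return 0;
}
```

In the vulnerable variant, requesting only the second element copies out four bytes that were never written, while any valid prefix request leaks nothing; that is why a bug of this shape survives ordinary functional testing, and why the zeroing mitigation is worth having even where the size calculation is believed to be correct.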

### 0-day detection methods

## Other References
