Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2020-27932: iOS Kernel privesc with turnstiles - 398

Ian Beer - Project Zero (P0) Posted 5 Years Ago
  • The bug is a kernel type confusion between an ipc_port pointer and a host_notify_entry pointer due to failure to account for the semantics of IKOT_HOST_NOTIFY ports in turnstile code.
  • The kdata field is a large union with 6 different potential fields. In this case, the kernel did not catch a situation in which the port type could be changed from a special_reply_port to a host_notify port by performing specific actions when interfacing with this code.
  • When the special_reply_port code is then used, a type confusion occurs because the port has already been changed to a host_notify value. Using this, the author claims that an arbitrary read/write primitive would be possible.
  • Unions are incredibly dangerous! The author claims that there has been another type confusion in this exact area before. In general, unions are a good place to look for bugs, as type confusions lead to many dangerous findings.
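
Added illustration of the union-tag pattern the notes describe (my own example, not code from Ian Beer's post or from XNU; the struct, field and function names are hypothetical stand-ins): a port's kdata union is only meaningful together with its type tag, so a code path that classified the port as a special reply port once, and then does not re-check the tag at the point of use, ends up reading a host_notify object through a special-reply pointer. The hardened variant re-validates the tag where the union is dereferenced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical object kinds, loosely modelled on the write-up; not XNU's enums. */
enum kobj_type { KOT_NONE, KOT_SPECIAL_REPLY, KOT_HOST_NOTIFY };

/* Two unrelated kernel objects that can share the same union slot. */
struct special_reply { uint32_t magic; uint32_t turnstile_id; };
struct host_notify   { uint32_t magic; uint32_t ticket; };

#define SRP_MAGIC 0x53525000u   /* constructed marker for special_reply */
#define HN_MAGIC  0x484e0000u   /* constructed marker for host_notify  */

/* A miniature "port": one tag, one union. The union bytes mean nothing
   without the tag; the tag can change while a pointer to the port lives on. */
struct port {
    enum kobj_type type;
    union {
        struct special_reply *srp;
        struct host_notify   *hn;
    } kdata;
};

void port_make_special_reply(struct port *p, struct special_reply *s) {
    p->type = KOT_SPECIAL_REPLY;
    p->kdata.srp = s;
}

void port_make_host_notify(struct port *p, struct host_notify *h) {
    p->type = KOT_HOST_NOTIFY;
    p->kdata.hn = h;   /* overwrites the very bytes the srp pointer occupied */
}

/* Buggy pattern: the tag was checked earlier (or assumed), and kdata is now
   used as an srp without re-checking. The first word of whatever object the
   pointer really refers to is copied out, so a retyped port yields HN_MAGIC. */
uint32_t turnstile_read_unchecked(const struct port *p) {
    uint32_t magic;
    memcpy(&magic, p->kdata.srp, sizeof magic);   /* reads the object as "an srp" */
    return magic;
}

/* Hardened pattern: validate the tag at the point where the union is used,
   and refuse if the port is no longer the kind this code path expects. */
bool turnstile_read_checked(const struct port *p, uint32_t *out_magic) {
    if (p->type != KOT_SPECIAL_REPLY)
        return false;
    *out_magic = p->kdata.srp->magic;
    return true;
}

/* Scenario in miniature: the port starts as a special reply port, then is
   retyped to host_notify before the special-reply code path runs. */
uint32_t scenario_unchecked(void) {
    struct special_reply s = { SRP_MAGIC, 7 };
    struct host_notify   h = { HN_MAGIC, 42 };
    struct port p;
    port_make_special_reply(&p, &s);
    port_make_host_notify(&p, &h);         /* type changes out from under the caller */
    return turnstile_read_unchecked(&p);   /* host_notify read as special_reply */
}

bool scenario_checked_after_retype(void) {
    struct special_reply s = { SRP_MAGIC, 7 };
    struct host_notify   h = { HN_MAGIC, 42 };
    struct port p;
    uint32_t magic = 0;
    port_make_special_reply(&p, &s);
    port_make_host_notify(&p, &h);
    return turnstile_read_checked(&p, &magic);   /* false: tag mismatch caught */
}

bool scenario_checked_untouched(void) {
    struct special_reply s = { SRP_MAGIC, 7 };
    struct port p;
    uint32_t magic = 0;
    port_make_special_reply(&p, &s);
    return turnstile_read_checked(&p, &magic) && magic == SRP_MAGIC;
}

int main(void) {
    printf("unchecked read after retype: 0x%08x (HN_MAGIC is 0x%08x)\n",
           scenario_unchecked(), HN_MAGIC);
    printf("checked read after retype refused: %s\n",
           scenario_checked_after_retype() ? "no" : "yes");
    printf("checked read on untouched port ok: %s\n",
           scenario_checked_untouched() ? "yes" : "no");
    return 0;
}
```

The defensive takeaway mirrors the last bullet: a union member is only valid under the tag that was current when it was written, so any code that can run after a type transition must check the tag again rather than trust an earlier classification.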