Stack Cookies

Since iOS 6, a generated stack cookie is placed directly after the saved registers at the bottom of the stack frame. A pointer to the cookie is saved at the top of the stack frame, or in a register if that is convenient. The space above the stack pointer is used by called functions if necessary.

In the function epilog the saved stack cookie is verified: the generated value is found by following the saved pointer and compared with the copy stored in the frame. A verification failure branches to ___stack_chk_fail, which results in a kernel panic.

800051FC __epilog                        ; CODE XREF: sub_80004F98+2B4↓j
800051FC                                 ; sub_80004F98+486↓j
800051FC         LDR     R0, [SP,#0x2CC+stack_cookie_ptr]
800051FE         LDR     R0, [R0]
80005200         LDR     R1, [SP,#0x2CC+stack_cookie]
80005202         CMP     R0, R1          ; check stack cookie validity
80005204         ITTTT EQ
80005206          MOVEQ   R0, R4
80005208          ADDEQ.W SP, SP, #0x2B4
8000520C         POPEQ.W {R8,R10,R11}
80005210         POPEQ   {R4-R7,PC}
80005212         BL      ___stack_chk_fail
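The layout and epilog check above, modelled in C as an added example (this is not kernel code; the frame struct, the cookie value 0xC0FFEE42 and the all-'A' input are constructed): a local buffer overrun must clobber the saved cookie copy before it can reach the saved registers, so the CMP in the epilog catches it before the corrupted registers and PC are popped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame layout above (not kernel code): the cookie
 * pointer sits at the top of the frame, the cookie copy directly before the
 * saved registers at the bottom, so an overrun of `locals` hits the cookie first. */
struct frame {
    const uint32_t *cookie_ptr;    /* top of frame: where the generated cookie lives */
    char            locals[16];    /* local buffer the function writes into */
    uint32_t        cookie;        /* saved copy of the generated cookie */
    uint32_t        saved_regs[5]; /* R4-R7 and LR as pushed by the prolog */
};

/* Prolog: record where the generated cookie lives and copy it into the frame. */
static void prolog(struct frame *f, const uint32_t *generated)
{
    f->cookie_ptr = generated;
    f->cookie = *generated;
}

/* Epilog check, mirroring LDR cookie_ptr / LDR [R0] / LDR cookie / CMP. Returns 1
 * when the frame may be unwound, 0 where the kernel would call ___stack_chk_fail. */
static int epilog_check(const struct frame *f)
{
    return *f->cookie_ptr == f->cookie;
}

/* Simulate a function that copies n bytes of untrusted input into its local
 * buffer with no bounds check (the write is clamped to the frame so this model
 * stays memory-safe). Returns the epilog verdict: 1 = ok, 0 = panic. */
int simulate_copy(size_t n)
{
    uint32_t generated = 0xC0FFEE42u;   /* constructed per-boot cookie value */
    unsigned char input[64];            /* constructed input: all 'A' bytes */
    struct frame f;
    size_t off = offsetof(struct frame, locals);
    memset(input, 'A', sizeof input);
    if (n > sizeof f - off) n = sizeof f - off;  /* always < sizeof input */
    prolog(&f, &generated);
    memcpy((unsigned char *)&f + off, input, n);
    return epilog_check(&f);
}
int main(void)
{
    printf("16-byte copy: %s\n", simulate_copy(16) ? "ok" : "panic");
    printf("20-byte copy: %s\n", simulate_copy(20) ? "ok" : "panic");
    return 0;
}
```

A copy that fits in `locals` passes the check; one that runs four bytes past it overwrites the cookie copy with 0x41414141, so the epilog reports the mismatch before any saved register is restored.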