| Vulnerability in XNU | |
|---|---|
| Software | iOS |
| Vulnerable in | 15.0 - 15.4.1 |
| Fixed in | 15.5 |
| Disclosed | 16 May 2022 |
| Discovered by | Linus Henze |
| CVE | CVE-2022-26765 |
| Apple KB | HT213258 |
CVE-2022-26765, also known as badRecovery, is a PAC bypass used in Fugu15. It does not affect iOS 14, because the vulnerable code was introduced in iOS 15.0.
Thread fault handlers
Thread fault handlers are a mechanism used to handle expected faults during data access (e.g. accessing data at an invalid address). The thread can store a pointer to a fault handler, and the kernel will jump to it if a fault occurs.
The vulnerability
In iOS 15, the `hw_lck_ticket_reserve_orig_allow_invalid` function had a recovery handler that would use a regular `ret` instruction instead of verifying the pointer authentication code of the return address. Thus, by obtaining a signed thread fault handler pointer to this fault handler, you can perform an unauthenticated return in kernel mode.
In Fugu15, this is then used to sign a new thread fault handler for a gadget that will sign and jump to a pointer in `x22`. This new fault handler is then used to kickstart a proper kernel call routine, which is required to exploit tlbFail.
External links
- Fugu15 - The Journey to Jailbreaking iOS 15.4.1, presented by Linus Henze at OBTS 5.0
- badRecovery source from Fugu15