Vulnerability in XNU | |
---|---|
Software | iOS and macOS |
Vulnerable in | ? - iOS 16.3.1, ? - macOS 13.2.1 |
Fixed in | iOS 16.4, macOS 13.3 |
Disclosed | 1 May 2023 |
Discovered by | Félix Poulin-Bélanger |
CVE | CVE-2023-23536 |
Apple KB | HT102880 |
CVE-2023-23536, also known as PhysPuppet, is a physical use-after-free (PUAF) vulnerability in the XNU virtual memory subsystem. It is one of the PUAF bugs exploited in kfd and is used by various jailbreaks, such as Dopamine and meowbrek2. The Vertex kernel exploit is also based on the PhysPuppet vulnerability. It received a $52,500 Apple Security Bounty reward.
Background
In the XNU kernel, a process's memory is backed by physical pages. When a process requests memory, the kernel reserves a range of the process's virtual address (VA) space and, as the pages are touched, assigns physical pages to it and installs translations from those virtual pages to the physical pages in the process's page tables. When the memory is no longer needed, the mapping is removed, the translations are torn down, and the physical pages are returned to the free list, where they can be reused for anything, including the kernel's own data. A physical use-after-free (PUAF) arises when a physical page is freed while a translation to it is left behind.
The vulnerability
The kernel allows a memory mapping to be created whose size is not a multiple of the page size, so that the mapping's recorded end does not line up with the physical pages that back it. The resulting inconsistency between what the virtual memory (VM) layer tracks and what is actually mapped into the process's page tables is the root of the bug. The sequence of events is as follows:
- A process requests the creation of a memory mapping with a size that isn't a multiple of the page size (e.g., 2 pages plus a few extra bytes). The kernel rounds the size up to whole pages when it allocates and maps the backing physical memory, but the mapping entry keeps the original, smaller size.
- The tracked region therefore ends partway through its last page: the VM layer believes the mapping covers only part of that page, while the backing physical memory is a full page.
- The process maps this misaligned memory into its address space and touches it, which installs page-table translations for every backing page, including the partially covered last one. The kernel's bookkeeping no longer corresponds to the physical pages the process can actually reach.
- Consequently, the kernel ends up managing memory that doesn't correspond correctly to the physical pages it's supposed to represent, leaving the VM system in an inconsistent state.
When this memory is deallocated, the kernel tears the mapping down according to the unaligned size it tracked but frees all of the physical pages it allocated for it. The physical memory backing the misaligned region is returned to the free list while the process's translation to it survives: a physical use-after-free. The freed page can then be reallocated by the kernel for its own data, which the process can still read and write through the stale mapping; this is the condition on which kfd builds its kernel read/write primitive.
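The following toy model in C is an illustration added here by the editor; it is not XNU code and not the kfd exploit, and every name in it (toy_vm, toy_entry, toy_map, toy_unmap, toy_dangling_ptes, toy_run) is invented. It reproduces the bookkeeping mismatch described above: backing frames are allocated and faulted in for the rounded-up size, the mapping entry records the caller's unaligned size, and teardown removes translations only for the whole pages inside the entry's range while freeing every frame the entry owns. The consistency check at the end counts translations that still point at a free frame, which is the PUAF condition, and the same sequence is run a second time with the size rounded before it is recorded to show the mismatch disappearing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL
#define NFRAMES   8      /* toy physical memory: 8 frames */
#define NVPAGES   16     /* toy address space: 16 virtual pages */

static uint64_t round_page(uint64_t x) { return (x + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1); }
static uint64_t trunc_page(uint64_t x) { return x & ~(PAGE_SIZE - 1); }

struct toy_vm {
    bool frame_free[NFRAMES];   /* true: frame is on the free list */
    int  pte[NVPAGES];          /* frame mapped at virtual page i, or -1 */
};

struct toy_entry {              /* invented stand-in for a VM map entry */
    uint64_t start;             /* page-aligned */
    uint64_t end;               /* unaligned in the vulnerable path */
    int      nframes;
    int      frames[NVPAGES];   /* frames the entry owns */
};

static void toy_init(struct toy_vm *vm)
{
    for (int i = 0; i < NFRAMES; i++) vm->frame_free[i] = true;
    for (int i = 0; i < NVPAGES; i++) vm->pte[i] = -1;
}

static int alloc_frame(struct toy_vm *vm)
{
    for (int i = 0; i < NFRAMES; i++)
        if (vm->frame_free[i]) { vm->frame_free[i] = false; return i; }
    return -1;
}

/* Map `size` bytes at page-aligned `va` and fault every page in.
 * Backing frames are always allocated for round_page(size) bytes; with
 * `validated` false the entry records the caller's unaligned size (the
 * bug), with it true the entry is rounded to whole pages as well. */
static bool toy_map(struct toy_vm *vm, struct toy_entry *e,
                    uint64_t va, uint64_t size, bool validated)
{
    e->start   = va;
    e->end     = va + (validated ? round_page(size) : size);
    e->nframes = (int)(round_page(size) / PAGE_SIZE);
    for (int i = 0; i < e->nframes; i++) {
        int f = alloc_frame(vm);
        if (f < 0) return false;
        e->frames[i] = f;
        vm->pte[va / PAGE_SIZE + i] = f;   /* fault-in installs a translation */
    }
    return true;
}

/* Deallocate: translations are removed for the whole pages covered by the
 * entry's [start, end) range, then every frame the entry owns is freed. */
static void toy_unmap(struct toy_vm *vm, const struct toy_entry *e)
{
    for (uint64_t va = e->start; va < trunc_page(e->end); va += PAGE_SIZE)
        vm->pte[va / PAGE_SIZE] = -1;
    for (int i = 0; i < e->nframes; i++)
        vm->frame_free[e->frames[i]] = true;
}

/* Consistency check: translations that still point at a free frame.
 * Any non-zero result is the physical use-after-free condition. */
static int toy_dangling_ptes(const struct toy_vm *vm)
{
    int n = 0;
    for (int i = 0; i < NVPAGES; i++)
        if (vm->pte[i] >= 0 && vm->frame_free[vm->pte[i]]) n++;
    return n;
}

/* The sequence from the text: map "2 pages + a few extra bytes" (constructed
 * input), touch it, deallocate it, then count stale translations. */
static int toy_run(bool validated)
{
    struct toy_vm vm;
    struct toy_entry e;
    toy_init(&vm);
    if (!toy_map(&vm, &e, 4 * PAGE_SIZE, 2 * PAGE_SIZE + 16, validated))
        return -1;
    toy_unmap(&vm, &e);
    return toy_dangling_ptes(&vm);
}

int main(void)
{
    printf("unaligned size kept in entry : %d dangling PTE(s)\n", toy_run(false));
    printf("size rounded before tracking : %d dangling PTE(s)\n", toy_run(true));
    return 0;
}
```

Run as written, the unaligned case leaves one translation pointing at a freed frame (the third page of the mapping) and the rounded case leaves none. The model deliberately omits the real object, pmap and PPL layers, so it shows the shape of the inconsistency the text describes, not the actual XNU code path or trigger.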