XNU kernel panic triggered by mach_vm_read_overwrite from user-space
| Originator: | oleavr | | |
| Number: | rdar://19895557 | Date Originated: | 20-Feb-2015 00:17 AM |
| Status: | Open | Resolved: | |
| Product: | iOS | Product Version: | iOS 8.1.x (probably many other versions too) |
| Classification: | | Reproducible: | Always |
Summary:
When asking mach_vm_read_overwrite to read a range spanning COW -> PRV -> COW pages, a kernel panic is triggered. Please see the attached test-case, which crashes the XNU kernel on both iOS 8.1 and Mac OS X 10.10. This was discovered after www.frida.re triggered it by accident.

Steps to Reproduce:
1. Run the xnu-panic universal binary on iOS or Mac OS X, or compile xnu-panic.c yourself and run it.

Expected Results:
No kernel panic.

Actual Results:
Kernel panic.

Version:
iOS 8.1.x (probably many other versions too)

Notes:
I can reproduce this 100% of the time on any of my devices.

Configuration:
Any hardware.

Attachments:
'xnu-panic.c' and 'xnu-panic' were successfully uploaded. (Attachments not available here. See https://medium.com/@oleavr/diy-kernel-panic-os-x-and-ios-in-10-loc-c250d9649159 for details.)
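The trigger described above is a single mach_vm_read_overwrite request whose range spans pages with different backing (COW, then private, then COW again). The following is an added example written for this page, not the reporter's attached test case and not code from Frida: a user-space mitigation that splits any read into page-bounded requests, so that no single call to the kernel can ever cover more than one page and therefore cannot span such a run. The fake backend, its 4 KiB page size, base address and byte pattern are constructed for offline testing; the Mach backend is only compiled on Apple hosts and uses the real vm_page_size. That keeping each request inside one page keeps a caller out of the reported path is the editor's inference from the report's description, not something the reporter states; the underlying kernel bug is unaffected by it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <mach/mach.h>
#include <mach/mach_vm.h>
#endif

/* Backend that copies `len` bytes at address `addr` into `dst`; returns 0 on success. */
typedef int (*read_fn)(void *ctx, uint64_t addr, size_t len, void *dst);

/*
 * Read [addr, addr + len) through `fn`, one page-bounded chunk at a time, so that
 * no single request ever covers more than one page and thus can never span pages
 * with different backing (COW vs. private). Returns bytes read, or -1 on a backend
 * failure or a page size that is not a power of two.
 */
long read_paged(read_fn fn, void *ctx, uint64_t page_size,
                uint64_t addr, size_t len, void *dst)
{
    if (page_size == 0 || (page_size & (page_size - 1)) != 0)
        return -1;
    size_t done = 0;
    while (done < len) {
        uint64_t cur = addr + done;
        size_t room = (size_t)(page_size - (cur & (page_size - 1)));
        size_t chunk = (len - done < room) ? len - done : room;
        if (fn(ctx, cur, chunk, (unsigned char *)dst + done) != 0)
            return -1;
        done += chunk;
    }
    return (long)done;
}

#ifdef __APPLE__
/* Real backend: one mach_vm_read_overwrite per chunk against our own task. */
static int mach_backend(void *ctx, uint64_t addr, size_t len, void *dst)
{
    (void)ctx;
    mach_vm_size_t got = 0;
    kern_return_t kr = mach_vm_read_overwrite(mach_task_self(),
                                              (mach_vm_address_t)addr,
                                              (mach_vm_size_t)len,
                                              (mach_vm_address_t)(uintptr_t)dst,
                                              &got);
    return (kr == KERN_SUCCESS && got == len) ? 0 : -1;
}
#endif

/* Constructed fake backend for offline testing: three 4 KiB pages of pattern
 * bytes at a made-up base address. Records every request and counts any that
 * would cross a page boundary. */
#define FAKE_PAGE 4096u
#define FAKE_BASE 0x10000ull
typedef struct {
    unsigned calls;
    unsigned crossing;
    unsigned char mem[3 * FAKE_PAGE];
} fake_ctx;

static int fake_backend(void *vctx, uint64_t addr, size_t len, void *dst)
{
    fake_ctx *c = (fake_ctx *)vctx;
    uint64_t first = addr & ~(uint64_t)(FAKE_PAGE - 1);
    uint64_t last = (addr + len - 1) & ~(uint64_t)(FAKE_PAGE - 1);
    if (len == 0 || addr < FAKE_BASE || addr + len > FAKE_BASE + sizeof c->mem)
        return -1;
    c->calls++;
    if (first != last)
        c->crossing++;
    memcpy(dst, c->mem + (addr - FAKE_BASE), len);
    return 0;
}

/* Reads a range that starts 100 bytes into page 0 and ends 300 bytes into
 * page 2, the same three-page shape as the report's COW -> PRV -> COW case.
 * Returns the number of backend requests issued, or -1 if any request crossed
 * a page boundary or the copied data did not match. */
int demo_three_page_span(void)
{
    static fake_ctx c;
    static unsigned char out[2 * FAKE_PAGE + 200];
    memset(&c, 0, sizeof c);
    for (size_t i = 0; i < sizeof c.mem; i++)
        c.mem[i] = (unsigned char)(i * 7);
    long n = read_paged(fake_backend, &c, FAKE_PAGE, FAKE_BASE + 100, sizeof out, out);
    if (n != (long)sizeof out || c.crossing != 0 ||
        memcmp(out, c.mem + 100, sizeof out) != 0)
        return -1;
    return (int)c.calls;
}

int main(void)
{
    printf("fake backend: %d page-bounded requests\n", demo_three_page_span());
#ifdef __APPLE__
    /* On a real XNU host, read the start of our own code page by page via Mach. */
    unsigned char buf[256];
    long n = read_paged(mach_backend, NULL, vm_page_size,
                        (uint64_t)(uintptr_t)&main, sizeof buf, buf);
    printf("mach backend: %ld bytes read\n", n);
#endif
    return 0;
}
```

The three-page span in the demo becomes exactly three requests (3996, 4096 and 300 bytes), each confined to one page. Callers that need larger reads pay one syscall per page, which is the price of staying clear of a path the kernel does not handle safely; a real fix belongs in XNU.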