首页
社区
课程
招聘
[翻译]Pegasus三叉戟漏洞原理分析及Poc(CVE-2016-4656)第二部分
发表于: 2016-9-8 15:34 9353

[翻译]Pegasus三叉戟漏洞原理分析及Poc(CVE-2016-4656)第二部分

2016-9-8 15:34
9353
393 if (dict)
394 {
395         if (sym)
396         {
397                 DEBG("%s = %s\n", sym->getCStringNoCopy(), o->getMetaClass()->getClassName());
398                 if (o != dict) ok = dict->setObject(sym, o);
399                 o->release();
400                 sym->release();
401                 sym = 0;
402         }
403         else
404         {
405                 sym = OSDynamicCast(OSSymbol, o);
406                 ok = (sym != 0);
407         }
408 }
if (o != dict) ok = dict->setObject(sym, o, true);
--- OSSerializeBinary.cpp       2016-05-09 22:28:11.000000000 +0200
+++ OSSerializeBinaryPatched.cpp        2016-09-05 16:19:03.000000000 +0200
@@ -237,19 +237,21 @@

 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */

-#define setAtIndex(v, idx, o)                                                  \
+#define setAtIndex(v, idx, o, max)                                             \
        if (idx >= v##Capacity)                                                 \
        {                                                                       \
-               uint32_t ncap = v##Capacity + 64;                               \
-               typeof(v##Array) nbuf = (typeof(v##Array)) kalloc_container(ncap * sizeof(o));  \
-               if (!nbuf) ok = false;                                          \
-               if (v##Array)                                                   \
-               {                                                               \
-                       bcopy(v##Array, nbuf, v##Capacity * sizeof(o));         \
-                       kfree(v##Array, v##Capacity * sizeof(o));               \
-               }                                                               \
-               v##Array    = nbuf;                                             \
-               v##Capacity = ncap;                                             \
+               if (v##Capacity < max) {        \
+                       uint32_t ncap = v##Capacity + 64;                       \
+                       typeof(v##Array) nbuf = (typeof(v##Array)) kalloc_container(ncap * sizeof(o));  \
+                       if (!nbuf) ok = false;                                  \
+                       if (v##Array)                                           \
+                       {                                                       \
+                               bcopy(v##Array, nbuf, v##Capacity * sizeof(o));\
+                               kfree(v##Array, v##Capacity * sizeof(o));       \
+                       }                                                       \
+                       v##Array    = nbuf;                                     \
+                       v##Capacity = ncap;                                     \
+               } else ok = false;                                              \
        }                                                                       \
        if (ok) v##Array[idx] = o;

@@ -338,13 +340,12 @@
                    case kOSSerializeObject:
                                if (len >= objsIdx) break;
                                o = objsArray[len];
-                               o->retain();
                                isRef = true;
                                break;

                    case kOSSerializeNumber:
                                bufferPos += sizeof(long long);
-                               if (bufferPos > bufferSize) break;
+                               if (bufferPos > bufferSize || ((len != 32) && (len != 64) && (len != 16) && (len != 8))) break;
                        value = next[1];
                        value <<= 32;
                        value |= next[0];
@@ -354,7 +355,7 @@

                    case kOSSerializeSymbol:
                                bufferPos += (wordLen * sizeof(uint32_t));
-                               if (bufferPos > bufferSize)           break;
+                               if (bufferPos > bufferSize || len < 2)           break;
                                if (0 != ((const char *)next)[len-1]) break;
                        o = (OSObject *) OSSymbol::withCString((const char *) next);
                        next += wordLen;
@@ -386,8 +387,11 @@

                if (!isRef)
                {
-                       setAtIndex(objs, objsIdx, o);
-                       if (!ok) break;
+                       setAtIndex(objs, objsIdx, o, 0x1000000);
+                       if (!ok) {
+                               o->release();
+                               break;
+                       }
                        objsIdx++;
                }

@@ -395,33 +399,35 @@
                {
                        if (sym)
                        {
-                               DEBG("%s = %s\n", sym->getCStringNoCopy(), o->getMetaClass()->getClassName());
-                               if (o != dict) ok = dict->setObject(sym, o, true);
-                               o->release();
-                               sym->release();
-                               sym = 0;
+                               OSSymbol *sym2 = OSDynamicCast(OSSymbol, sym);
+                               if (!sym2 && (str = OSDynamicCast(OSString, sym)))
+                               {
+                                       sym2 = (OSSymbol *) OSSymbol::withString(str);
+                                       ok = (sym2 != 0);
+                                       if (!sym2) break;
+                               }
+
+                               if (o != dict) ok = dict->setObject(sym2, o);
+                               if (sym2 && sym2 != sym) {
+                                       sym2->release();
+                               }
                        }
                        else
                        {
-                               sym = OSDynamicCast(OSSymbol, o);
-                               if (!sym && (str = OSDynamicCast(OSString, o)))
-                               {
-                                   sym = (OSSymbol *) OSSymbol::withString(str);
-                                   o->release();
-                                   o = 0;
-                               }
-                               ok = (sym != 0);
+                               sym = o;
                        }
                }
                else if (array)
                {
                        ok = array->setObject(o);
-                   o->release();
                }
                else if (set)
                {
-                  ok = set->setObject(o);
-                  o->release();
+                       ok = set->setObject(o);
+               }
+               else if (result)
+               {
+                       ok = false;
                }
                else
                {
@@ -436,7 +442,7 @@
                        if (!end)
                        {
                                stackIdx++;
-                               setAtIndex(stack, stackIdx, parent);
+                               setAtIndex(stack, stackIdx, parent, 0x10000);
                                if (!ok) break;
                        }
                        DEBG("++stack[%d] %p\n", stackIdx, parent);
@@ -462,15 +468,19 @@
                        }
                }
        }
-       DEBG("ret %p\n", result);
-
-       if (objsCapacity)  kfree(objsArray,  objsCapacity  * sizeof(*objsArray));
-       if (stackCapacity) kfree(stackArray, stackCapacity * sizeof(*stackArray));

-       if (!ok && result)
+       if (!ok)
        {
-               result->release();
                result = 0;
        }
+       if (objsCapacity) {
+               uint32_t i;
+               for (i = (result?1:0); i < objsIndx; i++) {
+                       objsArray[i]->release();
+               }
+               kfree(objsArray,  objsCapacity  * sizeof(*objsArray));
+       }
+       if (stackCapacity) kfree(stackArray, stackCapacity * sizeof(*stackArray));
+
        return (result);
 }

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 5
支持
分享
最新回复 (5)
雪    币: 30
活跃值: (41)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
3
我也mark一记!
2016-9-8 16:55
0
雪    币: 341
活跃值: (138)
能力值: ( LV7,RANK:110 )
在线值:
发帖
回帖
粉丝
4
好东西.
2016-9-8 18:12
0
雪    币: 0
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
顶楼主!
2016-9-8 20:46
0
雪    币: 134
活跃值: (11)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
6
8个空格的缩进...
2016-9-9 08:53
0
雪    币: 3907
活跃值: (5817)
能力值: ( LV12,RANK:200 )
在线值:
发帖
回帖
粉丝
7
what do you mean ?
2016-9-9 09:43
0
游客
登录 | 注册 方可回帖
返回
//