Estimated reading time: 34 minutes
Executive Summary
Product Defects & Quality Assurance Issues are often expressed on X86_64 as General Protection Faults and on arm64e as possible pointer authentication failures [PAC Failure] and data abort exception errors in Apple Products.
User Controllable Input [UCI]
The common thread for this Article is that User Controllable Input [UCI] causes changes in State Machines that can be measured. An Exploit is a series of UCI causing changes in a State Machine that results with the Attacker obtaining Program Control.
Article Focus
The article focus is with respect to General Protection Faults and possible pointer authentication failure & data abort in iOS & macOS.
- Cherry Picked from xss.cx Data Warehouse
- Apple Closed Source Crashes
- arm64e slice
- X86_64 slice
- PAC Failure & data abort exception identified in 2021
- Apple Closed Source Crashes
- Apple Developer Tool Crashes with a working Proof of Concept [PoC] [Q4/2021]
- Apple History at unsafe handling of User Controllable Input [UCI] from CVE-2013-1034
- XNU Crash Analysis a la Crash Wrangler for potential Exploit Value
Table of contents
- Executive Summary
- User Controllable Input [UCI]
- Article Focus
- PAC Adoption
- Pointer Authentication
- Crash #1 – Apple Closed Source
- Crash #2 – Apple Closed Source
- Crash #3 – debugserver
- Crash #4 – debugserver
- Crash #5 – com.apple.security.cryptexd
- Crash #6 – Fixed Exploit
- Crash #7 clang compiler
- Crash #8 CVE-2013-1034
- UCI Summary
- Change Control
- UX
- External Links
- Author Note
PAC Adoption
For Developers, PAC adoption is easy, just follow the Instructions that Apple has Published here. Do not Roll Your Own PAC. Apple upstreamed a PAC implementation in October 2019. The arm64e ABI is not finalized or stable [Q3/2021]. We identified Undefined Behavior, General Protection Faults and pointer authentication failures as we detail in this Article.
Pointer Authentication
arm64e Pointer Authentication Codes attempt to prevent Return Oriented Programming [ROP] or Jump Oriented Programming [JOP] from working by adding a signature to every code pointer, and some select data pointers.
PAC Failure Distilled
PAC Failure & Data Abort Errors distilled for reference for these Crash Reports:
- A virtual method using a declaration that differs from its definition will trigger a pointer authentication failure in arm64e
- The ARM CPU interprets PAC Failures as memory corruption and sets a high-order bit in the Pointer, making the Pointer invalid and causing the Application to Crash
- A Data Abort Exception is a response to an invalid memory access from the Application
- The Fault Address Register (FAR) holds the Modified Virtual Address (MVA) of the access being attempted when a fault occurred
- Reading from or writing to a read- or write-protected page generates a SIGBUS
- Jumping to a non-executable page, accessing unmapped memory results in a SIGSEV
- There are cases where the kernel turns what would be a SIGBUS into a SIGSEGV (like overflowing the stack).
- XNU Crash Analysis & Vulnerability potential is a seperate Article
Program Counter
From Apple Documentation: focus on the program counter, a register that contains the address of the instruction that caused the memory access exception. On ARM CPU architectures, this is the pc register.
Memory vs Instruction Distilled
Case 1: Is pc != exception address, then Crash is invalid memory
Case 2: Is pc == exception address, then Crash is invalid instruction
Pointer Signatures
The Pointer Signature is stored in unused high bits of a 64-bit pointer (~25 bits today)
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A Aarm64e Signs a raw (unauthenticated) pointer, producing a signed pointer: PACIA Xd, Xn
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A Aarm64e Authenticates a signed pointer, producing a raw pointer. Verifies the signature and strips it on success: AUTDB Xd, Xn
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A APointers with an invalid signature can’t be authenticated: AUTDB Xd, Xn
X X X X X X X X X X X X X X X X X X X X X X X X A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A
Z Z Z Z X X X X X X X X X X X X X X X X X X X X A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A AThe Result of the invalid signature that can’t be authenticated on the arm64e slice is KERN_INVALID_ADDRESS: 0x11… –> 0x00… (possible pointer authentication failure) which can be similar to an EXC_I386_GPFLT Crash on the X86_64 Platform as shown below.
Crash #1 – Apple Closed Source
Here is Crash Report #1. This is an Apple Closed Source Application. Crashes 1 + 2 use the same PoC. The unredacted program is cryptexctl.
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00200002052fe490 -> 0x00000002052fe490 (possible pointer authentication failure)
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [13533]
VM Regions Near 0x2052fe490:
__AUTH_CONST 2052fd248-2052fde30 [ 3048] r--/rw- SM=COW /usr/lib/system/libsystem_c.dylib
--> __AUTH_CONST 2052fde30-2052ffa70 [ 7K] r--/rw- SM=COW /usr/lib/libc++.1.dylib
__AUTH_CONST 2052ffa70-205302c58 [ 12K] r--/rw- SM=COW /usr/lib/libc++abi.dylib
Application Specific Information:
dyld2 mode
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 redacted 0x00000001046c38e8 0x1046b4000 + 63720
1 redacted 0x00000001046c38d4 0x1046b4000 + 63700
2 redacted 0x00000001046c09e8 0x1046b4000 + 51688
3 libdyld.dylib 0x00000001969c9450 start + 4
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000201ca4498 x1: 0x0000000201ca4160 x2: 0x000000016b74bb38 x3: 0x000000016b74bb90
x4: 0x0000000000000000 x5: 0x0000000000000000 x6: 0x0000000000000000 x7: 0x0000000000000000
x8: 0x0000000000000012 x9: 0xffffffffffffffff x10: 0x00000001046b4648 x11: 0x0000000080000028
x12: 0x0000000080000028 x13: 0x0000000000000000 x14: 0x0000000000000881 x15: 0x000000000000000c
x16: 0x00200002052fe458 x17: 0x634f000201ca4498 x18: 0x0000000000000000 x19: 0x000000016b74b830
x20: 0x000000016b74b838 x21: 0x0000000000000001 x22: 0x000000016b74b830 x23: 0x000000016b74b828
x24: 0x0000000000000000 x25: 0x000000016b74bb18 x26: 0x0000000000000000 x27: 0x0000000000000000
x28: 0x000000016b74bb08 fp: 0x000000016b74b510 lr: 0x78448001046c38d4
sp: 0x000000016b74b4e0 pc: 0x00000001046c38e8 cpsr: 0x80000000
far: 0x00200002052fe490 esr: 0x92000004
Binary Images:
0x1046b4000 - 0x104727fff +redacted
0x104a50000 - 0x104acffff dyldRoot Cause Analysis of Crash #1
Classic Crash Analysis is that Apple’s Pointer, 0x00200002052fe490, points to the __AUTH_CONST region of lib++.1.dylib at 0x00000002052fe490, the upper bits of the Pointer are incorrect. The error message ‘possible pointer authentication failure’ is thrown resulting in EXC_BAD_ACCESS (SIGSEGV). Note 0x002000 representing the invalid PAC. This Crash fits into Case 1: Is pc != exception address, the Crash is invalid memory access expressed as pc != FAR. The pc of 0x00000001046c38e8 is not equal to the FAR of 0x00200002052fe490. The Developers may also be calling a virtual method using a declaration that differs from its definition that will trigger a pointer authentication failure in arm64e.
CPU interprets PAC Failures as memory corruption
The CPU interprets PAC Failures as memory corruption and sets a high-order bit in the Pointer, making the Pointer invalid and causing the Application to Crash as detailed here. My gut says there is a Compiler Bug and/or c++ memory Bug too.
Crash #2 – Apple Closed Source
Here is Crash Report #2. This is the same Apple Closed Source Application. For Crashes 1 + 2 use the same PoC. The unredacted program is cryptexctl.
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00200002052fe490 -> 0x00000002052fe490 (possible pointer authentication failure)
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process: exc handler [13511]
VM Region Info: 0x2052fe490 is in 0x2052fde30-0x2052ffa70; bytes after start: 1632 bytes before end: 5599
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
__AUTH_CONST 2052fd248-2052fde30 [ 3048] r--/rw- SM=COW ...ystem_c.dylib
---> __AUTH_CONST 2052fde30-2052ffa70 [ 7K] r--/rw- SM=COW ...ibc++.1.dylib
__AUTH_CONST 2052ffa70-205302c58 [ 12K] r--/rw- SM=COW ...bc++abi.dylib
Application Specific Information:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 redacted 0x104c8b8e8 0x104c7c000 + 63720
1 redacted 0x104c8b8d4 0x104c7c000 + 63700
2 redacted 0x104c889e8 0x104c7c000 + 51688
3 libdyld.dylib 0x1969c9450 start + 4
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000201ca4498 x1: 0x0000000201ca4160 x2: 0x000000016b183b50 x3: 0x000000016b183ba8
x4: 0x0000000000000000 x5: 0x0000000000000000 x6: 0x0000000000000000 x7: 0x0000000000000000
x8: 0x0000000000000012 x9: 0xffffffffffffffff x10: 0x0000000104c7c648 x11: 0x0000000080000028
x12: 0x0000000080000028 x13: 0x0000000000000000 x14: 0x0000000000000881 x15: 0x000000000000000c
x16: 0x00200002052fe458 x17: 0x634f000201ca4498 x18: 0x0000000000000000 x19: 0x000000016b183850
x20: 0x000000016b183858 x21: 0x0000000000000001 x22: 0x000000016b183850 x23: 0x000000016b183848
x24: 0x0000000000000000 x25: 0x000000016b183b30 x26: 0x0000000000000000 x27: 0x0000000000000000
x28: 0x000000016b183b20 fp: 0x000000016b183530 lr: 0xf767800104c8b8d4
sp: 0x000000016b183500 pc: 0x0000000104c8b8e8 cpsr: 0x80000000
far: 0x00200002052fe490 esr: 0x92000004 (Data Abort) byte read Translation fault
Binary Images:
0x104c7c000 - 0x104ceffff redacted
0x1969b1000 - 0x1969f2fff libdyld.dylib (*)
Root Cause Analysis of Crash #2
Classic Crash Analysis is that Apple’s Pointer, 0x00200002052fe490, points to the __AUTH_CONST region of lib++.1.dylib at 0x00000002052fe490, the upper bits of the Pointer are incorrect. The error message ‘possible pointer authentication failure’ is thrown resulting in EXC_BAD_ACCESS (SIGSEGV). Note 0x002000 representing the invalid PAC. This Crash fits into Case 1: Is pc != exception address, the Crash is invalid memory access expressed as pc != FAR. The pc of 0x00000001046c38e8 is not equal to the FAR of 0x00200002052fe490. The Developers may also be calling a virtual method using a declaration that differs from its definition that will trigger a pointer authentication failure in arm64e.
Exception Syndrome Register
Focusing on the Exception Syndrome Register [esr]: A data abort exception is an invalid memory access from the Application. This Crash fits into Case 1: Is pc != exception address, the Crash is invalid memory access expressed as pc != FAR. The pc of 0x0000000104c8b8e8 is not equal to the FAR of 0x00200002052fe490. The Apple Closed Source Application Crash is due to an Invalid Memory Operation expressed as (Data Abort) byte read Translation fault.
CPU interprets PAC Failures as memory corruption
The CPU interprets PAC Failures as memory corruption and sets a high-order bit in the Pointer, making the Pointer invalid and causing the Application to Crash as detailed here. My gut says there is a Compiler Bug and/or c++ memory Bug too.
Crash #3 – debugserver
Here is Crash Report #3. debugserver for iOS Research for Apple Security Research Device circa 2023.
Hardware Model: iPhone12,1
Process: debugserver [338]
Path: /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.TEzNH3/usr/bin/debugserver
Identifier: debugserver
Version: ???
Code Type: ARM-64 (Native)
Role: Unspecified
Parent Process: sh [323]
Coalition: com.example.cryptex.sshd [491]
Date/Time: 2021-08-26 11:41:24.9974 -0400
Launch Time: 2021-08-26 11:41:24.2901 -0400
OS Version: iPhone OS 15.0 (19A5337a)
Release Type: Beta
Baseband Version: 3.00.00
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x002000010257ce18 -> 0x000000010257ce18 (possible pointer authentication failure)
Exception Codes: 0x0000000000000001, 0x002000010257ce18
VM Region Info: 0x10257ce18 is in 0x10257c000-0x102588000; bytes after start: 3608 bytes before end: 45543
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
__TEXT 102504000-10257c000 [ 480K] r-x/r-x SM=COW ...n/debugserver
---> __DATA_CONST 10257c000-102588000 [ 48K] r--/rw- SM=COW ...n/debugserver
__DATA 102588000-102994000 [ 4144K] rw-/rw- SM=COW ...n/debugserver
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: SIGNAL; [11]
Terminating Process: exc handler [338]
Terminating Process: exc handler [338]
Triggered by Thread: 0
Thread 0 name: main thread Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libc++.1.dylib 0x19c485b0c 0x19c47a000 + 47884
1 debugserver 0x102511a24 0x102504000 + 55844
2 debugserver 0x10250c698 0x102504000 + 34456
3 debugserver 0x10250e768 0x102504000 + 42856
4 dyld 0x102a69a24 0x102a50000 + 104996
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000103a04470 x1: 0x0000000104009200 x2: 0x0000000104000000 x3: 0x0000000000000800
x4: 0x0000000000000120 x5: 0x0000000103904470 x6: 0x0000000000000029 x7: 0x000000000000003e
x8: 0x0000000103a04480 x9: 0x0000000000000000 x10: 0x0000000000000000 x11: 0x0000000000000a00
x12: 0x0000000000000001 x13: 0x0000000104000000 x14: 0x0000000000000001 x15: 0x0000000000000002
x16: 0x002000010257cdf8 x17: 0x634f000103a04470 x18: 0x0000000000000000 x19: 0x0000000103a04470
x20: 0x0000000000000400 x21: 0x000000016d8fa818 x22: 0x0000000000000000 x23: 0x0000000000000000
x24: 0x0000000104009200 x25: 0x0000000000000001 x26: 0x000000007fffffff x27: 0x00000001038120d0
x28: 0x0000000000000000 fp: 0x000000016d8fa7f0 lr: 0x0000000102511a24
sp: 0x000000016d8fa490 pc: 0x000000019c485b0c cpsr: 0x60000000
far: 0x002000010257ce18 esr: 0x92000004 (Data Abort) byte read Translation fault
Binary Images:
0x19c47a000 - 0x19c4ddfff libc++.1.dylib arm64e <15095115b2ab37719e86897521087066> /usr/lib/libc++.1.dylib
0x102504000 - 0x10257bfff debugserver arm64e <54186028cc6b35dfaf1be2fd9ab24404> /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.TEzNH3/usr/bin/debugserver
0x102a50000 - 0x102aa7fff dyld arm64e <1602b2f2df6234128bc6ece21486c3e0> /usr/lib/dyld
0x0 - 0xffffffffffffffff ??? unknown-arch <00000000000000000000000000000000> ???
EOFRoot Cause Analysis of Crash #3
By now you should be able to express your own opinion with respect to the Crash. What is your Root Cause Analysis of Crash #3?
Exception Syndrome Register
Focusing on the Exception Syndrome Register [esr]: A data abort exception is an invalid memory access from the Application. This Crash fits into Case 1: Is pc != exception address, the Crash is invalid memory access expressed as pc != FAR. The Apple Closed Source Application Crash is due to an Invalid Memory Operation expressed as (Data Abort) byte read Translation fault. The Developers may also be calling a virtual method using a declaration that differs from its definition that will trigger a pointer authentication failure in arm64e.
CPU interprets PAC Failures as memory corruption
The CPU interprets PAC Failures as memory corruption and sets a high-order bit in the Pointer, making the Pointer invalid and causing the Application to Crash as detailed here. My gut says there is a Compiler Bug and/or c++ memory Bug too.
Crash #4 – debugserver
Here is Crash Report #4 using debugserver for iOS Research on the Apple Security Research Device circa 2023.
Hardware Model: iPhone12,1
Process: debugserver [1226]
Path: /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.k6Rp0l/usr/bin/debugserver
Identifier: debugserver
Version: ???
Code Type: ARM-64 (Native)
Role: Unspecified
Parent Process: sh [1154]
Coalition: com.example.cryptex.sshd [492]
Date/Time: 2021-06-29 15:56:20.3585 -0400
Launch Time: 2021-06-29 15:56:16.8742 -0400
OS Version: iPhone OS 15.0 (19A5281h)
Release Type: Beta
Baseband Version: 2.50.04
Report Version: 104
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001994654e0
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: SIGNAL; [5]
Terminating Process: exc handler [1226]
Terminating Process: exc handler [1226]
Triggered by Thread: 0
Thread 0 name: main thread Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libc++.1.dylib 0x1994654e0 std::__1::basic_ostream<char, std::__1::char_traits<char> >::sentry::sentry(std::__1::basic_ostream<char, std::__1::char_traits<char> >&) + 60
1 debugserver 0x104c60e8c std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::__put_character_sequence<char, std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, unsigned long) + 56
2 debugserver 0x104c60e8c std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::__put_character_sequence<char, std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, unsigned long) + 56
3 debugserver 0x104c4de9c RNBRemote::HandlePacket_qHostInfo(char const*) + 496
4 debugserver 0x104c57fa0 RNBRemote::HandleReceivedPacket(RNBRemote::PacketEnum*) + 356
5 debugserver 0x104c30b8c RNBRunLoopInferiorExecuting(RNBRemote*) + 392
6 debugserver 0x104c31fd8 main + 3772
7 dyld 0x10551371c start + 520
Thread 1 name: exception monitoring thread
Thread 1:
0 libsystem_kernel.dylib 0x1b7684594 mach_msg_trap + 8
1 libsystem_kernel.dylib 0x1b7684ff4 mach_msg + 76
2 debugserver 0x104c68590 MachException::Message::Receive(unsigned int, int, unsigned int, unsigned int) + 188
3 debugserver 0x104c77450 MachTask::ExceptionThread(void*) + 340
4 libsystem_pthread.dylib 0x1f235f200 _pthread_start + 148
5 libsystem_pthread.dylib 0x1f235ed5c thread_start + 8
Thread 2:
0 libsystem_pthread.dylib 0x1f235ed48 start_wqthread + 0
Thread 3:
0 libsystem_pthread.dylib 0x1f235ed48 start_wqthread + 0
Thread 4 name: kqueue thread
Thread 4:
0 libsystem_kernel.dylib 0x1b7687d1c kevent + 8
1 debugserver 0x104c347f4 kqueue_thread(void*) + 168
2 libsystem_pthread.dylib 0x1f235f200 _pthread_start + 148
3 libsystem_pthread.dylib 0x1f235ed5c thread_start + 8
Thread 5 name: child process status watcher thread
Thread 5:
0 libsystem_kernel.dylib 0x1b7685468 __psynch_cvwait + 8
1 libsystem_pthread.dylib 0x1f2362d60 _pthread_cond_wait + 1240
2 debugserver 0x104c3fc44 PThreadEvent::WaitForSetEvents(unsigned int, timespec const*) const + 60
3 debugserver 0x104c35b6c DNBProcessWaitForEvents(int, unsigned int, bool, timespec*) + 76
4 debugserver 0x104c40894 RNBContext::ThreadFunctionProcessStatus(void*) + 232
5 libsystem_pthread.dylib 0x1f235f200 _pthread_start + 148
6 libsystem_pthread.dylib 0x1f235ed5c thread_start + 8
Thread 6 name: read gdb-remote packets thread
Thread 6:
0 libsystem_kernel.dylib 0x1b7686ed8 read + 8
1 debugserver 0x104c644c8 RNBSocket::Read(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) + 112
2 debugserver 0x104c58700 RNBRemote::ThreadFunctionReadRemoteData(void*) + 196
3 libsystem_pthread.dylib 0x1f235f200 _pthread_start + 148
4 libsystem_pthread.dylib 0x1f235ed5c thread_start + 8
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x000000016b1d6898 x1: 0x000000016b1d6950 x2: 0x0000000000000008 x3: 0x000000016b1d6920
x4: 0x0000000000000000 x5: 0x0000000000000000 x6: 0x0000000000000041 x7: 0x0000000105607080
x8: 0x0000000000000004 x9: 0x0000000000000001 x10: 0x000000016b1d6b28 x11: 0x666e4974736f4871
x12: 0x0000000000000001 x13: 0x00000000ffffffff x14: 0x000000000057014b x15: 0x000000000000014b
x16: 0x0020000104ca1468 x17: 0x0000000104ca1468 x18: 0x0000000000000000 x19: 0x000000016b1d6898
x20: 0x0000000104c8fafc x21: 0x0000000000000008 x22: 0x00000001056067e8 x23: 0x000000000100000c
x24: 0x0000000000000002 x25: 0x003d310104ca1468 x26: 0x0013060104ca1538 x27: 0x0000000000000000
x28: 0x00000001050b5000 fp: 0x000000016b1d6880 lr: 0x0b56050104c60e8c
sp: 0x000000016b1d6870 pc: 0x00000001994654e0 cpsr: 0x20000000
far: 0x0000000104c4dcac esr: 0xf200c472 (Breakpoint) pointer authentication trap DA
Binary Images:
0x199440000 - 0x1994a9fff libc++.1.dylib arm64e <f7a780c792db3cf8b8f1641bd5a643e4> /usr/lib/libc++.1.dylib
0x104c28000 - 0x104c9ffff debugserver arm64e <54186028cc6b35dfaf1be2fd9ab24404> /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.k6Rp0l/usr/bin/debugserver
0x1054f4000 - 0x10554bfff dyld arm64e <9bca7d9fe7ba314d8c36e3396b56ffa6> /usr/lib/dyld
0x1b7683000 - 0x1b76b6fff libsystem_kernel.dylib arm64e <0a00d7f34e8e3baabe575c21e07cc8aa> /usr/lib/system/libsystem_kernel.dylib
0x1f235e000 - 0x1f2369fff libsystem_pthread.dylib arm64e <95d7224a99ce3a7e94ab586530c23f5c> /usr/lib/system/libsystem_pthread.dylib
EOF
Root Cause Analysis of Crash #4
Focusing on the Exception Syndrome Register [esr]: (Breakpoint) pointer authentication trap DA is a Programmer Error that failed to properly Authenticate a pointer using key/discriminator A. That is a significant Compiler Bug! My gut says there is another Compiler Bug and/or c++ memory Bug too.
Crash #5 – com.apple.security.cryptexd
Here is Crash Report #5 using com.apple.security.cryptexd to conduct a Quality Assurance Audit. This initially looked like a Bug in Toybox, but my inexperience with arm64e quickly became evident. The process turned into a good learning experience.
Hardware Model: iPhone12,1
Process: toybox [457]
Path: /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.3o3V5D/usr/bin/toybox
Identifier: toybox
Version: ???
Code Type: ARM-64 (Native)
Role: Unspecified
Parent Process: sh [378]
Coalition: com.example.cryptex.sshd [286]
Date/Time: 2021-03-08 20:44:07.4887 -0500
Launch Time: 2021-03-08 20:44:07.4168 -0500
OS Version: iPhone OS 14.4 (18D52)
Release Type: User
Baseband Version: 2.03.04
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x6b726f7774656e50 -> 0x0000007774656e50 (possible pointer authentication failure)
VM Region Info: 0x7774656e50 is not in any region. Bytes after previous region: 32017575505
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
commpage (reserved) 1000000000-7000000000 [384.0G] ---/--- SM=NUL ...(unallocated)
--->
UNUSED SPACE AT END
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [457]
Triggered by Thread: 0
Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libsystem_platform.dylib 0x00000001d219fbc4 _platform_strlen + 4
1 libsystem_c.dylib 0x000000018faf016c __vfprintf + 4328
2 libsystem_c.dylib 0x000000018fb12e0c __v2printf + 396
3 libsystem_c.dylib 0x000000018fb13044 __xvprintf + 240
4 libsystem_c.dylib 0x000000018faeef80 vfprintf_l + 68
5 libsystem_c.dylib 0x000000018faed7b8 printf + 84
6 id 0x00000001023ca240 0x10239c000 + 188992
7 id 0x00000001023adf88 0x10239c000 + 73608
8 id 0x00000001023ad978 0x10239c000 + 72056
9 id 0x00000001023adfd0 0x10239c000 + 73680
10 libdyld.dylib 0x000000018632a6b0 start + 4
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x6b726f7774656e5f x1: 0x6b726f7774656e50 x2: 0x0000000000000000 x3: 0x000000016da632b3
x4: 0x000000016da62e70 x5: 0x000000016da63800 x6: 0x0000000000000031 x7: 0x0000000000000f50
x8: 0x6b726f7774656e5f x9: 0x000000018fb29aac x10: 0x0000000000000001 x11: 0x0000000000000003
x12: 0x0000000000000000 x13: 0x0000000000000000 x14: 0x0000000000000010 x15: 0x0000000000000001
x16: 0x00000001d219fbc0 x17: 0x000000018faf1de4 x18: 0x0000000000000000 x19: 0x000000016da62d60
x20: 0x0000000000000003 x21: 0x0000000000000073 x22: 0x00000001023e7526 x23: 0x000000000000000a
x24: 0x0000000000000000 x25: 0x00000001023e7524 x26: 0x6b726f7774656e5f x27: 0x0000000000000000
x28: 0x000000016da62e78 fp: 0x000000016da63130 lr: 0x000000018faf016c
sp: 0x000000016da62d60 pc: 0x00000001d219fbc4 cpsr: 0x20000000
esr: 0x92000004 (Data Abort) byte read Translation fault
Binary Images:
0x10239c000 - 0x1023e7fff id arm64e <5355f62ffbc5313781546fd6137f4656> /var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.3o3V5D/usr/bin/id
0x1026ec000 - 0x10275bfff dyld arm64e <1f4d7499ee603c5d9d542cd29e4e537c> /usr/lib/dyld
0x1862e6000 - 0x186328fff libdispatch.dylib arm64e <b92757b104343e9ba3acb6da6b81945c> /usr/lib/system/libdispatch.dylib
0x186329000 - 0x186363fff libdyld.dylib arm64e <21b19919133438bcb233896e929945e0> /usr/lib/system/libdyld.dylib
0x18fa87000 - 0x18faacfff libsystem_info.dylib arm64e <4141392213e530b7907d6662a1eab27e> /usr/lib/system/libsystem_info.dylib
0x18faad000 - 0x18fb2bfff libsystem_c.dylib arm64e <961a8fb0de8a3567b4375d99cd549fae> /usr/lib/system/libsystem_c.dylib
0x1964e3000 - 0x196506fff libsystem_malloc.dylib arm64e <bbade3853af53399b1d6180c6d33df9c> /usr/lib/system/libsystem_malloc.dylib
0x198594000 - 0x1985a3fff libsystem_networkextension.dylib arm64e <72e9b04cefb3311398130faa22fd28af> /usr/lib/system/libsystem_networkextension.dylib
0x19b70a000 - 0x19b740fff libobjc.A.dylib arm64e <fea23cff02cf34268a4f893396ce92ff> /usr/lib/libobjc.A.dylib
0x19b7a4000 - 0x19b802fff libc++.1.dylib arm64e <4a0b48d835483ad794c55e54ab10b6fa> /usr/lib/libc++.1.dylib
0x19b803000 - 0x19b81cfff libc++abi.dylib arm64e <2c28dce19a893752bcfc907e99183a63> /usr/lib/libc++abi.dylib
0x19d4c7000 - 0x19d4ddfff libsystem_trace.dylib arm64e <3520924c65a7351dadbea07268a9bca7> /usr/lib/system/libsystem_trace.dylib
0x1a162e000 - 0x1a1638fff libsystem_notify.dylib arm64e <cb00557eecb73b8ebee94de4a0b862aa> /usr/lib/system/libsystem_notify.dylib
0x1a16ec000 - 0x1a1760fff libcorecrypto.dylib arm64e <7282f135d28937129081a2b32fdb3622> /usr/lib/system/libcorecrypto.dylib
0x1a1862000 - 0x1a1878fff libsystem_asl.dylib arm64e <6861da31b33a393eadeaa36da03ba670> /usr/lib/system/libsystem_asl.dylib
0x1a8f26000 - 0x1a8f2dfff libsystem_symptoms.dylib arm64e <ee0315ac9aab3bd4ab86ede010db097a> /usr/lib/system/libsystem_symptoms.dylib
0x1b4622000 - 0x1b4653fff libsystem_kernel.dylib arm64e <b373b97b671e301ca6b7c9f92e17dca0> /usr/lib/system/libsystem_kernel.dylib
0x1b6f16000 - 0x1b6f17fff libSystem.B.dylib arm64e <7d42c8382a04372e9fccdc7a95ef88f4> /usr/lib/libSystem.B.dylib
0x1d1252000 - 0x1d1252fff libcharset.1.dylib arm64e <b28f9d663d723a4198566fd8d095045a> /usr/lib/libcharset.1.dylib
0x1d1336000 - 0x1d142bfff libiconv.2.dylib arm64e <03e7a7e4dde835508741edd69270af5f> /usr/lib/libiconv.2.dylib
0x1d1c3b000 - 0x1d1c53fff libresolv.9.dylib arm64e <51b76938e8c13d458dd30429749fef91> /usr/lib/libresolv.9.dylib
0x1d1ca0000 - 0x1d1ca3fff libutil.dylib arm64e <d77e2807eed438349e164bb8d9e1edcc> /usr/lib/libutil.dylib
0x1d1dbe000 - 0x1d1dcffff libz.1.dylib arm64e <9e35153333503f8bb9b567ec5881c5ef> /usr/lib/libz.1.dylib
0x1d2025000 - 0x1d202afff libcache.dylib arm64e <7567dfaa324e306aa66fc2dda88b033b> /usr/lib/system/libcache.dylib
0x1d202b000 - 0x1d2038fff libcommonCrypto.dylib arm64e <25abfbdfed4431f7a628bd742e231f31> /usr/lib/system/libcommonCrypto.dylib
0x1d2039000 - 0x1d203cfff libcompiler_rt.dylib arm64e <d33e74102bae373585edeb219279aa43> /usr/lib/system/libcompiler_rt.dylib
0x1d203d000 - 0x1d2045fff libcopyfile.dylib arm64e <fae70da0ebad33f293ac496dcbe46fea> /usr/lib/system/libcopyfile.dylib
0x1d212d000 - 0x1d212dfff liblaunch.dylib arm64e <2484228087bc30c68b69739b80187b10> /usr/lib/system/liblaunch.dylib
0x1d212e000 - 0x1d2133fff libmacho.dylib arm64e <4228e603576133778acefc84d49a4d2f> /usr/lib/system/libmacho.dylib
0x1d2134000 - 0x1d2136fff libremovefile.dylib arm64e <904853f042653abe93730a3ecdf39678> /usr/lib/system/libremovefile.dylib
0x1d2137000 - 0x1d2138fff libsystem_blocks.dylib arm64e <f285e167aaa73ab7a092085ca4d1a0c5> /usr/lib/system/libsystem_blocks.dylib
0x1d2139000 - 0x1d213bfff libsystem_collections.dylib arm64e <ea85747378323fa18286e5b16bc56a4e> /usr/lib/system/libsystem_collections.dylib
0x1d213c000 - 0x1d2140fff libsystem_configuration.dylib arm64e <230a7783b6ac3c7fba6991bdfa91823d> /usr/lib/system/libsystem_configuration.dylib
0x1d2141000 - 0x1d2153fff libsystem_containermanager.dylib arm64e <01ba22f7abce3319860fb76d10a0d6d9> /usr/lib/system/libsystem_containermanager.dylib
0x1d2154000 - 0x1d2155fff libsystem_coreservices.dylib arm64e <f83a3238b8303072ab9113587ed26129> /usr/lib/system/libsystem_coreservices.dylib
0x1d2156000 - 0x1d215ffff libsystem_darwin.dylib arm64e <63485fa6fe9235b783a00554e0194eba> /usr/lib/system/libsystem_darwin.dylib
0x1d2160000 - 0x1d2168fff libsystem_dnssd.dylib arm64e <591126c3ffdb3df8afb3cb5f5c3e79a0> /usr/lib/system/libsystem_dnssd.dylib
0x1d2169000 - 0x1d216bfff libsystem_featureflags.dylib arm64e <a5ca1f870aef3eee876e0c077d7638ee> /usr/lib/system/libsystem_featureflags.dylib
0x1d216c000 - 0x1d2199fff libsystem_m.dylib arm64e <c9e29eee8f90377795c625952802e491> /usr/lib/system/libsystem_m.dylib
0x1d219a000 - 0x1d21a0fff libsystem_platform.dylib arm64e <88fa2f54074d32c49f4879eb67e67b7b> /usr/lib/system/libsystem_platform.dylib
0x1d21a1000 - 0x1d21a1fff libsystem_product_info_filter.dylib arm64e <563ac8a6230f305bbada77870fec6204> /usr/lib/system/libsystem_product_info_filter.dylib
0x1d21a2000 - 0x1d21adfff libsystem_pthread.dylib arm64e <c939a2abd3b13b0a83c57ce2f4f339a9> /usr/lib/system/libsystem_pthread.dylib
0x1d21ae000 - 0x1d21b1fff libsystem_sandbox.dylib arm64e <d7ea594452b73c8882c4726694052a14> /usr/lib/system/libsystem_sandbox.dylib
0x1d21b2000 - 0x1d21bcfff libunwind.dylib arm64e <d08ac1cff13c37cf93066cc664058cf0> /usr/lib/system/libunwind.dylib
0x1d21bd000 - 0x1d21f3fff libxpc.dylib arm64e <cc048c8e1cad36c88a9615966103bd3a> /usr/lib/system/libxpc.dylib
EOF
Root Cause Analysis of Crash #5
Classic Crash Analysis is that the Toybox Pointer, 0x6b726f7774656e50, points to outerspace beyond the commpage at 0x0000007774656e50, the upper bits of the Pointer are incorrect. The error message ‘possible pointer authentication failure’ is thrown resulting in EXC_BAD_ACCESS (SIGSEGV). Note 0x6b726f representing the invalid PAC.
This Crash fits into Case 1: invalid memory access. The Toybox Crash is due to an Invalid Memory Operation expressed as (Data Abort) byte read Translation fault. The Developers may also be calling a virtual method using a declaration that differs from its definition that will trigger a pointer authentication failure in arm64e.
ABI Issue
Crash #5 has a Process Name of Toybox. But sometimes things are not as they appear. The Error Message: possible pointer authentication failure is an ABI Issue according to the information I received that caused me to Close the Issue with Toybox.
Learning
This was the Reply from Elliot at Toybox [Google] that got me thinking: “id certainly works for me on macOS/x86-64, but i don’t have any ARM Apple devices so i can’t test PAC/BTI (if this is a PAC failure, though i don’t think it actually is, since i think that’s saying you’re dying in the strlen() prolog rather than the epilog)”.
Schooled
Then, in another comment from Elliot, I really began to see I was Filing a Bug Report with the wrong Project, here is the quote that schooled me: “that might be interesting to work out whether this is an iOS vs macOS issue rather than an arm64e issue. (like i said, macOS x86-64 id works for me, through thousands of runs. but i don’t have any iOS, nor macOS arm64.)”
Similar Exception Code
The Debugger, debugserver with remote lldb threw the similar Exception Code of possible pointer authentication failure, data abort, pointer traps for DA key signing errors and more. At that moment it became obvious that I was wasting the time of the Toybox Maintainers for which I apologized. My Bad for not having properly analyzed the Crash Report.
CPU interprets PAC Failures as memory corruption
The CPU interprets PAC Failures as memory corruption and sets a high-order bit in the Pointer, making the Pointer invalid and causing the Application to Crash as detailed here. My gut says there is a Compiler Bug and/or c++ memory Bug too.
Crash #6 – Fixed Exploit
This Crash is a Replay PoC from a Bug that has been Fixed by Apple. I thought it is worth showing when a EXC_GUARD (SIGKILL) is seen in a Crash Report.
Hardware Model: iPhone12,1
Process: cx.xss.poc-tap-mach-port-001 [435]
Path: /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.5WZPyG/usr/bin/cx.xss.poc-tap-mach-port-001
Identifier: cx.xss.poc-tap-mach-port-001
Version: ???
Code Type: ARM-64 (Native)
Role: Unspecified
Parent Process: sh [420]
Coalition: com.example.cryptex.sshd [547]
Date/Time: 2021-10-06 18:54:23.9961 -0400
Launch Time: 2021-10-06 18:54:23.9754 -0400
OS Version: iPhone OS 15.1 (19B5060d)
Release Type: Beta
Baseband Version: 3.00.00
Report Version: 104
Exception Type: EXC_GUARD (SIGKILL)
Exception Subtype: GUARD_TYPE_MACH_PORT
Exception Message: ILLEGAL_MOVE on mach port 515 (guarded with 0x0000000000000000)
Exception Codes: 0x0000000000000203, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: GUARD; [2305843146652647939]
Triggered by Thread: 1
Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0:
0 cx.xss.poc-tap-mach-port-001 0x100215298 main + 740
1 cx.xss.poc-tap-mach-port-001 0x10021528c main + 728
2 dyld 0x100411a24 start + 520
Thread 1 Crashed:
0 libsystem_kernel.dylib 0x1b7846504 mach_msg_trap + 8
1 libsystem_kernel.dylib 0x1b7846b9c mach_msg + 76
2 cx.xss.poc-tap-mach-port-001 0x100215cfc tap_mach_port + 432
3 libsystem_pthread.dylib 0x1f0c8a9a4 _pthread_start + 148
4 libsystem_pthread.dylib 0x1f0c89ea0 thread_start + 8
Thread 1 crashed with ARM Thread State (64-bit):
x0: 0x000000001000000a x1: 0x0000000000000001 x2: 0x000000000000002c x3: 0x0000000000000000
x4: 0x0000000000000000 x5: 0x0000000000000000 x6: 0x0000000000000000 x7: 0x0000000000000000
x8: 0x00000000fffffbbf x9: 0x0000000000010680 x10: 0x0000000000000000 x11: 0x0000000000000000
x12: 0x0000000000000000 x13: 0x0000000000000000 x14: 0x0000000000000000 x15: 0x0000000000000000
x16: 0xffffffffffffffe1 x17: 0x0000000100218080 x18: 0x0000000000000000 x19: 0x0000000000000000
x20: 0x0000000000000000 x21: 0x0000000000000000 x22: 0x0000000000000000 x23: 0x000000016fc66930
x24: 0x0000000000000001 x25: 0x000000000000002c x26: 0x0000000000000001 x27: 0x0000000000000000
x28: 0x0000000000000000 fp: 0x000000016fc668f0 lr: 0x00000001b7846b9c
sp: 0x000000016fc668a0 pc: 0x00000001b7846504 cpsr: 0x60000000
far: 0x000000016fc70000 esr: 0x56000080 Address size fault
Binary Images:
0x100210000 - 0x100217fff cx.xss.poc-tap-mach-port-001 arm64e <06a5e10efa46350581b3a5395757c567> /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.5WZPyG/usr/bin/cx.xss.poc-tap-mach-port-001
0x1003f8000 - 0x10044ffff dyld arm64e <13216777f4be3a7bb470857e80ad3300> /usr/lib/dyld
0x1b7845000 - 0x1b7878fff libsystem_kernel.dylib arm64e <3e34d3ba781e3337a7220a7afc3acd7b> /usr/lib/system/libsystem_kernel.dylib
0x1f0c89000 - 0x1f0c94fff libsystem_pthread.dylib arm64e <9f8c2a4cc7e83932821480ccd53f2812> /usr/lib/system/libsystem_pthread.dylib
EOFRoot Cause Analysis of Crash #6
Classic Crash Analysis is that the Termination Reason: GUARD is obvious. The Kernel sees that the Application has attempted an ILLEGAL_MOVE in a mach port that is guarded and executes a SIGKILL. Apple has more info in guarded_test_framework.c.
Crash #7 clang compiler
FB9684776 | This is a Crash that Targets clang-1300.0.29.3. PoC for M1 & X86_64. Note that the arm64e slice Exception Code is (possible pointer authentication failure) and on X86_64 the Exception Code is EXC_I386_GPFLT for the same PoC. I initially Reported this to Feedback Aug 29, 2015 at 10:20 PM as FB5807939 that Apple chose not to Fix.
PoC
echo 'lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*' | clang -x c++ -c -Result
clang: error: unable to execute command: Segmentation fault: 11
clang: error: clang frontend command failed due to signal (use -v to see invocation)
Apple clang version 13.0.0 (clang-1300.0.29.3)M1 ARM Crash Report for Pointer Authentication Failure
Here is the Crash Report containing the M1 ARM Exception Code: possible pointer authentication failure as shown below:
Process: clang [41744]
Path: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang
Identifier: clang
Version: 13.0.0 (1300.0.29)
Code Type: ARM-64 (Native)
Parent Process: ??? [41743]
Responsible: iTerm2 [597]
User ID: 501
Date/Time: 2021-10-07 08:38:55.952 -0400
OS Version: macOS 11.6 (20G165)
Report Version: 12
System Integrity Protection: disabled
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x8000000000000000 -> 0x0000000000000000 (possible pointer authentication failure)
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [41744]
VM Regions Near 0:
-->
__TEXT 104960000-108420000 [ 58.8M] r-x/r-x SM=COW /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang
Application Specific Information:
dyld2 mode
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 clang 0x0000000106a4decc clang::TokenLexer::Lex(clang::Token&) + 248
1 clang 0x0000000106a4de88 clang::TokenLexer::Lex(clang::Token&) + 180
2 clang 0x0000000106a4aae4 clang::Preprocessor::Lex(clang::Token&) + 104
3 clang 0x0000000106a2a5b0 clang::Preprocessor::CachingLex(clang::Token&) + 164
4 clang 0x0000000106a4ab0c clang::Preprocessor::Lex(clang::Token&) + 144
5 clang 0x00000001062375f0 clang::Parser::ConsumeAnyToken(bool) + 160
6 clang 0x00000001062388f8 clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) + 716
7 clang 0x0000000107532628 clang::BalancedDelimiterTracker::diagnoseMissingClose() + 404
8 clang 0x000000010623daa0 clang::BalancedDelimiterTracker::consumeClose() + 480
9 clang 0x00000001061efde4 clang::Parser::ParsePostfixExpressionSuffix(clang::ActionResult<clang::Expr*, true>) + 2264
10 clang 0x00000001061f1320 clang::Parser::ParseCastExpression(clang::Parser::CastParseKind, bool, bool&, clang::Parser::TypeCastState, bool, bool*) + 196
11 clang 0x00000001061ef470 clang::Parser::ParseCastExpression(clang::Parser::CastParseKind, bool, clang::Parser::TypeCastState, bool, bool*) + 40
12 clang 0x00000001061ee7ac clang::Parser::ParseRHSOfBinaryExpression(clang::ActionResult<clang::Expr*, true>, clang::prec::Level) + 2356
13 clang 0x000000010620506c clang::Parser::ParseBraceInitializer() + 392
14 clang 0x00000001061d1de0 clang::Parser::ParseDeclarationAfterDeclaratorAndAttributes(clang::Declarator&, clang::Parser::ParsedTemplateInfo const&, clang::Parser::ForRangeInit*) + 4088
15 clang 0x00000001061cfe78 clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, clang::DeclaratorContext, clang::SourceLocation*, clang::Parser::ForRangeInit*) + 1268
16 clang 0x000000010623b8d0 clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) + 264
17 clang 0x000000010623b448 clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*, clang::AccessSpecifier) + 200
18 clang 0x000000010623a9ac clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) + 2280
19 clang 0x0000000106239e48 clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&, bool) + 948
20 clang 0x00000001061bd8bc clang::ParseAST(clang::Sema&, bool, bool) + 308
21 clang 0x000000010591c77c clang::FrontendAction::Execute() + 60
22 clang 0x00000001058d20cc clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 1300
23 clang 0x0000000105964b60 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 1212
24 clang 0x00000001049669a8 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) + 1424
25 clang 0x00000001049655b0 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) + 692
26 clang 0x00000001049652f4 driver_main(int, char const**) + 4056
27 clang 0x00000001049642fc main + 108
28 libdyld.dylib 0x0000000180a1d430 start + 4
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000000000000 x1: 0x00000001418dc810 x2: 0x0000000000000000 x3: 0x0000000000000010
x4: 0x000000014162cd24 x5: 0x0000000000000009 x6: 0x0000000000000000 x7: 0x000000016b499b88
x8: 0x0000000000000026 x9: 0x0000000000000000 x10: 0x0000000000000005 x11: 0x000000000000003e
x12: 0x0000000141600000 x13: 0x000000002a2add88 x14: 0x000000002a2add28 x15: 0x00000000000060d0
x16: 0x00000000000060d0 x17: 0x00000000000010a0 x18: 0x0000000000000000 x19: 0x00000001418dc810
x20: 0x000000014162cd00 x21: 0x8000000000000000 x22: 0x0000000000000008 x23: 0x0000000000000001
x24: 0x00000001418dc810 x25: 0x0000000108171318 x26: 0x0000000000000018 x27: 0x0000000000000016
x28: 0x000000000000003d fp: 0x000000016b49a8f0 lr: 0x0000000106a4de88
sp: 0x000000016b49a8b0 pc: 0x0000000106a4decc cpsr: 0x20000000
far: 0x8000000000000000 esr: 0x92000006
Binary Images:
0x104960000 - 0x10841ffff +clang (13.0.0 - 1300.0.29) <57441989-D0D0-38DD-AE1E-AFE9C95C6FFF> /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang
0x10a1f8000 - 0x10a277fff dyld (852.2) <38657979-1ABE-3C9A-BF64-EF3B746216AB> /usr/lib/dyld
0x18075a000 - 0x18075bfff libsystem_blocks.dylib (79) <BA713F79-1620-38B2-8717-79849B8E897E> /usr/lib/system/libsystem_blocks.dylib
0x18075c000 - 0x180793fff libxpc.dylib (2038.120.1) <0E990C5D-C4F7-304A-9714-4409647CC2EF> /usr/lib/system/libxpc.dylib
0x180794000 - 0x1807abfff libsystem_trace.dylib (1277.120.1) <7A6B4800-8D94-3091-AC78-2D6B97A9B496> /usr/lib/system/libsystem_trace.dylib
0x1807ac000 - 0x18081ffff libcorecrypto.dylib (1000.140.4) <FAF9B49D-2583-34EF-850B-047F050ED996> /usr/lib/system/libcorecrypto.dylib
0x180820000 - 0x18084bfff libsystem_malloc.dylib (317.140.5) <A454F3F2-7BC4-3808-A60F-F5F4BC55577F> /usr/lib/system/libsystem_malloc.dylib
0x18084c000 - 0x180890fff libdispatch.dylib (1271.120.2) <4EDD5F72-2296-3891-B2A1-6741DB6C05C9> /usr/lib/system/libdispatch.dylib
0x180891000 - 0x1808cafff libobjc.A.dylib (824) <252C93CC-2D39-3C15-87F6-1336658B2F49> /usr/lib/libobjc.A.dylib
0x1808cb000 - 0x1808cdfff libsystem_featureflags.dylib (28.60.1) <61A79E0B-1836-376D-AC24-171B40A9FAE7> /usr/lib/system/libsystem_featureflags.dylib
0x1808ce000 - 0x18094ffff libsystem_c.dylib (1439.141.1) <9B3C0AD0-1E0B-39D1-BE25-B97F8EA7E623> /usr/lib/system/libsystem_c.dylib
0x180950000 - 0x1809abfff libc++.1.dylib (905.6) <BED05B96-CCAE-365A-B3F5-F8D72F5E77E1> /usr/lib/libc++.1.dylib
0x1809ac000 - 0x1809c3fff libc++abi.dylib (905.6) <3C5176E2-CE48-312B-97F6-23D4E7AFA43F> /usr/lib/libc++abi.dylib
0x1809c4000 - 0x1809f7fff libsystem_kernel.dylib (7195.141.6) <FA7E835C-CB30-3D98-9331-30CE6584423D> /usr/lib/system/libsystem_kernel.dylib
0x1809f8000 - 0x180a04fff libsystem_pthread.dylib (454.120.2) <BDC1C5DA-9499-3580-9588-2928DE2440DD> /usr/lib/system/libsystem_pthread.dylib
0x180a05000 - 0x180a46fff libdyld.dylib (852.2) <BE0B539A-2EDF-3A99-9632-731C5928BBAC> /usr/lib/system/libdyld.dylib
0x180a47000 - 0x180a4dfff libsystem_platform.dylib (254.80.2) <2CC11FAD-1E31-3533-B1D8-9CDDF5DFE595> /usr/lib/system/libsystem_platform.dylib
0x180a4e000 - 0x180a79fff libsystem_info.dylib (542.40.3) <3B5B9F97-ECFB-3F6E-9B85-D8C62A8B3205> /usr/lib/system/libsystem_info.dylib
0x182e0f000 - 0x182e19fff libsystem_darwin.dylib (1439.141.1) <9BF54A49-874D-3D91-B319-6B2F676FE42D> /usr/lib/system/libsystem_darwin.dylib
0x183252000 - 0x18325dfff libsystem_notify.dylib (279.40.4) <FA85C044-99A5-352D-B7AD-45FB31B295FF> /usr/lib/system/libsystem_notify.dylib
0x185231000 - 0x185240fff libsystem_networkextension.dylib (1295.140.3) <0FFACDE5-D546-306D-B9FA-06EC8FCAEEF9> /usr/lib/system/libsystem_networkextension.dylib
0x185296000 - 0x1852adfff libsystem_asl.dylib (385) <7F462B8A-541F-3195-9BAE-CDEDFA3BA8A4> /usr/lib/system/libsystem_asl.dylib
0x186807000 - 0x18680efff libsystem_symptoms.dylib (1431.140.1) <0B4FC817-CC87-31F2-872B-BD505D29F5EE> /usr/lib/system/libsystem_symptoms.dylib
0x188663000 - 0x188674fff libsystem_containermanager.dylib (318.100.4) <FCE2D8EA-A9D8-3A5D-A908-3E9C0AFFB941> /usr/lib/system/libsystem_containermanager.dylib
0x1892e1000 - 0x1892e5fff libsystem_configuration.dylib (1109.140.1) <9BC511C4-6613-3F1D-8592-7D3971B24921> /usr/lib/system/libsystem_configuration.dylib
0x1892e6000 - 0x1892eafff libsystem_sandbox.dylib (1441.141.4) <CABF63A0-DDAF-3A54-8447-1256DFFD2907> /usr/lib/system/libsystem_sandbox.dylib
0x189ca7000 - 0x189ca9fff libquarantine.dylib (119.40.2) <DE9BFFD7-62ED-38ED-BF58-388F192BE6FC> /usr/lib/system/libquarantine.dylib
0x18a20a000 - 0x18a20efff libsystem_coreservices.dylib (127.1) <F107780A-EFAD-3DC8-A62F-825DD954128E> /usr/lib/system/libsystem_coreservices.dylib
0x18a3f4000 - 0x18a405fff libz.1.dylib (76) <4838F5D2-C9BB-366A-9745-209A80BCC426> /usr/lib/libz.1.dylib
0x18a406000 - 0x18a433fff libsystem_m.dylib (3186.100.3) <092A6565-3BE3-3EEF-844E-B846793A4115> /usr/lib/system/libsystem_m.dylib
0x18a435000 - 0x18a43afff libmacho.dylib (980) <F6CBC87D-DC83-3E5F-A7C0-B0115E7D1BC1> /usr/lib/system/libmacho.dylib
0x18a453000 - 0x18a460fff libcommonCrypto.dylib (60178.120.3) <146E6A52-3060-32A1-9119-C3D6F8B5C57B> /usr/lib/system/libcommonCrypto.dylib
0x18a461000 - 0x18a46bfff libunwind.dylib (201) <2A01EF92-F92D-35F7-B638-8CBC6896DCAA> /usr/lib/system/libunwind.dylib
0x18a46c000 - 0x18a473fff liboah.dylib (203.58) <6802DEC1-9ED5-3667-BFE0-3BDDE8BB40E1> /usr/lib/liboah.dylib
0x18a474000 - 0x18a47cfff libcopyfile.dylib (173.40.2) <8477DD43-56AA-3422-BF23-4ADC7B98462F> /usr/lib/system/libcopyfile.dylib
0x18a47d000 - 0x18a480fff libcompiler_rt.dylib (102.2) <50E8F23E-3E63-31BF-BFC3-EE75D281B151> /usr/lib/system/libcompiler_rt.dylib
0x18a481000 - 0x18a483fff libsystem_collections.dylib (1439.141.1) <EA89016C-2C72-3531-84D9-2A696F2DAC85> /usr/lib/system/libsystem_collections.dylib
0x18a484000 - 0x18a486fff libsystem_secinit.dylib (87.60.1) <836B23E3-DF08-31C8-98AD-4A9B12A4B404> /usr/lib/system/libsystem_secinit.dylib
0x18a487000 - 0x18a489fff libremovefile.dylib (49.120.1) <687A6E36-0460-30BC-A675-7F83059AE2D9> /usr/lib/system/libremovefile.dylib
0x18a48a000 - 0x18a48afff libkeymgr.dylib (31) <C5D64EE9-AB76-3D4C-BC4F-2BE8415DC21A> /usr/lib/system/libkeymgr.dylib
0x18a48b000 - 0x18a493fff libsystem_dnssd.dylib (1310.140.1) <DEE0783F-DDC9-35A6-9F6E-6B8FE94FBF0A> /usr/lib/system/libsystem_dnssd.dylib
0x18a494000 - 0x18a499fff libcache.dylib (83) <2EA812B3-0565-35FA-BF54-DF98EF3DB5DE> /usr/lib/system/libcache.dylib
0x18a49a000 - 0x18a49bfff libSystem.B.dylib (1292.120.1) <1E75FCDF-2357-30FE-AAAD-5290BA722464> /usr/lib/libSystem.B.dylib
0x18d8b9000 - 0x18d8b9fff liblaunch.dylib (2038.120.1) <AA4E8477-1B82-357E-8275-FFED1F957AF9> /usr/lib/system/liblaunch.dylib
0x18fd6d000 - 0x18fd6dfff libsystem_product_info_filter.dylib (8.40.1) <14136F56-3690-3346-90A0-31FC34DF3E1B> /usr/lib/system/libsystem_product_info_filter.dylib
0x1a048d000 - 0x1a04bdfff libncurses.5.4.dylib (57) <0300C82B-7239-32FD-8A28-45A25D89EAAC> /usr/lib/libncurses.5.4.dylib
External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 5
thread_create: 0
thread_set_state: 14
VM Region Summary:
ReadOnly portion of Libraries: Total=577.7M resident=0K(0%) swapped_out_or_unallocated=577.7M(100%)
Writable regions: Total=282.7M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=282.7M(100%)
VIRTUAL REGION
REGION TYPE SIZE COUNT (non-coalesced)
=========== ======= =======
Kernel Alloc Once 32K 1
MALLOC 34.1M 12
MALLOC guard page 96K 5
MALLOC_MEDIUM (reserved) 240.0M 2 reserved VM address space (unallocated)
STACK GUARD 56.0M 1
Stack 8192K 2
VM_ALLOCATE 1.0G 1
__AUTH 45K 12
__AUTH_CONST 76K 40
__DATA 789K 40
__DATA_CONST 4446K 40
__DATA_DIRTY 73K 21
__LINKEDIT 514.2M 4
__OBJC_CONST 10K 5
__OBJC_RO 75.1M 1
__OBJC_RW 2576K 1
__TEXT 63.6M 46
shared memory 16K 1
=========== ======= =======
TOTAL 2.0G 235
TOTAL, minus reserved VM space 1.7G 235
X86_64 Crash Report for EXC_I386_GPFLT
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: EXC_I386_GPFLT
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [38987]
Application Specific Information:
dyld2 mode
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 clang 0x000000011078fa3f clang::TokenLexer::Lex(clang::Token&) + 223
1 clang 0x000000011078c3f3 clang::Preprocessor::Lex(clang::Token&) + 83
2 clang 0x000000010fe1beff clang::Parser::ConsumeAnyToken(bool) + 95
3 clang 0x000000010fe1d4eb clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) + 795
4 clang 0x0000000111596362 clang::BalancedDelimiterTracker::diagnoseMissingClose() + 738
5 clang 0x000000010fe234f6 clang::BalancedDelimiterTracker::consumeClose() + 566
6 clang 0x000000010fdc96c4 clang::Parser::ParsePostfixExpressionSuffix(clang::ActionResult<clang::Expr*, true>) + 2628
7 clang 0x000000010fdcb186 clang::Parser::ParseCastExpression(clang::Parser::CastParseKind, bool, bool&, clang::Parser::TypeCastState, bool, bool*) + 198
8 clang 0x000000010fdc8bc9 clang::Parser::ParseCastExpression(clang::Parser::CastParseKind, bool, clang::Parser::TypeCastState, bool, bool*) + 41
9 clang 0x000000010fdc74dd clang::Parser::ParseRHSOfBinaryExpression(clang::ActionResult<clang::Expr*, true>, clang::prec::Level) + 3261
10 clang 0x000000010fde3837 clang::Parser::ParseBraceInitializer() + 391
11 clang 0x000000010fda4a22 clang::Parser::ParseDeclarationAfterDeclaratorAndAttributes(clang::Declarator&, clang::Parser::ParsedTemplateInfo const&, clang::Parser::ForRangeInit*) + 5602
12 clang 0x000000010fda1f6a clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, clang::DeclaratorContext, clang::SourceLocation*, clang::Parser::ForRangeInit*) + 1482
13 clang 0x000000010fe20c9b clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) + 283
14 clang 0x000000010fe20854 clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*, clang::AccessSpecifier) + 244
15 clang 0x000000010fe1fb87 clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) + 3015
16 clang 0x000000010fe1ecee clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&, bool) + 1070
17 clang 0x000000010fd8caaf clang::ParseAST(clang::Sema&, bool, bool) + 351
18 clang 0x000000010f4494bd clang::FrontendAction::Execute() + 45
19 clang 0x000000010f3ef043 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 899
20 clang 0x000000010f496222 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 1442
21 clang 0x000000010e2d3ba5 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) + 1653
22 clang 0x000000010e2d2a3e ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) + 670
23 clang 0x000000010e2d278d driver_main(int, char const**) + 4397
24 clang 0x000000010e2d163e main + 126
25 libdyld.dylib 0x00007fff20473f3d start + 1
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x000000002e517362 rbx: 0x6874656e696c6b61 rcx: 0x00007fa8b4704630 rdx: 0x0000000000000000
rdi: 0x0000000000007205 rsi: 0x00007fa8b5018001 rbp: 0x00007ffee192bff0 rsp: 0x00007ffee192bfc0
r8: 0x0000000000001eb4 r9: 0x00007fa8b441db80 r10: 0x00007fa8b4400000 r11: 0x0000000000000000
r12: 0x00000000b5018001 r13: 0x000000000000000d r14: 0x00007fa8b5018010 r15: 0x00007fa8b47049d0
rip: 0x000000011078fa3f rfl: 0x0000000000010202 cr2: 0x0000000110cc8450
Logical CPU: 0
Error Code: 0x00000000
Trap Number: 13
Root Cause Analysis of Crash #7
If you have read this far, you probably know the Issue: Unsafe Handling of User Controllable Input [UCI] that results in memory corruption on both slices arm64e and X86_64.
arm64e
The Developers may also be calling a virtual method using a declaration that differs from its definition that will trigger a pointer authentication failure in arm64e.
CPU interprets PAC Failures as memory corruption
The CPU interprets PAC Failures as memory corruption and sets a high-order bit in the Pointer, making the Pointer invalid and causing the Application to Crash as detailed here. My gut says there is a Compiler Bug and/or c++ memory Bug too.
X86_64 General Protection Fault
The General Protection Fault on X86_64 Platforms is expressed in a Crash Report as Exception Code: EXC_I386_GPFLT. Generally this is a memory corruption for code or data.
AST Representation
Drilling down for those interested in the AST Representation for this Clang Crash, let me break this into the PoC command line generating the output, then the Clang compiler Errors then ending with the ast-dump for M1 arm64e & X86_64 slices.
PoC Command Line for Crash #7
%
echo 'lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*' | clang -Xclang -ast-dump -fsyntax-only -x c++ -c -Clang Compiler Errors – M1 arm64e slice
<stdin>:1:1: error: unknown type name 'lshort'; did you mean 'short'?
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^~~~~~
short
<stdin>:1:29: error: invalid suffix 'LbreaklinethisQ' on integer constant
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:85: error: expected ';' after struct
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
;
<stdin>:1:69: error: '(anonymous struct at <stdin>:1:69)' cannot be defined in a parameter type
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:85: error: expected ')'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:68: note: to match this '('
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:85: error: expected ')'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:61: note: to match this '('
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:45: error: use of undeclared identifier 'namespaceifndef'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:101: error: use of undeclared identifier 'nullptrchar32_t'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:85: error: expected ']'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:60: note: to match this '['
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:116: error: expected '}'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:27: note: to match this '{'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:101: error: expected ';' after top level declarator
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
AST Dump – M1 arm64e slice
TranslationUnitDecl 0x14203ea08 <<invalid sloc>> <invalid sloc>
|-TypedefDecl 0x14203f920 <<invalid sloc>> <invalid sloc> implicit __int128_t '__int128'
| `-BuiltinType 0x14203efa0 '__int128'
|-TypedefDecl 0x14203f990 <<invalid sloc>> <invalid sloc> implicit __uint128_t 'unsigned __int128'
| `-BuiltinType 0x14203efc0 'unsigned __int128'
|-TypedefDecl 0x142808520 <<invalid sloc>> <invalid sloc> implicit __NSConstantString '__NSConstantString_tag'
| `-RecordType 0x142808290 '__NSConstantString_tag'
| `-CXXRecord 0x142808200 '__NSConstantString_tag'
|-TypedefDecl 0x142808588 <<invalid sloc>> <invalid sloc> implicit __SVInt8_t '__SVInt8_t'
| `-BuiltinType 0x14203f260 '__SVInt8_t'
|-TypedefDecl 0x1428085f0 <<invalid sloc>> <invalid sloc> implicit __SVInt16_t '__SVInt16_t'
| `-BuiltinType 0x14203f280 '__SVInt16_t'
|-TypedefDecl 0x142808658 <<invalid sloc>> <invalid sloc> implicit __SVInt32_t '__SVInt32_t'
| `-BuiltinType 0x14203f2a0 '__SVInt32_t'
|-TypedefDecl 0x1428086c0 <<invalid sloc>> <invalid sloc> implicit __SVInt64_t '__SVInt64_t'
| `-BuiltinType 0x14203f2c0 '__SVInt64_t'
|-TypedefDecl 0x142808728 <<invalid sloc>> <invalid sloc> implicit __SVUint8_t '__SVUint8_t'
| `-BuiltinType 0x14203f2e0 '__SVUint8_t'
|-TypedefDecl 0x142808790 <<invalid sloc>> <invalid sloc> implicit __SVUint16_t '__SVUint16_t'
| `-BuiltinType 0x14203f300 '__SVUint16_t'
|-TypedefDecl 0x1428087f8 <<invalid sloc>> <invalid sloc> implicit __SVUint32_t '__SVUint32_t'
| `-BuiltinType 0x14203f320 '__SVUint32_t'
|-TypedefDecl 0x142808860 <<invalid sloc>> <invalid sloc> implicit __SVUint64_t '__SVUint64_t'
| `-BuiltinType 0x14203f340 '__SVUint64_t'
|-TypedefDecl 0x1428088c8 <<invalid sloc>> <invalid sloc> implicit __SVFloat16_t '__SVFloat16_t'
| `-BuiltinType 0x14203f360 '__SVFloat16_t'
|-TypedefDecl 0x142808930 <<invalid sloc>> <invalid sloc> implicit __SVFloat32_t '__SVFloat32_t'
| `-BuiltinType 0x14203f380 '__SVFloat32_t'
|-TypedefDecl 0x142808998 <<invalid sloc>> <invalid sloc> implicit __SVFloat64_t '__SVFloat64_t'
| `-BuiltinType 0x14203f3a0 '__SVFloat64_t'
|-TypedefDecl 0x142808a00 <<invalid sloc>> <invalid sloc> implicit __SVBFloat16_t '__SVBFloat16_t'
| `-BuiltinType 0x14203f3c0 '__SVBFloat16_t'
|-TypedefDecl 0x142808a68 <<invalid sloc>> <invalid sloc> implicit __clang_svint8x2_t '__clang_svint8x2_t'
| `-BuiltinType 0x14203f3e0 '__clang_svint8x2_t'
|-TypedefDecl 0x142808ad0 <<invalid sloc>> <invalid sloc> implicit __clang_svint16x2_t '__clang_svint16x2_t'
| `-BuiltinType 0x14203f400 '__clang_svint16x2_t'
|-TypedefDecl 0x142808b38 <<invalid sloc>> <invalid sloc> implicit __clang_svint32x2_t '__clang_svint32x2_t'
| `-BuiltinType 0x14203f420 '__clang_svint32x2_t'
|-TypedefDecl 0x142808ba0 <<invalid sloc>> <invalid sloc> implicit __clang_svint64x2_t '__clang_svint64x2_t'
| `-BuiltinType 0x14203f440 '__clang_svint64x2_t'
|-TypedefDecl 0x142808c08 <<invalid sloc>> <invalid sloc> implicit __clang_svuint8x2_t '__clang_svuint8x2_t'
| `-BuiltinType 0x14203f460 '__clang_svuint8x2_t'
|-TypedefDecl 0x142808c70 <<invalid sloc>> <invalid sloc> implicit __clang_svuint16x2_t '__clang_svuint16x2_t'
| `-BuiltinType 0x14203f480 '__clang_svuint16x2_t'
|-TypedefDecl 0x142808cd8 <<invalid sloc>> <invalid sloc> implicit __clang_svuint32x2_t '__clang_svuint32x2_t'
| `-BuiltinType 0x14203f4a0 '__clang_svuint32x2_t'
|-TypedefDecl 0x142808d40 <<invalid sloc>> <invalid sloc> implicit __clang_svuint64x2_t '__clang_svuint64x2_t'
| `-BuiltinType 0x14203f4c0 '__clang_svuint64x2_t'
|-TypedefDecl 0x142808da8 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat16x2_t '__clang_svfloat16x2_t'
| `-BuiltinType 0x14203f4e0 '__clang_svfloat16x2_t'
|-TypedefDecl 0x142808e10 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat32x2_t '__clang_svfloat32x2_t'
| `-BuiltinType 0x14203f500 '__clang_svfloat32x2_t'
|-TypedefDecl 0x142808e78 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat64x2_t '__clang_svfloat64x2_t'
| `-BuiltinType 0x14203f520 '__clang_svfloat64x2_t'
|-TypedefDecl 0x142808ee0 <<invalid sloc>> <invalid sloc> implicit __clang_svbfloat16x2_t '__clang_svbfloat16x2_t'
| `-BuiltinType 0x14203f540 '__clang_svbfloat16x2_t'
|-TypedefDecl 0x142808f48 <<invalid sloc>> <invalid sloc> implicit __clang_svint8x3_t '__clang_svint8x3_t'
| `-BuiltinType 0x14203f560 '__clang_svint8x3_t'
|-TypedefDecl 0x142808fb0 <<invalid sloc>> <invalid sloc> implicit __clang_svint16x3_t '__clang_svint16x3_t'
| `-BuiltinType 0x14203f580 '__clang_svint16x3_t'
|-TypedefDecl 0x142809018 <<invalid sloc>> <invalid sloc> implicit __clang_svint32x3_t '__clang_svint32x3_t'
| `-BuiltinType 0x14203f5a0 '__clang_svint32x3_t'
|-TypedefDecl 0x142809080 <<invalid sloc>> <invalid sloc> implicit __clang_svint64x3_t '__clang_svint64x3_t'
| `-BuiltinType 0x14203f5c0 '__clang_svint64x3_t'
|-TypedefDecl 0x1428090e8 <<invalid sloc>> <invalid sloc> implicit __clang_svuint8x3_t '__clang_svuint8x3_t'
| `-BuiltinType 0x14203f5e0 '__clang_svuint8x3_t'
|-TypedefDecl 0x142809150 <<invalid sloc>> <invalid sloc> implicit __clang_svuint16x3_t '__clang_svuint16x3_t'
| `-BuiltinType 0x14203f600 '__clang_svuint16x3_t'
|-TypedefDecl 0x142809a00 <<invalid sloc>> <invalid sloc> implicit __clang_svuint32x3_t '__clang_svuint32x3_t'
| `-BuiltinType 0x14203f620 '__clang_svuint32x3_t'
|-TypedefDecl 0x142809a68 <<invalid sloc>> <invalid sloc> implicit __clang_svuint64x3_t '__clang_svuint64x3_t'
| `-BuiltinType 0x14203f640 '__clang_svuint64x3_t'
|-TypedefDecl 0x142809ad0 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat16x3_t '__clang_svfloat16x3_t'
| `-BuiltinType 0x14203f660 '__clang_svfloat16x3_t'
|-TypedefDecl 0x142809b38 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat32x3_t '__clang_svfloat32x3_t'
| `-BuiltinType 0x14203f680 '__clang_svfloat32x3_t'
|-TypedefDecl 0x142809ba0 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat64x3_t '__clang_svfloat64x3_t'
| `-BuiltinType 0x14203f6a0 '__clang_svfloat64x3_t'
|-TypedefDecl 0x142809c08 <<invalid sloc>> <invalid sloc> implicit __clang_svbfloat16x3_t '__clang_svbfloat16x3_t'
| `-BuiltinType 0x14203f6c0 '__clang_svbfloat16x3_t'
|-TypedefDecl 0x142809c70 <<invalid sloc>> <invalid sloc> implicit __clang_svint8x4_t '__clang_svint8x4_t'
| `-BuiltinType 0x14203f6e0 '__clang_svint8x4_t'
|-TypedefDecl 0x142809cd8 <<invalid sloc>> <invalid sloc> implicit __clang_svint16x4_t '__clang_svint16x4_t'
| `-BuiltinType 0x14203f700 '__clang_svint16x4_t'
|-TypedefDecl 0x142809d40 <<invalid sloc>> <invalid sloc> implicit __clang_svint32x4_t '__clang_svint32x4_t'
| `-BuiltinType 0x14203f720 '__clang_svint32x4_t'
|-TypedefDecl 0x142809da8 <<invalid sloc>> <invalid sloc> implicit __clang_svint64x4_t '__clang_svint64x4_t'
| `-BuiltinType 0x14203f740 '__clang_svint64x4_t'
|-TypedefDecl 0x142809e10 <<invalid sloc>> <invalid sloc> implicit __clang_svuint8x4_t '__clang_svuint8x4_t'
| `-BuiltinType 0x14203f760 '__clang_svuint8x4_t'
|-TypedefDecl 0x142809e78 <<invalid sloc>> <invalid sloc> implicit __clang_svuint16x4_t '__clang_svuint16x4_t'
| `-BuiltinType 0x14203f780 '__clang_svuint16x4_t'
|-TypedefDecl 0x142809ee0 <<invalid sloc>> <invalid sloc> implicit __clang_svuint32x4_t '__clang_svuint32x4_t'
| `-BuiltinType 0x14203f7a0 '__clang_svuint32x4_t'
|-TypedefDecl 0x142809f48 <<invalid sloc>> <invalid sloc> implicit __clang_svuint64x4_t '__clang_svuint64x4_t'
| `-BuiltinType 0x14203f7c0 '__clang_svuint64x4_t'
|-TypedefDecl 0x142809fb0 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat16x4_t '__clang_svfloat16x4_t'
| `-BuiltinType 0x14203f7e0 '__clang_svfloat16x4_t'
|-TypedefDecl 0x14280a018 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat32x4_t '__clang_svfloat32x4_t'
| `-BuiltinType 0x14203f800 '__clang_svfloat32x4_t'
|-TypedefDecl 0x14280a080 <<invalid sloc>> <invalid sloc> implicit __clang_svfloat64x4_t '__clang_svfloat64x4_t'
| `-BuiltinType 0x14203f820 '__clang_svfloat64x4_t'
|-TypedefDecl 0x14280a0e8 <<invalid sloc>> <invalid sloc> implicit __clang_svbfloat16x4_t '__clang_svbfloat16x4_t'
| `-BuiltinType 0x14203f840 '__clang_svbfloat16x4_t'
|-TypedefDecl 0x14280a150 <<invalid sloc>> <invalid sloc> implicit __SVBool_t '__SVBool_t'
| `-BuiltinType 0x14203f860 '__SVBool_t'
|-TypedefDecl 0x14280a1f8 <<invalid sloc>> <invalid sloc> implicit __builtin_ms_va_list 'char *'
| `-PointerType 0x14280a1b0 'char *'
| `-BuiltinType 0x14203eaa0 'char'
|-TypedefDecl 0x14280a268 <<invalid sloc>> <invalid sloc> implicit __builtin_va_list 'char *'
| `-PointerType 0x14280a1b0 'char *'
| `-BuiltinType 0x14203eaa0 'char'
|-TypedefDecl 0x14280a308 <<stdin>:1:1, col:16> col:16 s4 'short'
| `-BuiltinType 0x14203eae0 'short'
|-VarDecl 0x14280a370 <col:19, col:24> col:24 Kt 'bool'
`-CXXRecordDecl 0x14280a450 <col:69, col:84> col:69 struct definition
|-DefinitionData pass_in_registers empty aggregate standard_layout trivially_copyable pod trivial literal has_constexpr_non_copy_move_ctor can_const_default_init
| |-DefaultConstructor exists trivial constexpr needs_implicit defaulted_is_constexpr
| |-CopyConstructor simple trivial has_const_param needs_implicit implicit_has_const_param
| |-MoveConstructor exists simple trivial needs_implicit
| |-CopyAssignment simple trivial has_const_param needs_implicit implicit_has_const_param
| |-MoveAssignment exists simple trivial needs_implicit
| `-Destructor simple irrelevant trivial needs_implicit
`-AccessSpecDecl 0x14280a568 <col:76, col:83> col:76 privateClang Compiler Error – X86_64 slice
<stdin>:1:1: error: unknown type name 'lshort'; did you mean 'short'?
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^~~~~~
short
<stdin>:1:29: error: invalid suffix 'LbreaklinethisQ' on integer constant
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:85: error: expected ';' after struct
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
;
<stdin>:1:69: error: '(anonymous struct at <stdin>:1:69)' cannot be defined in a parameter type
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:85: error: expected ')'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:68: note: to match this '('
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:85: error: expected ')'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:61: note: to match this '('
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:45: error: use of undeclared identifier 'namespaceifndef'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:101: error: use of undeclared identifier 'nullptrchar32_t'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:85: error: expected ']'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:60: note: to match this '['
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:116: error: expected '}'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:27: note: to match this '{'
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
<stdin>:1:101: error: expected ';' after top level declarator
lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public -=--<*
^
AST Dump X86_64 slice
TranslationUnitDecl 0x7f8c3a81b608 <<invalid sloc>> <invalid sloc>
|-TypedefDecl 0x7f8c3a81bf00 <<invalid sloc>> <invalid sloc> implicit __int128_t '__int128'
| `-BuiltinType 0x7f8c3a81bba0 '__int128'
|-TypedefDecl 0x7f8c3a81bf70 <<invalid sloc>> <invalid sloc> implicit __uint128_t 'unsigned __int128'
| `-BuiltinType 0x7f8c3a81bbc0 'unsigned __int128'
|-TypedefDecl 0x7f8c3a81c2f0 <<invalid sloc>> <invalid sloc> implicit __NSConstantString '__NSConstantString_tag'
| `-RecordType 0x7f8c3a81c060 '__NSConstantString_tag'
| `-CXXRecord 0x7f8c3a81bfc8 '__NSConstantString_tag'
|-TypedefDecl 0x7f8c3a81c398 <<invalid sloc>> <invalid sloc> implicit __builtin_ms_va_list 'char *'
| `-PointerType 0x7f8c3a81c350 'char *'
| `-BuiltinType 0x7f8c3a81b6a0 'char'
|-TypedefDecl 0x7f8c3a8538f8 <<invalid sloc>> <invalid sloc> implicit __builtin_va_list '__va_list_tag [1]'
| `-ConstantArrayType 0x7f8c3a8538a0 '__va_list_tag [1]' 1
| `-RecordType 0x7f8c3a81c480 '__va_list_tag'
| `-CXXRecord 0x7f8c3a81c3f0 '__va_list_tag'
|-TypedefDecl 0x7f8c3a8539b0 <<stdin>:1:1, col:16> col:16 s4 'short'
| `-BuiltinType 0x7f8c3a81b6e0 'short'
|-VarDecl 0x7f8c3a853a18 <col:19, col:24> col:24 Kt 'bool'
`-CXXRecordDecl 0x7f8c3a853af8 <col:69, col:84> col:69 struct definition
|-DefinitionData pass_in_registers empty aggregate standard_layout trivially_copyable pod trivial literal has_constexpr_non_copy_move_ctor can_const_default_init
| |-DefaultConstructor exists trivial constexpr needs_implicit defaulted_is_constexpr
| |-CopyConstructor simple trivial has_const_param needs_implicit implicit_has_const_param
| |-MoveConstructor exists simple trivial needs_implicit
| |-CopyAssignment simple trivial has_const_param needs_implicit implicit_has_const_param
| |-MoveAssignment exists simple trivial needs_implicit
| `-Destructor simple irrelevant trivial needs_implicit
`-AccessSpecDecl 0x7f8c3a853c18 <col:76, col:83> col:76 privateCrash #7 AST Dump Observation
I observe that the AST Dump is not the same for arm64e vs. X86_64 when looking at AST Representations. This further supports the belief that the arm64e ABI is immature, unstable and under development [Q3/2021].
Crash #8 CVE-2013-1034
History of UCI Handling
Below is a brief review of CVE-2013-1034 that was within the Coverage Envelope of Burpsuite Pro [but not other tools] for Stored & Reflected XSS, XML & SQL Injection and other Unsafe Handling of USer Controllable Input, the dreaded UCI.
CVE-2013-1034 PoC
PROPFIND HTTP Method
PROPFIND /calendars/__uids__/{...}/ HTTP/1.1
Host: server.local
...[SNIP]...
Inject Signature: w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>" xmlns:I="http://apple.com/ns/ical/" xmlns:CS="http://calendarserver.org/ns/"><D:prop><D:displayname/><D:resourcetype/><D:current-user-privilege-set/><I:calendar-color/>
...[SNIP]...HTTP Response
...[SNIP]...
<schedule-default-calendar-URL xmlns='urn:ietf:params:xml:ns:caldav<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>'/>
...[SNIP]...Crash colladb
Process: collabd [45073]
Path: /Applications/Server.app/Contents/ServerRoot/usr/sbin/collabd
Identifier: collabd
Version: 238.17
Code Type: X86-64 (Native)
Date/Time: 2013-04-17
OS Version: Mac OS X 10.8.3 (12D78)
Report Version: 10
Crashed Thread: 4 ServiceRequest:[(null) (null)] Dispatch queue: com.apple.root.background-priority
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00000001103e1fc8
VM Regions Near 0x1103e1fc8:
Stack 000000011035f000-00000001103e1000 [ 520K] rw-/rwx SM=COW thread 8
--> STACK GUARD 00000001103e1000-00000001103e2000 [ 4K] ---/rwx SM=NUL stack guard for thread 4
Stack 00000001103e2000-0000000110464000 [ 520K] rw-/rwx SM=COW thread 4
Thread 0:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff86a84686 mach_msg_trap + 10
1 libsystem_kernel.dylib 0x00007fff86a83c42 mach_msg + 70
2 com.apple.CoreFoundation 0x00007fff8891d233 __CFRunLoopServiceMachPort + 195
3 com.apple.CoreFoundation 0x00007fff88922916 __CFRunLoopRun + 1078
4 com.apple.CoreFoundation 0x00007fff889220e2 CFRunLoopRunSpecific + 290
5 com.apple.CoreFoundation 0x00007fff88930dd1 CFRunLoopRun + 97
6 collabd 0x000000010e8a4e39 main + 1316
7 libdyld.dylib 0x00007fff813317e1 start + 1
Thread 1:: Dispatch queue: com.apple.libdispatch-manager
0 libsystem_kernel.dylib 0x00007fff86a86d16 kevent + 10
1 libdispatch.dylib 0x00007fff85e01dea _dispatch_mgr_invoke + 883
2 libdispatch.dylib 0x00007fff85e019ee _dispatch_mgr_thread + 54
Thread 2:: com.apple.NSURLConnectionLoader
0 libsystem_kernel.dylib 0x00007fff86a84686 mach_msg_trap + 10
1 libsystem_kernel.dylib 0x00007fff86a83c42 mach_msg + 70
2 com.apple.CoreFoundation 0x00007fff8891d233 __CFRunLoopServiceMachPort + 195
3 com.apple.CoreFoundation 0x00007fff88922916 __CFRunLoopRun + 1078
4 com.apple.CoreFoundation 0x00007fff889220e2 CFRunLoopRunSpecific + 290
5 com.apple.Foundation 0x00007fff88ceab66 +[NSURLConnection(Loader) _resourceLoadLoop:] + 356
6 com.apple.Foundation 0x00007fff88d48cd2 __NSThread__main__ + 1345
7 libsystem_c.dylib 0x00007fff8610a7a2 _pthread_start + 327
8 libsystem_c.dylib 0x00007fff860f71e1 thread_start + 13
Thread 3:: com.apple.CFSocket.private
0 libsystem_kernel.dylib 0x00007fff86a86322 __select + 10
1 com.apple.CoreFoundation 0x00007fff88961f46 __CFSocketManager + 1302
2 libsystem_c.dylib 0x00007fff8610a7a2 _pthread_start + 327
3 libsystem_c.dylib 0x00007fff860f71e1 thread_start + 13
Thread 4 Crashed:: ServiceRequest:[(null) (null)] Dispatch queue: com.apple.root.background-priority
0 com.apple.CSService 0x000000010e93c137 -[CSJSONEncoder sanitizeObject:] + 20
1 com.apple.CSService 0x000000010e93c464 -[CSJSONEncoder sanitizeObject:] + 833
2 com.apple.CSService 0x000000010e93c464 -[CSJSONEncoder sanitizeObject:] + 833
3 com.apple.CSService 0x000000010e93c464 -[CSJSONEncoder sanitizeObject:] + 833
Root Cause Analysis of Crash #8
If you have read this far, you probably know the Issue: Unsafe Handling of User Controllable Input [UCI]. The Exploits were SQL Injection, Stored & Reflected XSS and other Vulnerabilities.
Other UCI PoC’s demonstrated that I could easily Exploit the collabd Application because I could control the memory layout, There were few barriers to macOS memory exploitation in CVE-2013-1034.
With the CVE-2013-1034 Target being User Agents, all Content was Served inside the Same Origin Policy [SOP] from that Server and the PostgreSQL Database was fully under Control.
UCI Summary
User Controllable Input [UCI] causes changes in State Machines that can be measured. Crash Reports give clues to a change in a State Machine but not Exploit Value. See Article titled XNU Crash Analysis for additional information. An Exploit is a series of UCI causing changes in a State Machine that results with the Attacker obtaining Program Control of the State Machine.
Change Control
These Product Defects were found with Unit Tests developed using Commodity Injection Signatures found here. Apple can and should do Quality & Security Assurance using Change Control Management Systems & Methods.
UX
These Quality Assurance Tests indicate flawed Apple Development Tools that negatively impacted the SRD User Experience. Developer Applications that Crash result in a poor User Experience for Consumers.
External Links
It is helpful to reference the man page for sigaction and links to signal.h and unix_signal.c. There is ux_exception.h and ux_exception.c for further consumption. GNU has a good overview of Signals too.
Author Note
This Article is a work in progress, and if you have a point of view, please share it. Corrections, Comments & Concerns welcome, DM @h02332.
Related Content
arm64e Best Practice Build checkin Chilling Effect Code Signing Crash CVE-2022-26730 Data Abort debugserver downgrade dylib Exploit First Boot Flash Flash Restoration help information collection IPSW Make man Non-Commercial Use output PAC Fail Permission PoC Policy Quickstart Revival rtfm sample SDK SRD SRDI srdutil Transparency upgrade X86_64