Tommy Muir Muirey03
Muirey03
/ CVE-2025-43520.txt
Created
March 20, 2026 10:45
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CVE-2025-43520 - DarkSword | |
| 1. cluster_read_ext and cluster_write_ext call cluster_io_type to determine what IO operation to perform | |
| 2. cluster_io_type calls vm_map_get_upl with UPL_QUERY_OBJECT_TYPE to query type of the vm_object that backs the user-supplied virtual address range | |
| 3. If this object is physically contiguous it returns IO_CONTIG, otherwise it returns IO_DIRECT or IO_COPY | |
| 4. If cluster_io_type returns IO_CONTIG, cluster_[read|write]_ext will call the "contig" variant, cluster_[read|write]_contig | |
| 5. cluster_[read|write]_contig then calls vm_map_get_upl a second time to get the UPL from the uio | |
| 6. It then grabs the first physical page from the UPL using upl_phys_page and performs a physical copy | |
| 7. This is a TOCTOU. An attacker can remap the virtual address range so that the region is no longer physically contiguous after the first call to vm_map_get_upl, causing an OOBR/OOBW to physmem |
Muirey03
/ classForConnection.c
Created
July 6, 2020 15:17
Get the class name of IOKit userclient connections using mach_port_kobject_description
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kern_return_t classForConnection(io_connect_t client, io_name_t cls) | |
| { | |
| kern_return_t (*mach_port_kobject_description)(mach_port_t, mach_port_t, uint32_t*, mach_vm_address_t*, char*); | |
| void* handle = dlopen("/usr/lib/system/libsystem_kernel.dylib", RTLD_NOLOAD); | |
| mach_port_kobject_description = (__typeof mach_port_kobject_description)dlsym(handle, "mach_port_kobject_description"); | |
| if (!mach_port_kobject_description) | |
| return KERN_NOT_SUPPORTED; | |
| char desc[512] = {0}; | |
| uint32_t type = 0; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| IOAcceleratorFamily null-deref: | |
| This bug was made aware to me by this panic log: | |
| https://www.reddit.com/r/jailbreakdevelopers/comments/dfs5cn/ios_system_panic_kernel_data_abort_very_strange/ | |
| IOAccelShared2::create_shmem() is an external method that a userspace client can call to request a shared memory mapping that | |
| will be used by other external methods. This method verifies that the size of the requested shared memory is no greater | |
| than 0x10000000 bytes, then registers this mapping with a unique "id" and returns the value of IOAccelDeviceShmem::getClientData() | |
| along with the associated id back to userspace. However, this check is not always small enough to ensure that the memory can be |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| UIImage* UIKitImage(NSString* imgName) | |
| { | |
| NSString* artworkPath = @"/System/Library/PrivateFrameworks/UIKitCore.framework/Artwork.bundle"; | |
| NSBundle* artworkBundle = [NSBundle bundleWithPath:artworkPath]; | |
| if (!artworkBundle) | |
| { | |
| artworkPath = @"/System/Library/Frameworks/UIKit.framework/Artwork.bundle"; | |
| artworkBundle = [NSBundle bundleWithPath:artworkPath]; | |
| } | |
| UIImage* img = [UIImage imageNamed:imgName inBundle:artworkBundle]; |