Kernel buffer overflow exposes iPhone 11 Pro to radio based attacks

Timon Gehr timon.gehr at gmx.ch
Fri Dec 4 09:24:43 UTC 2020


On 04.12.20 08:03, Walter Bright wrote:
> On 12/3/2020 8:13 PM, Adam D. Ruppe wrote:
>> On Friday, 4 December 2020 at 04:08:31 UTC, Walter Bright wrote:
>>> One of them, the simplest, is just execute a halt instruction.
>>
>> which wouldn't help kernel code at all fyi
> 
> Infinitely better than a buffer overflow.

In ring 0, where the kernel runs, `HLT` does not prevent the buffer 
overflow; it is just delayed until the next external interrupt.

Essentially, it would behave in a way similar to this:

if(i >= a.length){   // index a.length is already out of bounds
     Thread.sleep(); // stands in for HLT: pauses, then execution resumes here
}
a.ptr[i]=x;          // the out-of-bounds write still happens

The only reason why `HLT` terminates execution of userspace code is that 
such code does not have sufficient permissions to execute the 
instruction; in the kernel, it would not do much.
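As an added illustration of the point above (example code written for this
page, not part of Timon's message or of any kernel), the C model below puts a
logical 4-byte buffer in front of a constructed "canary" region that stands in
for whatever follows the buffer in memory. One store routine mirrors the
halt-then-continue pattern (the halt is simulated by a counter, since a real
HLT just resumes at the next instruction after an interrupt), the other refuses
the write and reports an error. All names, sizes and the canary value are
assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: an 8-byte backing region where only the first BUF_LEN
 * bytes are the logical buffer; the remaining bytes play the role of the
 * memory that happens to follow the buffer (a canary we can inspect). */
#define BACKING_LEN 8
#define BUF_LEN 4
#define CANARY_BYTE 0xAA

struct region {
    uint8_t mem[BACKING_LEN];
};

static void region_init(struct region *r) {
    memset(r->mem, 0, BUF_LEN);
    memset(r->mem + BUF_LEN, CANARY_BYTE, BACKING_LEN - BUF_LEN);
}

/* Returns 1 if the bytes after the logical buffer are untouched. */
static int canary_intact(const struct region *r) {
    for (size_t k = BUF_LEN; k < BACKING_LEN; k++)
        if (r->mem[k] != CANARY_BYTE) return 0;
    return 1;
}

/* Stand-in for HLT in ring 0: the CPU pauses, then resumes at the next
 * instruction when an interrupt arrives. Control flow is unchanged, so the
 * only observable effect here is the counter. */
static int halt_count = 0;
static void simulated_hlt(void) { halt_count++; }

/* Halt-then-continue: the check only pauses, then the write proceeds. */
static int store_halt_then_write(struct region *r, size_t i, uint8_t x) {
    if (i >= BUF_LEN) simulated_hlt();   /* the "Thread.sleep()" step */
    if (i >= BACKING_LEN) return -1;     /* keeps the model itself in bounds */
    r->mem[i] = x;                       /* "a.ptr[i] = x" still executes */
    return 0;
}

/* A check that actually protects: refuse the write and report it (in real
 * kernel code this would be an error return, BUG_ON or panic). */
static int store_checked(struct region *r, size_t i, uint8_t x) {
    if (i >= BUF_LEN) return -1;
    r->mem[i] = x;
    return 0;
}

/* Drive each variant with an out-of-bounds index and report the outcome. */
int halt_variant_corrupts(void) {
    struct region r;
    region_init(&r);
    store_halt_then_write(&r, BUF_LEN + 1, 0x41);
    return !canary_intact(&r);           /* 1: bytes past the buffer changed */
}

int checked_variant_protects(void) {
    struct region r;
    region_init(&r);
    int rc = store_checked(&r, BUF_LEN + 1, 0x41);
    return rc == -1 && canary_intact(&r); /* 1: write refused, memory intact */
}

int main(void) {
    printf("halt-then-continue corrupts memory: %d (halts: %d)\n",
           halt_variant_corrupts(), halt_count);
    printf("checked store protects memory:      %d\n",
           checked_variant_protects());
    return 0;
}
```

The first routine still clobbers the canary even though its check "fired",
which is exactly why a failed bounds check must divert control flow (return,
abort, panic) rather than merely stall the CPU.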

