iOS 18.4 – dlsym considered harmful
a day ago
- #dlsym
- #iOS
- #PAC
- iOS 18.4 introduces a bug in dlsym() on devices that support PAC (Pointer Authentication Code).
- It shows up when a program resolves certain functions dynamically, strcmp() among them, and then calls them: the returned function pointer carries an incorrect signature, so the call crashes.
- The investigation traces the problem to a missing XPACI (strip) instruction in dyld, which in some cases causes a pointer that is already signed to be signed a second time.
- Only exports carrying the EXPORT_SYMBOL_FLAGS_STUB_AND_RESOLVER flag are affected; strcmp is one of them, since its implementation is chosen lazily at run time by a resolver function rather than bound directly.
- Depending on the case, the doubly signed result is either an unsigned pointer or a pointer with an invalid signature; either way authentication fails and the process dies with a kernel protection failure.
- The root cause is that the resolver's return value is not stripped of its existing PAC before the conversion that re-signs it for the caller, so the second signature is computed on top of the first.
- EnhancedPAC2 (Armv8.6-A) is what makes the outcome vary: the PAC is XORed into the pointer's top bits rather than written over them, so signing an already-signed pointer combines the two PACs. With the same key and context they cancel and leave a plain unsigned pointer; with different contexts they combine into a signature that validates under neither.
- Not every application is affected, because dyld often binds such symbols without going through the resolver step, which sidesteps the bug.
- The write-up is a tour through the internals of iOS dynamic linking and its PAC implementation, and argues that Apple needs to fix the issue in an upcoming update.
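The XOR behaviour of EnhancedPAC2 is what decides whether the double signing yields an unsigned pointer or an invalid one, and it is easiest to see in a small model. The following C program is an added example, not code from the original post or from dyld: it models AddPAC/AuthPAC as Armv8.6-A EnhancedPAC2 defines them (PAC computed over the canonical pointer, then XORed into the PAC field), with a toy mixing function standing in for the real PAC cipher and an 8-bit PAC field in bits 63:56 for readability. The discriminator values CTX_RESOLVER and CTX_TARGET, the sample address, and the two `bind_*` functions are hypothetical stand-ins for the resolver and dyld contexts the page describes, not the values iOS actually uses.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified pointer layout: PAC lives in bits 63:56, extension bits are
 * zero (user-space address with bit 55 clear). Real layouts depend on VA size. */
#define PAC_SHIFT 56
#define PAC_MASK  (0xFFull << PAC_SHIFT)

/* Toy key. Real keys live in system registers and are never readable from EL0. */
static const uint64_t toy_key = 0x0123456789abcdefull;

/* Stand-in for ComputePAC (QARMA on real hardware): 8-bit mix of the
 * canonical pointer, the modifier (discriminator) and the key. The top PAC
 * bit is forced on so the PAC is never zero; that keeps the demo deterministic
 * (a real PAC can be zero with small probability, so this is a simplification). */
static uint64_t compute_pac(uint64_t canonical_ptr, uint64_t modifier) {
    uint64_t x = canonical_ptr ^ (modifier * 0x9e3779b97f4a7c15ull) ^ toy_key;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdull;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ull;
    x ^= x >> 33;
    return ((x & 0x7F) | 0x80) << PAC_SHIFT;
}

/* XPACI: strip the PAC field, restoring the extension bits (zero here). */
static uint64_t xpaci(uint64_t ptr) { return ptr & ~PAC_MASK; }

/* AddPAC with EnhancedPAC2: the PAC is computed over the stripped pointer and
 * XORed into the PAC field instead of overwriting it, so signing an
 * already-signed pointer XORs two PACs together. */
static uint64_t pac_add(uint64_t ptr, uint64_t modifier) {
    return ptr ^ compute_pac(xpaci(ptr), modifier);
}

/* AuthPAC with EnhancedPAC2: XOR the expected PAC back in; the pointer is
 * valid iff the PAC field now equals the extension bits (zero). With FPAC
 * the hardware faults on failure; here the failure is a return value. */
static bool pac_auth(uint64_t ptr, uint64_t modifier, uint64_t *out) {
    uint64_t r = ptr ^ compute_pac(xpaci(ptr), modifier);
    *out = r;
    return (r & PAC_MASK) == 0;
}

static bool auth_ok(uint64_t ptr, uint64_t modifier) {
    uint64_t unused;
    return pac_auth(ptr, modifier, &unused);
}

/* Hypothetical discriminators for the resolver's signature and for the
 * context the caller will authenticate against. Values are arbitrary. */
#define CTX_RESOLVER 0x1111ull
#define CTX_TARGET   0x2222ull

/* Buggy binding (the missing XPACI): the resolver hands back a pointer that
 * is already signed with ctx_resolver, and dyld signs it again for the target
 * context without stripping it first. */
static uint64_t bind_without_strip(uint64_t impl, uint64_t ctx_resolver) {
    uint64_t from_resolver = pac_add(impl, ctx_resolver);
    return pac_add(from_resolver, CTX_TARGET);
}

/* Correct binding: strip the resolver's signature, then sign for the target. */
static uint64_t bind_with_strip(uint64_t impl, uint64_t ctx_resolver) {
    uint64_t from_resolver = pac_add(impl, ctx_resolver);
    return pac_add(xpaci(from_resolver), CTX_TARGET);
}

int main(void) {
    uint64_t impl = 0x0000000180a1c2d0ull;   /* constructed implementation address */
    uint64_t good      = bind_with_strip(impl, CTX_RESOLVER);
    uint64_t bad_other = bind_without_strip(impl, CTX_RESOLVER); /* different contexts */
    uint64_t bad_same  = bind_without_strip(impl, CTX_TARGET);   /* same context: PACs cancel */
    printf("strip then sign        %016llx auth=%d\n", (unsigned long long)good,      auth_ok(good, CTX_TARGET));
    printf("double sign, other ctx %016llx auth=%d\n", (unsigned long long)bad_other, auth_ok(bad_other, CTX_TARGET));
    printf("double sign, same ctx  %016llx auth=%d (equals raw pointer: %d)\n",
           (unsigned long long)bad_same, auth_ok(bad_same, CTX_TARGET), bad_same == impl);
    return 0;
}
```

Running it shows the two failure shapes from the write-up side by side: with differing contexts the unstripped path yields a pointer whose PAC field is `pacR ^ pacT`, which authenticates under neither context; with identical contexts the two PACs cancel and the "signed" pointer is simply the raw address, which also fails authentication. Only the strip-then-sign path produces a pointer that authenticates under CTX_TARGET.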