12-14-2017, 02:06 AM   #143
freebeard
Master EcoModder
Join Date: Aug 2012
Location: northwest of normal
Posts: 27,712
Thanks: 7,780
Thanked 8,586 Times in 7,070 Posts
Quote:
I'm used to an unbroken progression in technological usability.
You'll learn.

For one example... I think the Mac OS Finder is totally borked. In Column View if you change the sort it totally changes the column layout. I think they've fallen away from the 1984 Human Interface Guidelines under Tim Cook.

The Vulture was great today:
I, Robot? Aiiiee, ROBOT! RSA TLS crypto attack pwns Facebook, PayPal, 27 of 100 top domains
Intel to slap hardware lock on Management Engine code to thwart downgrade attacks
FREE zero-day for every reader: AT&T's DirecTV kit has a root hole
Hey, we've toned down the 'destroying society' shtick, Facebook insists
Google's Project Zero reveals Apple jailbreak exploit
That last one:
Quote:
Beer's step-by-step explanation is in the readme file of his PoC (linked in the Project Zero post):

First, he used a proc_pidlistuptrs bug to disclose the address of arbitrary ipc_ports;
Second, he triggered an out-of-bounds read for “various kalloc sizes” to identify “the most commonly-leaked kernel pointer”;
Next, he sent Mach messages to gather “a pretty large number of kalloc allocations”;
With enough Mach port allocations, Beer gathered a page “containing only my ports”. The port address disclosure provided “a port which fits within particular bounds on a page. Once I've found it, I use the IOSurface bug to give myself a dangling pointer to that port”;
“I free the kalloc allocations made earlier and all the other ports then start making kalloc.4096 allocations (again via crafted mach messages);”
Careful reallocation (1 MB at a time) made garbage collection trigger and “collect the page that the dangling pointer points to”.

Beer continued that “the bsdinfo->pid trick” let him build an arbitrary read to find the kernel task's vm_map and the kernel's ipc_space, allowing him to reallocate the kalloc.4096 buffer with a fake kernel task port.
Great stuff; you don't get that just anywhere. OTOH they have stories like:

How fast is a piece of string? Boffin shoots ADSL signal down twine

3.5Mb/s? The trick is to use salt water.
__________________
.
.
Without freedom of speech we wouldn't know who all the idiots are. -- anonymous poster

____________________
.
.
"We're deeply sorry." -- Pfizer