Voucher_swap: Exploiting MIG reference counting in iOS 12

[0x0]

Curious to hear more about the "bypass Apple's implementation of ARMv8.3 Pointer Authentication (PAC) on A12 devices like the iPhone XS."

Is this new ARMv8.3 feature already broken?

[olliej]

I would guess holes in the coverage, or insufficient discrimination for authenticating.

But yeah, I’m looking forward to finding out what they exploited.

[saagarjha]

I haven’t used MIG much, but it’s always seemed like a security nightmare. It’s somewhat convenient, but the codegen part looks really sketchy and of course with separation like this it’s easy to forget memory management guidelines, etc.