The code snippets and conceptual analysis presented in this document are based on iOS 16.2.
The bug was disclosed and patched after Pwn2Own 2024 and was assigned CVE-2024-27834. Details of the patch can be found in the WebKit repository.
CVE-2025-43520 - DarkSword
1. cluster_read_ext and cluster_write_ext call cluster_io_type to determine what IO operation to perform.
2. cluster_io_type calls vm_map_get_upl with UPL_QUERY_OBJECT_TYPE to query the type of the vm_object that backs the user-supplied virtual address range.
3. If this object is physically contiguous it returns IO_CONTIG, otherwise it returns IO_DIRECT or IO_COPY.
4. If cluster_io_type returns IO_CONTIG, cluster_[read|write]_ext calls the "contig" variant, cluster_[read|write]_contig.
5. cluster_[read|write]_contig then calls vm_map_get_upl a second time to get the UPL from the uio.
6. It then grabs the first physical page from the UPL using upl_phys_page and performs a physical copy.
7. This is a TOCTOU. An attacker can remap the virtual address range so that the region is no longer physically contiguous after the first call to vm_map_get_upl, causing an OOBR/OOBW to physmem.
# Build v8 x64 on modern Linux
# Time to run: about 1.2 hrs at 8 GB RAM / 8 cores, Ubuntu 22.04 LTS
# This Dockerfile is part of Zero Day Engineering training materials on JavaScript engine internals and vulnerability research
# https://zerodayengineering.com
# @zerodaytraining
FROM ubuntu:bionic
MAINTAINER contact@zerodayengineering.com
# -y is required: docker build runs non-interactively, so apt-get upgrade would otherwise stop at the confirmation prompt
RUN apt-get update && apt-get upgrade -y
Understanding alignment, object size and objects per slab for special-purpose caches in the SLUB allocator.
Let's take a look at filp, the special-purpose cache for struct file, as an example.
Note: I'm using a 5.4 kernel as that's what I had on hand (newer kernels have things like the struct slab overlay).
Additional edit: I've simplified things here, focusing on filp; e.g. additional size alignment can happen in calculate_sizes(), typically this is just aligning the size to a word boundary (??)