Zhuowei Zhang
(replying to Oliver Hunt)
@ohunt @saagar one might be:
- macOS 14 added PAC to the user thread state pointer (https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/osfmk/arm/thread.h#L107)
- the Triangulation exploit uses thread_get_state for their kernel read, presumably by overwriting the user thread state pointer to point to other parts of the kernel memory
Not sure about the others - the presentation said that they used different ways to get kernel write depending on version, so I assume there are probably patches there as well.