WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
Lightning talk at WhiskeyCon 2017. Discusses a bug in the iOS 9 Zone Allocator that was wasting memory and caused an unexpected heap layout.

Published in: Technology

1. 5 Minutes with the MacOS / iOS Zone Allocator
   WhiskeyCon Singapore, March, 2017
2. Who am I?
   | © 2017 by ANTID0TE All rights reserved
   • Stefan Esser
   • from Germany
   • in Information Security since 1998
   • SektionEins GmbH (2007 - 2016)
   • Antid0te UG (2013 - now)
3. What is this talk about?
   • between iOS 9.0 and iOS 9.1 the Zone Allocator had a bug
   • it was fixed later as a side effect of refactoring zcram()
   • the bug is not a security bug, but it influences heap layout
   • it might cause trouble for previously working heap-feng-shui code
4. iOS Zone Allocator Allocations in iOS <= 6
   • memory page is split into elements
   • in this example the allocation size is 64
   • every single element is used
   • 64 elements per page
5. iOS Zone Allocator Allocations in iOS 7 & 8
   • Apple added meta data to the end of the page
   • one less element (63) fits into a page
   • exactly what we expect due to the meta data at the end
6. iOS Zone Allocator Allocations in iOS 9
   • Apple moved meta data to the beginning of the page
   • the block at the beginning cannot be used
   • but why only 62 elements?
   • why is the last block still unused?
   • there must be something wrong
7. zcram() (I)
   • first element is positioned aligned after the meta data
   • following elements are added one by one

       vm_offset_t first_element_offset;
       if (zone_page_metadata_size % ZONE_ELEMENT_ALIGNMENT == 0) {
           first_element_offset = zone_page_metadata_size;
       } else {
           first_element_offset = zone_page_metadata_size +
               (ZONE_ELEMENT_ALIGNMENT - (zone_page_metadata_size % ZONE_ELEMENT_ALIGNMENT));
       }
       for (pos_in_page = first_element_offset;
            (newmem + pos_in_page + elem_size) < (vm_offset_t)(newmem + PAGE_SIZE);
            pos_in_page += elem_size) {
           page_metadata->alloc_count++;
           zone->count++;   /* compensate for free_to_zone */
           free_to_zone(zone, newmem + pos_in_page, FALSE);
           zone->cur_size += elem_size;
       }
8. zcram() (II)
   • checks in each iteration whether the end of the element is still within the page
   • the check is broken: it uses < (newmem + PAGE_SIZE)
   • if an element ends exactly on the page boundary it is considered out of bounds
   • must be <= (newmem + PAGE_SIZE), otherwise the last element is always lost

       for (pos_in_page = first_element_offset;
            (newmem + pos_in_page + elem_size) < (vm_offset_t)(newmem + PAGE_SIZE);
            pos_in_page += elem_size) {
           page_metadata->alloc_count++;
           zone->count++;   /* compensate for free_to_zone */
           free_to_zone(zone, newmem + pos_in_page, FALSE);
           zone->cur_size += elem_size;
       }
9. iOS Zone Allocator Allocations in iOS >= 9.2
   • Apple refactored the code - freelist order is now randomized
   • the refactoring fixed the bug
   • only the meta data block at the beginning is not used
   • 63 elements fit per page
10. iOS Zone Allocator Allocations in iOS 10
   • Apple moved the meta data out of the page
   • once again the full page is used for allocations
   • exactly 64 elements fit into a page
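The zcram() loop from slides 7 and 8 simulated over a single page, as an added example that is not part of the original deck: it counts the elements produced under the original '<' bound and the corrected '<=' bound, and also reproduces the iOS 10 case where the meta data sits outside the page. The page size, element size, meta data size and alignment are constructed assumptions chosen to match the 62/63/64 counts shown on the slides, not the actual XNU constants.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed constants: a 4 KiB page, 64-byte elements, and page meta data
 * that after alignment occupies the first 64-byte block. These values are
 * assumptions chosen to reproduce the slides' element counts, not the real
 * XNU definitions. */
#define SIM_PAGE_SIZE          4096u
#define SIM_ELEM_SIZE          64u
#define SIM_METADATA_SIZE      40u   /* assumed raw meta data size */
#define SIM_ELEMENT_ALIGNMENT  64u   /* assumed ZONE_ELEMENT_ALIGNMENT */

/* Same computation as the first_element_offset code on slide 7. */
static size_t first_element_offset(size_t metadata_size, size_t alignment)
{
    if (metadata_size % alignment == 0)
        return metadata_size;
    return metadata_size + (alignment - (metadata_size % alignment));
}

/* Count the elements zcram()'s loop hands to the freelist for one page.
 * newmem is modelled as offset 0. strict_less_than = 1 reproduces the
 * iOS 9.0/9.1 condition ('<'); 0 uses the '<=' bound that accepts an
 * element ending exactly on the page boundary. first_off = 0 models
 * iOS 10, where the meta data lives outside the page. */
static unsigned count_elements(size_t page_size, size_t elem_size,
                               size_t first_off, int strict_less_than)
{
    unsigned n = 0;
    for (size_t pos = first_off;
         strict_less_than ? (pos + elem_size) <  page_size
                          : (pos + elem_size) <= page_size;
         pos += elem_size)
        n++;
    return n;
}

int main(void)
{
    size_t off = first_element_offset(SIM_METADATA_SIZE, SIM_ELEMENT_ALIGNMENT);
    unsigned buggy = count_elements(SIM_PAGE_SIZE, SIM_ELEM_SIZE, off, 1);
    unsigned fixed = count_elements(SIM_PAGE_SIZE, SIM_ELEM_SIZE, off, 0);
    printf("first element at offset %zu\n", off);
    printf("'<'  bound: %u elements per page, %zu bytes wasted\n",
           buggy, (size_t)(fixed - buggy) * SIM_ELEM_SIZE);
    printf("'<=' bound: %u elements per page\n", fixed);
    printf("meta data outside page, '<=' bound: %u elements per page\n",
           count_elements(SIM_PAGE_SIZE, SIM_ELEM_SIZE, 0, 0));
    return 0;
}
```

With a first element offset that is a multiple of the element size, the last element ends exactly on the page boundary and the '<' bound drops it; when the offset is not a multiple (for example 24), both bounds agree because the final element would overrun the page anyway.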
11. Questions?
   www.antid0te.com
   stefan@antid0te.com
   © 2017 by ANTID0TE. All rights reserved
