Security Developer Summit: Did you push your limits? Asking again 25 years later

Did you push your limits? Asking again 25 years later
Wang Yu

About me

Wang Yu. Security researcher. Serial entrepreneur, currently serving as CEO/CTO of a leading data security company. Engineering background. Consistently delivering world-class research achievements bridging industry and academia.

Did you push your limits? Part 1 - As a system architect

Case #1: The story behind IOMobileFrameBuffer and CVE-2024-44199
Case #2 and Case #3: CVE-2020-3905 and CVE-2020-9928

Case #1 - The story behind IOMobileFrameBuffer

The statistical data on IOMobileFrameBuffer vulnerabilities indicates that the competition between the offensive and defensive sides once reached a fever pitch. According to publicly available records, a total of sixteen kernel vulnerabilities in IOMobileFrameBuffer have been reported throughout its history. Among them, four were actively exploited by APT groups (CVE-2021-30807, CVE-2021-30883, CVE-2021-30983, CVE-2022-22587), two were leveraged for iOS jailbreak tools (JailbreakMe 3.0 - CVE-2011-0227, Pangu 9 - CVE-2016-4654), and one was successfully utilized to win a security challenge competition (Tianfu Cup - CVE-2021-30983).

The historical landscape of kernel vulnerabilities

2011 - CVE-2011-0227 (Comex, JailbreakMe 3.0)
2012 - N/A
2013 - N/A
2014 - N/A
2015 - CVE-2015-1097 (Barak Gabai), CVE-2015-5843 (Filippo Bigarella)
2016 - CVE-2016-4654 (Tielei Wang - Team Pangu, Pangu 9)
2017 - CVE-2017-13879 (Apple)
2018 - CVE-2018-4335 (Brandon Azad)
2019 - N/A
2020 - N/A

The historical landscape of kernel vulnerabilities (cont)

2021 - CVE-2021-30807 (ITW APT attack / Saar Amar), CVE-2021-30883 (ITW APT attack / Tielei Wang - Team Pangu), CVE-2021-30983 (Tielei Wang - Team Pangu, Tianfu Cup Competition), CVE-2021-30985 (Tielei Wang - Team Pangu), CVE-2021-30991 (Tielei Wang - Team Pangu), CVE-2021-30996 (Saar Amar)
2022 - CVE-2022-22587 (ITW APT attack / Meysam Firouzi / Siddharth Aeri), CVE-2022-26768 (An Anonymous Researcher, highly likely exploited by an ITW APT attack), CVE-2022-46690 (John Aakerblom), CVE-2022-46697 (John Aakerblom / Antonio Zekic)
2023 - N/A
2024 - Any ideas?

I missed that era

《IOMFB的一些陳芝麻》 (Some old stories about IOMFB)
Pangu 9 Internals
Selector 0x53 - CVE-2021-30807
WebContent to EL1 LPE - OOBR in AppleCLCD and IOMobileFrameBuffer
Selector 0x4E - CVE-2021-30883
Bindiff and PoC for the IOMFB Vulnerability, iOS 15.0.2

The attack surfaces have been removed

Case #2 and #3 - CVE-2020-3905 and

CVE-2020-9928

CVE-2020-3905: IOBluetoothHCIUserClient::DispatchHCIWriteEncryptionMode (OpCode 0xC22) Kernel Object Race Condition Vulnerability. Patched via Security Update 2020-002, but this patch can be bypassed.
CVE-2020-9928: IOBluetoothFamily Kernel Object Race Condition Vulnerability Triggered by Mixed HCI Commands. Patched via Security Update 2020-004. IOBluetoothHCIUserClient::DispatchHCIChangeLocalName

Hacking IOBluetooth

IOBluetoothFamily HCI gadgets. Follow the calling sequence below:
DispatchHCIRequestCreate
DispatchHCIReadLocalName
DispatchHCIChangeLocalName
DispatchHCI......
DispatchHCIRequestDelete

A call stack from "Hacking IOBluetooth"

(selected)

Thread 0x2f5  DispatchQueue 1  1001 samples (1-1001)  priority 31-46 (base 31)  cpu time 0.022
  8  _xpc_connection_call_event_handler + 35 (libxpc.dylib + 44950) [0x7fff96b4bf96]
  4  ??? (blued + 551462) [0x105f63a26]
  4  ??? (blued + 239559) [0x105f177c7]
  4  _NSSetCharValueAndNotify + 260 (Foundation + 448025) [0x7fff82baa619]
  4  -[NSObject(NSKeyValueObservingPrivate) _changeValueForKey:key:key:usingBlock:] + 60 (Foundation + 27629) [0x7fff82b43bed]
  4  -[NSObject(NSKeyValueObservingPrivate) _changeValueForKeys:count:maybeOldValuesDict:usingBlock:] + 944 (Foundation + 1579207) [0x7fff82cbe8c7]
  4  NSKeyValueDidChange + 486 (Foundation + 274052) [0x7fff82b7fe84]
  4  NSKeyValueNotifyObserver + 350 (Foundation + 275949) [0x7fff82b805ed]
  4  ??? (blued + 112657) [0x105ef8811]
  1  ??? (blued + 117061) [0x105ef9945]
  1  -[BroadcomHostController BroadcomHCILEAddAdvancedMatchingRuleWithAddress:address:blob:mask:RSSIThreshold:packetType:matchingCapacity:matchingRemaining:] + 200
  1  sendRawHCIRequest + 246 (IOBluetooth + 344294) [0x7fff830540e6]
  1  IOConnectCallStructMethod + 56 (IOKit + 29625) [0x7fff830ab3b9]
  1  IOConnectCallMethod + 336 (IOKit + 29170) [0x7fff830ab1f2]
  1  io_connect_method + 375 (IOKit + 531601) [0x7fff83125c91]
  1  mach_msg_trap + 10 (libsystem_kernel.dylib + 74570) [0x7fff96a1f34a]
 *1  hndl_mach_scall64 + 22 (kernel + 638390) [0xffffff800029bdb6]
 *1  mach_call_munger64 + 456 (kernel + 2011608) [0xffffff80003eb1d8]
 *1  mach_msg_overwrite_trap + 327 (kernel + 919415) [0xffffff80002e0777]
 *1  ipc_kmsg_send + 225 (kernel + 835505) [0xffffff80002cbfb1]
 *1  ipc_kobject_server + 412 (kernel + 980924) [0xffffff80002ef7bc]
 *1  ??? (kernel + 1827576) [0xffffff80003be2f8]
 *1  is_io_connect_method + 497 (kernel + 7259025) [0xffffff80008ec391]
 *1  IOBluetoothHCIUserClient::externalMethod(unsigned int, IOExternalMethodArguments*, IOExternalMethodDispatch*, OSObject*, void*) + 257
 *1  IOCommandGate::runAction(int (*)(OSObject*, void*, void*, void*, void*), void*, void*, void*, void*) + 314 (kernel + 7068058) [0xffffff80008bd99a]
 *1  IOBluetoothHCIUserClient::SimpleDispatchWL(IOBluetoothHCIDispatchParams*) + 918 (IOBluetoothFamily + 83308) [0xffffff7f81eb856c]
 *1  IOBluetoothHostController::SendRawHCICommand(unsigned int, char*, unsigned int, unsigned char*, unsigned int) + 2423 (IOBluetoothFamily + 327391) [0xffffff7f81ef3edf]
 *1  IOBluetoothHCIRequest::Start() + 515 (IOBluetoothFamily + 114737) [0xffffff7f81ec0031]
 *1  IOEventSource::sleepGate(void*, unsigned long long, unsigned int) + 83 (kernel + 7062579) [0xffffff80008bc433]
 *1  IOWorkLoop::sleepGate(void*, unsigned long long, unsigned int) + 126 (kernel + 7057470) [0xffffff80008bb03e]
 *1  lck_mtx_sleep_deadline + 147 (kernel + 1019715) [0xffffff80002f8f43]
 *1  thread_block_reason + 222 (kernel + 1061566) [0xffffff80003032be]
 *1  ??? (kernel + 1066139) [0xffffff800030449b]
 *1  machine_switch_context + 206

What can be read from the call

stack

This is a complete call stack for sending a raw vendor-specific command. The entry and exit of macOS IOBluetoothFamily HCI are the routines IOBluetoothHCIUserClient::SimpleDispatchWL and IOBluetoothHCIRequest::Start. How to ensure that Bluetooth-related data structures are safe in a multithreaded environment?

IOCommandGate mechanism

Class IOCommandGate: Single-threaded work-loop client request mechanism.
Routine IOCommandGate::runAction: Single thread a call to an action with the target work-loop.
Routine IOCommandGate::commandSleep: Put a thread that is currently holding the command gate to sleep.

Yes, you can sleep for a while

Routine IOCommandGate::commandSleep: Put a thread to sleep waiting for an event but release the gate first. At this time, the HCI request is NOT completed by the Bluetooth controller. So again, how to ensure the Bluetooth-related data structures are safe in this flow? Unfortunately, this issue has not been considered.

IOBluetoothFamily HCI request flow
Race condition flow
Data and state inconsistency

Recall the Win32K user mode callback mechanism

Win32k cannot hold the lock when calling back to user mode. Releasing the lock means that there is a flow in which the kernel data structures are not protected. Reference counting and object lifecycle management are very important.
A New CVE-2015-0057 Exploit Technology (0057-Exploit-Technology-wp.pdf)
nt!KeUserModeCallback and nt!NtCallbackReturn

Case study of

CVE-2020-9928

(lldb) register read rdx rsi
General Purpose Registers:
       rdx = 0xffffff801270fcfa  ""Element %p from zone %s caught being freed to wrong zone %s\n"@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-4570.61.1/osfmk/kern/zalloc.c:3528"
       rsi = 0xffffff8012749a40  "panic"
(lldb) bt
* thread #1, stop reason = signal SIGSTOP
  * frame #0: 0xffffff8011f7c8ea kernel.development`panic_trap_to_debugger [inlined] current_cpu_datap
    frame #1: 0xffffff8011f7c8ea kernel.development`panic_trap_to_debugger [inlined] current_processor
    frame #2: 0xffffff8011f7c8ea kernel.development`panic_trap_to_debugger [inlined] DebuggerTrapWithState
    frame #3: 0xffffff8011f7c8ba kernel.development`panic_trap_to_debugger
    frame #4: 0xffffff8011f7c6bc kernel.development`panic(str=<unavailable>) at debug.c:611:2 [opt]
    frame #5: 0xffffff8011fd5f09 kernel.development`zfree(zone=0xffffff80128c10d0, addr=0xffffff80403ae070)
    frame #6: 0xffffff8011f89a69 kernel.development`kfree(data=0xffffff80403ae070, size=248)
    frame #7: 0xffffff8012601739 kernel.development`::IOFree(inAddress=<unavailable>, size=248)
    frame #8: 0xffffff7f94ebf90e IOBluetoothFamily`IOBluetoothHCIUserClient::SimpleDispatchWL + 1676
    frame #9: 0xffffff801263eb58 kernel.development`IOCommandGate::runAction at IOCommandGate.cpp:217:11 [opt]
    frame #10: 0xffffff7f94ebf266 IOBluetoothFamily`IOBluetoothHCIUserClient::externalMethod + 228
    ......

Summary of case #2 and case #3

Vulnerabilities like CVE-2020-9928 have been hidden in plain sight for a long time and affect all macOS Bluetooth HCI handlers. Traditional fuzzing methods have difficulty finding this type of vulnerability. Security Update 2020-002 can be bypassed.
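
The commandSleep window described in Part 1, as an added example (not code from the talk or from IOBluetoothFamily): a single-threaded C model of a gated dispatcher that sleeps while the gate is released, once without protection and once holding a reference across the sleep and revalidating after waking. The pool allocator, the gate and request structures and every name are hypothetical; the window callback stands in for what another thread does while the gate is released.

```c
#include <stdbool.h>
#include <stddef.h>

#define POOL_SIZE 4

struct hci_request {
    bool live;       /* false once the last reference is dropped (stands in for IOFree) */
    bool deleted;    /* a DispatchHCIRequestDelete-style caller ran while we slept */
    bool completed;  /* set when the controller's answer is processed */
    int  refcount;
};

struct gate {
    bool held;                   /* true while this thread owns the command gate */
    struct hci_request *current; /* shared state the gate is supposed to guard */
};

/* Stand-in for the work another gated caller does while the gate is released. */
typedef void (*window_fn)(struct gate *g);

/* Hypothetical allocator: freed objects stay inspectable instead of being UB to touch. */
static struct hci_request pool[POOL_SIZE];

static struct hci_request *request_create(struct gate *g) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i] = (struct hci_request){ .live = true, .refcount = 1 };
            g->current = &pool[i];
            return g->current;
        }
    }
    return NULL;
}

static void request_release(struct hci_request *r) {
    if (--r->refcount == 0) r->live = false;   /* last owner gone: object is freed */
}

/* A competing request that runs in the window and deletes the current request. */
static void delete_current_request(struct gate *g) {
    struct hci_request *r = g->current;
    g->current = NULL;
    r->deleted = true;
    request_release(r);
}

/* commandSleep(): release the gate, let other gated work run, reacquire the gate. */
static void command_sleep(struct gate *g, window_fn other_work) {
    g->held = false;
    if (other_work) other_work(g);
    g->held = true;
}

/* Vulnerable shape: the pointer taken before the sleep is used afterwards with
 * no reference held and no check. Returns -1 when it wrote to a freed object. */
static int dispatch_unsafe(struct gate *g, window_fn other_work) {
    struct hci_request *r = g->current;
    command_sleep(g, other_work);
    r->completed = true;                 /* use-after-free if r was deleted in the window */
    return r->live ? 0 : -1;
}

/* Hardened shape: hold a reference across the sleep and revalidate after waking.
 * Returns 0 on completion, -2 when the request was deleted while asleep. */
static int dispatch_safe(struct gate *g, window_fn other_work) {
    struct hci_request *r = g->current;
    r->refcount++;                       /* our reference keeps the object alive */
    command_sleep(g, other_work);
    int rc = 0;
    if (r->deleted) rc = -2;             /* state changed in the window: do not touch it */
    else r->completed = true;
    request_release(r);                  /* drop our reference; frees it if we were last */
    return rc;
}
```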

Did you push your limits? Part 2 - As a software engineer

Case #4: CVE-2020-10013
Case #5: CVE-2020-9833
Case #6: CVE-2022-26762

Case #4 - CVE-2020-10013

CVE-2020-10013 AppleBCMWLANCoreDbg Arbitrary Memory Write Vulnerability
About the security content of iOS 14.0 and iPadOS 14.0
About the security content of macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave

Boundary checking

A weird kernel-space boundary condition caused this vulnerability.

Case study of CVE-2020-10013

Process 1 stopped
* thread #1, stop reason = signal SIGSTOP
    frame #0: 0xffffff8000398082 kernel`bcopy + 18
kernel`bcopy:
->  0xffffff8000398082 <+18>: rep
    0xffffff8000398083 <+19>: movsb  (%rsi), %es:(%rdi)
    0xffffff8000398084 <+20>: retq
(lldb) register read
General Purpose Registers:
       rcx = 0x0000000000000011
       rsi = 0xffffff81b1d5e000
       rdi = 0xffffff80deadbeef
(lldb) bt
* thread #1, stop reason = signal SIGSTOP
  * frame #0: 0xffffff8000398082 kernel`bcopy + 18
    frame #1: 0xffffff800063abd4 kernel`memmove + 20
    frame #2: 0xffffff7f828e1a64 AppleBCMWLANCore`AppleBCMWLANUserPrint + 260
    ......

Summary of case #4 - CVE-2020-10013

CVE-2020-10013 is an arbitrary memory write vulnerability caused by a boundary checking error. The value to be written is controllable or predictable. Combined with kernel information disclosure vulnerabilities, a complete local EoP exploit chain can be formed. The write primitive is stable and does not require heap Feng Shui manipulation. This vulnerability affects hundreds of AppleBCMWLANCoreDbg handlers!

A complete LPE chain

Combined with kernel information disclosure vulnerabilities, a complete local EoP exploit chain can be formed. A good information disclosure example is CVE-2020-9833.

Case #5 - CVE-2020-9833

CVE-2020-9833: AppleBCMWLANBusInterfacePCIe::loadChipImage / AppleBCMWLANBusInterfacePCIe::copyTrapInfoBlob Kernel Information Disclosure Vulnerability. Patched via Security Update 2020-003.

Reverse engineering and binary auditing

Step 1. Allocation but not initialized
Step 2. Initialization: AppleBCMWLANBusInterfacePCIe::handleFWTrap reverse engineering
Step 3. Firmware trap info extraction: AppleBCMWLANBusInterfacePCIe::loadChipImage reverse engineering; AppleBCMWLANBusInterfacePCIe::copyTrapInfoBlob reverse engineering

Bypass the AppleBCMWLANBusInterfacePCIe::handleFWTrap

The expected execution order is Step 1, 2 and then 3. Is it possible to extract information in the trap buffer before it is initialized? Is it possible to "race" the execution order from Step 1, 2 and 3 to Step 1, 3, (2)? Yes, it is possible. The leaked heap data can exceed 0x200 bytes, including kernel objects, function pointers, etc. Defeat KASLR.

Case #6 - CVE-2022-26762

CVE-2022-26762 IO80211Family`getRxRate Arbitrary Memory Write Vulnerability
About the security content of iOS 15.5 and iPadOS 15.5
About the security content of macOS Monterey 12.4

User input sanitization

The vulnerable function forgets to sanitize a user-mode pointer.
macOS/iOS/FreeBSD kernel's copyin and copyout
Linux kernel's copy_from_user and copy_to_user
Windows kernel's ProbeForRead and ProbeForWrite
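
Before the case study, as an added example (not code from the talk or from IO80211Family): a C model of the user-pointer check the "User input sanitization" slide calls for, with the vulnerable shape beside the copyout-style one. The modelled user mapping, its limit constant, the request layout and every name are hypothetical; 0xdeadbeefdeadcafe and 0x258 are the rbx and rax values shown in the talk's crash.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define USER_BASE  0x100000000ULL            /* first modelled user address (hypothetical) */
#define USER_SIZE  0x1000ULL                 /* size of the modelled user mapping */
#define USER_LIMIT (USER_BASE + USER_SIZE)   /* plays the role of the kernel's user-space limit */

static uint8_t  user_mem[USER_SIZE];         /* the modelled user pages */
static uint32_t kernel_word = 0x41414141;    /* a kernel object a bad write would clobber */

struct rxrate_req {                          /* hypothetical request layout */
    uint64_t out_ptr;                        /* caller-supplied output pointer */
};

/* Overflow-safe check that [addr, addr + len) lies entirely in user space. */
static bool user_range_ok(uint64_t addr, uint64_t len) {
    if (len == 0 || addr < USER_BASE) return false;
    return addr <= USER_LIMIT - len;         /* avoids wraparound of addr + len */
}

/* Model of copyout(): validate first, then copy into the user mapping. */
static int sim_copyout(const void *ksrc, uint64_t uaddr, uint64_t len) {
    if (!user_range_ok(uaddr, len)) return EFAULT;
    memcpy(user_mem + (uaddr - USER_BASE), ksrc, (size_t)len);
    return 0;
}

/* Vulnerable shape: the pointer is stored through as-is. In the model an address
 * outside the user mapping is routed to kernel_word so the arbitrary kernel
 * write is observable instead of crashing the process. */
static int get_rx_rate_unsafe(const struct rxrate_req *req, uint32_t rate) {
    if (user_range_ok(req->out_ptr, sizeof rate))
        memcpy(user_mem + (req->out_ptr - USER_BASE), &rate, sizeof rate);
    else
        kernel_word = rate;                  /* the "movl %eax, (%rbx)" with rbx under user control */
    return 0;                                /* reports success either way */
}

/* Hardened shape: every user-supplied destination goes through copyout(). */
static int get_rx_rate_safe(const struct rxrate_req *req, uint32_t rate) {
    return sim_copyout(&rate, req->out_ptr, sizeof rate);
}

/* Helper for checking what landed in the modelled user mapping. */
static uint32_t user_read32(uint64_t uaddr) {
    uint32_t v;
    memcpy(&v, user_mem + (uaddr - USER_BASE), sizeof v);
    return v;
}
```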

Case study of CVE-2022-26762

Process 1 stopped
* thread #1, stop reason = signal SIGSTOP
    frame #0: 0xffffff8008b23ed7 IO80211Family`getRxRate(IO80211Controller*, IO80211Interface*, IO80211VirtualInterface*, IO80211InfraInterface*, apple80211req*, bool) + 166
IO80211Family`getRxRate:
->  0xffffff8008b23ed7 <+166>: movl   %eax, (%rbx)
    0xffffff8008b23ed9 <+168>: xorl   %eax, %eax
    0xffffff8008b23edb <+170>: movq   0xca256(%rip), %rcx
    0xffffff8008b23ee2 <+177>: movq   (%rcx), %rcx
(lldb) register read
General Purpose Registers:
       rax = 0x0000000000000258
       rbx = 0xdeadbeefdeadcafe
       rdi = 0xffffff90345b4dc0
       rsi = 0xffffff8008203ee0
       rbp = 0xffffffd079bcba40
       rsp = 0xffffffd079bcba10
       rip = 0xffffff8008b23ed7  IO80211Family`getRxRate + 166
    ......

Summary of case #6 - CVE-2022-26762

Compared with CVE-2020-10013, the root cause of CVE-2022-26762 is simpler: the vulnerable function forgets to sanitize a user-mode pointer. These simple and stable kernel vulnerabilities are powerful; they are perfect for Pwn2Own. The value to be written is fixed. Kernel vulnerabilities caused by copyin/copyout, copy_from_user/copy_to_user, ProbeForRead/ProbeForWrite are very common. Kernel developers should carefully check all input parameters.

Did you push your limits? Part 3 - As a quality assurance specialist

Case #7: OE089712553931
Case #8: CVE-2025-24257

Case #7 - OE089712553931

The 0x3F2 branch of AppleBCMWLANCore::handleCardSpecific on macOS Sonoma. Data-only modification. Pierced through all SDL workflows. But this data-only modification forgot the most important thing: the 0x3F2 branch has hardcoded the "-" detection code. This means that the rest of the loop is removed, which directly leads to out-of-bounds read/write to the kernel array.

Summary of case #7 - OE089712553931

Case #8 - CVE-2025-24257

CVE-2025-24257 IOGPUResource::newResourceGroup Kernel Out-of-bounds Read and Write Vulnerability
About the security content of iOS 18.4 and iPadOS 18.4
About the security content of macOS Sequoia 15.4, ...

Case study of CVE-2025-24257 (two lldb sessions; recovered from a garbled screenshot, only the legible parts are kept)

First session: kernel data abort with pc = IOGPUFamily`IOGPUGroupMemory::remove_memory_object(IOGPUMemory*, bool) + 292 and lr = IOGPUFamily`IOGPUGroupMemory::removeMemoryFromResourceMap(IOGPUCountedMap<unsigned long long, IOGPUResource*, IOGPUResourceCountedMapBucket, IOGPUIOLibAllocatorPolicy>*, bool) + 116; registers such as x22 and x25 hold repeated 0x06 bytes. Backtrace: DebuggerTrapWithState(db_op=DBOP_PANIC) <- panic_trap_to_debugger <- panic <- panic_with_thread_kernel_state(msg="Kernel data abort.") <- handle_kernel_abort <- sleh_synchronous <- fleh_synchronous + 44 <- IOGPUGroupMemory::remove_memory_object + 292 <- IOGPUGroupMemory::removeMemoryFromResourceMap <- IOGPUResource::free() + 268.

Second session: kernel data abort with pc inside IOGPUFamily`IOGPUGroupMemory::removeMemoryFromResourceMap(...), again with 0x06-filled registers (x5); the backtrace ends ... <- fleh_synchronous <- IOGPUGroupMemory::removeMemoryFromResourceMap <- IOGPUResource::free() + 268.

Boundary checking

Patch bypass

Bypassing the patch on the macOS Tahoe 26.0 Beta (25A5279m)

Did you push your limits? Part 4 - As a participant in the software development lifecycle

Case
