tfp0 stands for “task for pid 0” – the kernel task port, and therefore the vector for pwnage.)
vm_deallocate calls, probably in another thread.”
kqueues and dumps a bunch of values from them.”
proc_pidlistuptrs bug to disclose the address of arbitrary ipc_ports;
kalloc sizes” to identify “the most commonly-leaked kernel pointer”;
kalloc allocations;
kalloc allocations made earlier and all the other ports then start making kalloc.4096 allocations (again via crafted mach messages);”
bsdinfo->pid trick” let him build an arbitrary read to find the kernel task's vm_map and the kernel's ipc_space, allowing him to reallocate the kalloc.4096 buffer with a fake kernel task port.