iOS 18.4 Update Introduces Critical Bug

Apple’s latest iOS 18.4 update has introduced a significant bug affecting dynamic symbol resolution on devices supporting Pointer Authentication Code (PAC).

This issue, first observed by Fabien Perigaud, a noted reverse-engineering expert, has implications for applications relying on dynamic library loading and symbol resolution.

The bug manifests when applications attempt to resolve symbols dynamically with the dlsym() function, particularly on devices equipped with the A15 SoC, like the iPhone SE 3rd generation.

The problem arises due to an oversight in the implementation of dlsym() within the dynamic linker (dyld) on iOS 18.4, where certain symbols, notably strcmp, are returned with an invalid or missing PAC signature, leading to application crashes[1].

The Bug in Detail

When an application uses dlsym() to resolve symbols like strcmp, which are re-exported from libsystem_platform.dylib with a special flag (EXPORT_SYMBOL_FLAGS_STUB_AND_RESOLVER), the function pointer returned is supposed to be stripped of its PAC signature before being converted to an offset.

However, in iOS 18.4, this stripping does not occur, resulting in the pointer being signed twice. This double signing leads to either an invalid signature or an unsigned pointer, causing the application to crash with a kernel protection failure.

Function handling

The investigation by Perigaud, of Synacktiv, revealed that the issue stems from a missing XPACI instruction in the dyld code, which is responsible for stripping the PAC signature from the pointer returned by the resolver function.

This instruction was present in the previous version, iOS 18.3.2, but its absence in iOS 18.4 leads to the observed behavior.

Further experiments confirmed that the pointer was being treated as a kernel pointer during the second signing operation, contrary to the ARMv8.6-A architecture specifications.

This misinterpretation results in the pointer being signed with all upper bits set to 1, which, when XORed with the original pointer, cancels out the first signature or produces an incorrect one.
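To make the failure mode described in the two sections above concrete, here is an added simulation of the dlsym() path. It is not dyld's code and not Arm's real PAC algorithm: it models a 48-bit address with a 16-bit PAC field in the upper bits, a keyed hash standing in for the hardware cipher, XOR insertion of the PAC, an XPACI strip, and an authenticate step. The strcmp address, image base, key and the two discriminators are constructed values. The point it shows is that, once the resolver's already-signed pointer is passed through the "convert to offset, sign again" step without a strip, the second signature either lands on top of the first (authentication fails) or, with the same discriminator, cancels it (the pointer comes out unsigned).

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified PAC model (added example, not dyld's or Arm's real algorithm):
 * 48-bit virtual address in bits 47:0, 16-bit PAC in bits 63:48.
 * Real ARMv8.3 PAC uses a keyed block cipher, per-key system registers and
 * Apple's own bit layout; this stand-in only keeps the properties that matter
 * for the dyld bug: signing is keyed on the canonical address plus a context,
 * and signing an already-signed pointer mixes the two PAC fields. */

#define VA_MASK    0x0000FFFFFFFFFFFFULL
#define PAC_SHIFT  48

/* Constructed values: a fake strcmp address and image base, and two
 * hypothetical discriminators (the resolver's, and the one the caller of
 * dlsym() expects the returned pointer to be signed with). */
#define STRCMP_ADDR  0x00000001F00C4A10ULL
#define IMAGE_BASE   0x00000001F0000000ULL
#define RESOLVER_CTX 0x1111ULL
#define DLSYM_CTX    0x2222ULL

static const uint64_t KEY = 0x9E3779B97F4A7C15ULL;  /* hypothetical secret key */

/* Keyed mix of (canonical address, context) -> 16-bit PAC. Forced non-zero so
 * the demonstration is deterministic; a real PAC can legitimately be 0. */
static uint64_t pac_compute(uint64_t canonical, uint64_t ctx) {
    uint64_t x = (canonical ^ (ctx * 0xD6E8FEB86659FD93ULL)) * KEY;
    x ^= x >> 29;
    x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 32;
    uint64_t pac = (x >> PAC_SHIFT) & 0xFFFF;
    return pac ? pac : 1;
}

/* PAC* model: insert the PAC into the upper bits by XOR. For a canonical
 * pointer this just sets the PAC field; for an already-signed pointer it XORs
 * the new PAC onto the old one, which is the "signed twice" situation. */
static uint64_t pac_sign(uint64_t ptr, uint64_t ctx) {
    return ptr ^ (pac_compute(ptr & VA_MASK, ctx) << PAC_SHIFT);
}

/* XPACI model: strip the PAC field, leaving the canonical address. */
static uint64_t xpaci(uint64_t ptr) {
    return ptr & VA_MASK;
}

/* AUT* model: returns the canonical address if the PAC field matches, or 0 if
 * it does not (hardware would poison the pointer and the following branch
 * would fault, which is the crash the article describes). */
static uint64_t pac_auth(uint64_t ptr, uint64_t ctx) {
    uint64_t expected = pac_compute(ptr & VA_MASK, ctx);
    uint64_t field = (ptr >> PAC_SHIFT) & 0xFFFF;
    return field == expected ? (ptr & VA_MASK) : 0;
}

static int is_signed(uint64_t ptr) {
    return (ptr >> PAC_SHIFT) != 0;
}

/* The resolver for a STUB_AND_RESOLVER export hands back a pointer it has
 * already signed with its own discriminator. */
static uint64_t resolver_strcmp(void) {
    return pac_sign(STRCMP_ADDR, RESOLVER_CTX);
}

/* Model of dlsym(): strip == 1 is the iOS 18.3.2 behaviour (XPACI before the
 * pointer is turned into an image offset), strip == 0 is the iOS 18.4
 * behaviour. ctx is the discriminator dlsym signs the final pointer with. */
static uint64_t dlsym_model(int strip, uint64_t ctx) {
    uint64_t raw = resolver_strcmp();
    if (strip)
        raw = xpaci(raw);
    uint64_t offset = raw - IMAGE_BASE;   /* stale PAC bits survive this step */
    uint64_t addr = IMAGE_BASE + offset;
    return pac_sign(addr, ctx);            /* second signing */
}

/* Caller side: authenticate with the expected discriminator before branching.
 * Returns the target address, or 0 on authentication failure. */
static uint64_t resolved_target(int strip) {
    return pac_auth(dlsym_model(strip, DLSYM_CTX), DLSYM_CTX);
}

int main(void) {
    printf("18.3.2 path (strip first): target=%#llx\n",
           (unsigned long long)resolved_target(1));
    printf("18.4 path (no strip):      target=%#llx (0 = auth failure)\n",
           (unsigned long long)resolved_target(0));
    /* Same discriminator twice: the two PAC fields cancel and the pointer
     * comes out unsigned, the other outcome the article mentions. */
    printf("double-signed, same ctx:   signed=%d\n",
           is_signed(dlsym_model(0, RESOLVER_CTX)));
    return 0;
}
```

The XOR insertion is the only part of the model chosen to mirror the article's description of the second signature being XORed with the original pointer; everything else is generic. The workaround mentioned later in the article, manually stripping and re-signing, corresponds to applying xpaci() to the returned pointer and signing it once more with the caller's own discriminator.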

This bug has significant implications for developers, especially those working on applications that dynamically load libraries or use system functions through dlsym().

While not all applications crash due to this issue, those that do face critical stability problems. Developers have found temporary workarounds by manually stripping and re-signing the pointers, but this is not a sustainable solution.

Apple’s Response

As of now, Apple has not officially acknowledged this bug, but given its severity, a fix is expected in an upcoming update. The community is hopeful that Apple will address this issue promptly to prevent further disruptions in app functionality and security.

The discovery of this bug underscores the complexities involved in implementing security features like PAC in modern operating systems. It also highlights the importance of thoroughly testing and validating system updates, especially those involving low-level system interactions.

Developers and users alike are advised to stay tuned for Apple’s response and subsequent updates to resolve this critical issue.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.