That's FAR-out, Man

Original Post:
That's FAR-out, Man
We discussed this vulnerability during Episode 228 on 28 November 2023

An iOS bug caused by improper handling of the Fault Address Register (FAR) in XNU on arm64. The FAR register is updated with the faulting address upon certain CPU exceptions, such as instruction or data aborts on invalid addresses, alignment faults, and faulting in pages. The FAR is also copied into the thread structure as part of the core state. The problem is that certain other exceptions, such as breakpoint debug instructions, do not update the FAR, and the FAR is never cleared of its previous value. By first triggering an exception to page in physical memory on a freshly allocated buffer, an attacker can cause a kernel pointer to be stored in the FAR. By then triggering a breakpoint debug instruction, that kernel pointer can be leaked to user space through the exported core state.
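The stale-register pattern behind this bug, and the shape of the fix, as an added illustrative model in C. This is not XNU source and not the actual patch: the exception classes, the `cpu_regs` and `thread_core_state` structures, and the `CONSTRUCTED_KERNEL_PTR` value are all constructed for the example. It contrasts a state-save routine that exports FAR unconditionally with one that only exports FAR for exception classes that actually wrote it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the bug class, not XNU code. The exception
 * classes and structures below exist only for this illustration. */
enum exc_class { EXC_DATA_ABORT, EXC_INSN_ABORT, EXC_BREAKPOINT, EXC_SVC };

/* Simulated CPU registers. FAR is "sticky": it keeps its last value
 * until an exception class that writes it occurs. */
struct cpu_regs { uint64_t far; uint64_t esr; };

/* Core state copied into the thread structure and readable from user mode. */
struct thread_core_state { uint64_t far; uint64_t esr; };

/* Constructed placeholder for a kernel address left in FAR by a page-in fault. */
#define CONSTRUCTED_KERNEL_PTR 0xfffffff0075a1000ULL

/* Only aborts carry a meaningful fault address. */
static bool exc_sets_far(enum exc_class ec) {
    return ec == EXC_DATA_ABORT || ec == EXC_INSN_ABORT;
}

/* CPU side: aborts update FAR with the faulting address; debug and
 * syscall exceptions do not touch it. */
static void raise_exception(struct cpu_regs *r, enum exc_class ec, uint64_t fault_addr) {
    r->esr = (uint64_t)ec;
    if (exc_sets_far(ec)) r->far = fault_addr;
}

typedef void (*save_fn)(const struct cpu_regs *, struct thread_core_state *);

/* Vulnerable save: exports FAR unconditionally, stale value included. */
static void save_state_vulnerable(const struct cpu_regs *r, struct thread_core_state *out) {
    out->esr = r->esr;
    out->far = r->far;
}

/* Hardened save: FAR is only meaningful for the classes that wrote it;
 * for every other class, export a cleared value instead of the stale one. */
static void save_state_fixed(const struct cpu_regs *r, struct thread_core_state *out) {
    out->esr = r->esr;
    out->far = exc_sets_far((enum exc_class)r->esr) ? r->far : 0;
}

/* Replay the sequence from the write-up: a page-in fault on a fresh buffer
 * leaves a kernel address in FAR (handled transparently, nothing exported),
 * then a breakpoint exception leaves FAR untouched and the core state is
 * saved. Returns the FAR value user mode would observe after the breakpoint. */
static uint64_t far_seen_after_breakpoint(save_fn save) {
    struct cpu_regs cpu = {0};
    struct thread_core_state st = {0};

    raise_exception(&cpu, EXC_DATA_ABORT, CONSTRUCTED_KERNEL_PTR); /* first-touch page-in */
    raise_exception(&cpu, EXC_BREAKPOINT, 0);                      /* brk: FAR not written */
    save(&cpu, &st);
    return st.far;
}

/* Sanity check that the hardened save still reports genuine fault addresses. */
static uint64_t far_seen_after_abort(save_fn save, uint64_t addr) {
    struct cpu_regs cpu = {0};
    struct thread_core_state st = {0};
    raise_exception(&cpu, EXC_DATA_ABORT, addr);
    save(&cpu, &st);
    return st.far;
}

int main(void) {
    printf("vulnerable save after brk: 0x%llx\n",
           (unsigned long long)far_seen_after_breakpoint(save_state_vulnerable));
    printf("hardened save after brk:   0x%llx\n",
           (unsigned long long)far_seen_after_breakpoint(save_state_fixed));
    return 0;
}
```

The design point is that a sticky hardware register must be treated as valid only for the exception classes that define it; the hardened variant keys the export on the exception class rather than on whatever the register happens to hold, which is the general defence against this class of stale-state leaks.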