Status: Fixed
Closed: Jan 2017
iOS/MacOS kernel UaF due to lack of locking in host_self_trap
Reported by ianbeer@google.com (Project Member), Dec 9 2016
The task struct has a lock (itk_lock_data, taken via the itk_lock macros) which is supposed to
protect the task->itk_* ports.

The host_self_trap mach trap accesses task->itk_host without taking this lock, leading to a use-after-free
given the following interleaving of execution:

Thread A: host_self_trap:
  read current_task()->itk_host         // Thread A reads itk_host

Thread B: task_set_special_port:
  *whichp = port;                       // Thread B replaces itk_host with e.g. MACH_PORT_NULL
  itk_unlock(task);

  if (IP_VALID(old))
    ipc_port_release_send(old);         // Thread B drops last ref on itk_host

Thread A: host_self_trap:
  passes the port to ipc_port_copy_send // uses the freed port

host_self_trap should use one of the canonical accessors for the task's host port, not just directly read it.
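
As an added illustration (not code from this report, from the attached PoC, or from XNU), the interleaving above replayed deterministically in a toy model of the task and port structures, once with the bare read host_self_trap performed and once through a locked accessor. The names itk_lock/itk_unlock, ipc_port_copy_send, ipc_port_release_send and task_set_special_port follow the report; task_copy_host_port, port_alloc, replay_race, the `locked` flag and the `freed` flag (which marks where the real kernel would have released the memory) are stand-ins invented for the model.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Toy model of the XNU objects named in the report; constructed for illustration, not kernel code. */
typedef struct ipc_port {
    int  refs;   /* outstanding send-right references */
    bool freed;  /* set when the last reference goes; stands in for the real free */
} ipc_port_t;

typedef struct task {
    bool        locked;   /* stands in for itk_lock_data */
    ipc_port_t *itk_host;
} task_t;

static void itk_lock(task_t *t)   { t->locked = true; }
static void itk_unlock(task_t *t) { t->locked = false; }
static void ipc_port_release_send(ipc_port_t *p) { if (--p->refs == 0) p->freed = true; }
static ipc_port_t *ipc_port_copy_send(ipc_port_t *p) { p->refs++; return p; }
static ipc_port_t *port_alloc(void) { ipc_port_t *p = calloc(1, sizeof *p); p->refs = 1; return p; }

/* task_set_special_port as described in the report: swap under the lock, release old after unlock. */
static void task_set_special_port(task_t *t, ipc_port_t *port) {
    itk_lock(t);
    ipc_port_t *old = t->itk_host;
    t->itk_host = port;
    itk_unlock(t);
    if (old) ipc_port_release_send(old);   /* may drop the last reference */
}

/* Locked accessor: copy the send right while the lock guarantees the port is still alive. */
static ipc_port_t *task_copy_host_port(task_t *t) {
    itk_lock(t);
    ipc_port_t *p = t->itk_host ? ipc_port_copy_send(t->itk_host) : NULL;
    itk_unlock(t);
    return p;
}

/* Deterministic replay of the interleaving above: A reads itk_host, B replaces it with
   MACH_PORT_NULL and drops the last reference, then A uses what it read.
   Returns true if A's use lands on a port that has already been freed. */
static bool replay_race(bool use_locked_accessor) {
    task_t t = { false, port_alloc() };
    ipc_port_t *a_port = use_locked_accessor ? task_copy_host_port(&t)  /* A: takes its own ref */
                                             : t.itk_host;              /* A: bare read, as in host_self_trap */
    task_set_special_port(&t, NULL);                  /* B: old port loses its last reference */
    bool uaf = a_port->freed;                         /* A: here ipc_port_copy_send(a_port) would run */
    if (use_locked_accessor) ipc_port_release_send(a_port);  /* A drops the reference it took */
    free(a_port);
    return uaf;
}
```

With the bare read replay_race(false) reports a use of a freed port; with the locked accessor replay_race(true) does not, because A's own reference keeps the port alive across B's update.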

PoC tested on MacOS 10.12.1
Attachment: host_race.c (2.0 KB)
Project Member Comment 1 by ianbeer@google.com, Dec 9 2016
Labels: Reported-2016-Dec-09 Id-654435982
Project Member Comment 2 by ianbeer@google.com, Jan 25 2017
Labels: CVE-2017-2360 Fixed-2017-Jan-23
Status: Fixed
MacOS advisory: https://support.apple.com/en-us/HT207483
iOS advisory: https://support.apple.com/en-us/HT207482
Project Member Comment 3 by ianbeer@google.com, Jan 25 2017
Labels: -Restrict-View-Commit