Status: Duplicate
Merged: issue 1108
Closed: Apr 2017
MacOS/iOS kernel memory corruption due to bad bounds checking in necp_client_copy_interface
Reported by ianbeer@google.com (Project Member), Feb 8 2017
necp_client_copy_interface contains this code, where interface_index is an attacker-controlled uint32_t:

  if (interface_index != IFSCOPE_NONE && (int)interface_index <= if_index) {
    interface = ifindex2ifnet[interface_index];
  }

This leads to an interface pointer being read out of bounds. This can lead to kernel memory disclosure
and also memory corruption as a lock is taken on the interface object.

tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
Attachment: necp_sign.c (1.3 KB)
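The check quoted in the report fails because the unsigned index is cast to int before the comparison: any value of 0x80000000 or above becomes negative, compares as less than or equal to if_index, and is then used unmodified as an array index. The following is an added example that is not part of the report and not XNU code; it models the check on a simulated table (if_index is assumed to be a non-negative int as in XNU, IFSCOPE_NONE is assumed to be 0, and sizeof(void *) stands in for the element size of ifindex2ifnet). It returns the would-be offset instead of dereferencing anything, and places the vulnerable comparison beside an unsigned-domain form that rejects the wrapped values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value (xnu net/if_var.h defines IFSCOPE_NONE as 0). */
#define IFSCOPE_NONE 0u

/* Simulated kernel state: if_index is the highest valid interface index and,
 * as in XNU, is a signed int. The table is modelled as having if_index + 1
 * pointer-sized slots, so indices 1..if_index are in bounds. */
static int if_index = 8;

/* The comparison as quoted in the report. Casting the uint32_t to int turns
 * every value >= 0x80000000 into a negative number, which passes "<= if_index". */
static bool vulnerable_check(uint32_t interface_index)
{
    return interface_index != IFSCOPE_NONE && (int)interface_index <= if_index;
}

/* Hardened form: compare in the unsigned domain. if_index is non-negative, so
 * widening it to uint32_t is lossless and no attacker value can wrap past it. */
static bool fixed_check(uint32_t interface_index)
{
    return interface_index != IFSCOPE_NONE && interface_index <= (uint32_t)if_index;
}

/* Byte offset from the table base that ifindex2ifnet[interface_index] would
 * read once the check is passed; the index is used unmodified, so a value such
 * as 0xFFFFFFFF reaches tens of gigabytes beyond a pointer-sized table. */
static uint64_t oob_byte_offset(uint32_t interface_index)
{
    return (uint64_t)interface_index * sizeof(void *);
}

/* True only for a value that the quoted check accepts but the unsigned check
 * rejects, i.e. exactly the inputs that drive the out-of-bounds read. */
static bool bypasses_check(uint32_t interface_index)
{
    return vulnerable_check(interface_index) && !fixed_check(interface_index);
}

int main(void)
{
    /* Constructed inputs: one valid index, one just past the table, and two
     * values whose int cast is negative. */
    const uint32_t samples[] = { 3u, 9u, 0x80000000u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t idx = samples[i];
        printf("index 0x%08x: vulnerable=%d fixed=%d byte_offset=%llu\n",
               idx, vulnerable_check(idx), fixed_check(idx),
               (unsigned long long)oob_byte_offset(idx));
    }
    return 0;
}
```

Running it shows 3 accepted by both checks, 9 rejected by both, and 0x80000000 and 0xFFFFFFFF accepted only by the vulnerable comparison, the latter mapping to an offset of 0xFFFFFFFF elements past the table base.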
Comment 1 by ianbeer@google.com (Project Member), Feb 8 2017
Labels: Id-658883938 Reported-2017-Feb-08
Comment 2 by ianbeer@google.com (Project Member), Apr 3 2017
Labels: CVE-2017-2473 Fixed-2017-Mar-27
Merged into: 1108
Status: Duplicate
This was considered a duplicate of CVE-2017-2473
Comment 3 by ianbeer@google.com (Project Member), Apr 3 2017
Labels: -Restrict-View-Commit