1128 - MacOS kernel memory corruption due to off-by-one in audit_sdev_open - project-zero

Starred by 1 user

Status:	Duplicate
Merged:	issue 1126
Owner:	ianbeer@google.com
Closed:	Apr 2017
Cc:	project-...@google.com
Finder-ianbeer Deadline-90 Vendor-Apple CCProjectZeroMembers Severity-High Product-MacOS Id-659388553 Reported-2017-Feb-15 Fixed-2017-Mar-27 CVE-2017-2483

MacOS kernel memory corruption due to off-by-one in audit_sdev_open

Project Member Reported by ianbeer@google.com, Feb 15 2017

Back to list

The auditsession device has a copy-pasted version of the same bug as the auditpipe device:

  static int
  audit_sdev_open(dev_t dev, __unused int flags,  __unused int devtype, proc_t p)
  {
    struct audit_sdev *asdev;
    struct auditinfo_addr aia;
    int u;

    u = minor(dev);
    if (u < 0 || u > MAX_AUDIT_SDEVS)
      return (ENXIO);

    (void) audit_sdev_get_aia(p, &aia);

    AUDIT_SDEV_LIST_WLOCK();
    asdev = audit_sdev_dtab[u];


Again, that bounds check on the minor number should be >= MAX_AUDIT_SDEVS.

In the auditsession case we again end up with that oob pointer being confused with a counter,
in this case audit_sdev_drops allowing us to arbitrarily increment a struct audit_sdev pointer.

This is a root -> kernel privesc as you need to be able to mknod the auditsession device with a controlled
minor number.

tested on MacOS 10.12.3 (16D32) on MacbookAir5,2

auditsession_oob.c
1.9 KB View Download

Project Member Comment 1 by ianbeer@google.com, Feb 15 2017

Labels: Id-659388553 Reported-2017-Feb-15

Project Member Comment 2 by ianbeer@google.com, Apr 3 2017

Labels: CVE-2017-2483 Fixed-2017-Mar-27
Mergedinto: 1126
Status: Duplicate

This issue was considered a duplicate of CVE-2017-2483

Project Member Comment 3 by ianbeer@google.com, Apr 3 2017

Labels: -Restrict-View-Commit

► Sign in to add a comment