Status: Fixed
Closed: May 2017
MacOS uses an insecure swap file
Project Member Reported by ianbeer@google.com, Feb 16 2017
This came out of a discussion with Jann Horn this afternoon; credit is his.

It turns out that even with SIP enabled a regular root user can write to the swapfile under /private/var/vm/swapfile0.

That file is created on demand when the system starts to swap; if you can't see it increase system load.

Then as root (with SIP enabled) do:

cat /dev/urandom > /private/var/vm/swapfile0

We observed multiple interesting-looking kernel panics including in the swapfile decompression code and also the intel GPU driver doing something with GPU pages.
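As an added defender's check, not part of the report above or of Apple's fix: a Python audit of a swap file's ownership, mode bits and BSD file flags. The point the report makes is that ordinary mode bits are irrelevant against a root process; only a mandatory control such as SIP's `restricted` file flag stops root from overwriting the file. The script assumes the XNU definition of `SF_RESTRICTED` (0x00080000), which the page does not mention, and on systems without `st_flags` (Linux) it simply reports the flag as absent. Whether Apple's 10.12.5 fix set that flag on the swap file is not stated on the page; the check only tells you what state your own machine is in.

```python
import os
import stat
import tempfile

# Swap file path named in the report.
SWAPFILE = "/private/var/vm/swapfile0"

# Assumed value of SF_RESTRICTED from XNU's bsd/sys/stat.h ("entitlement
# required for writing"). Older Python releases do not expose it in `stat`.
SF_RESTRICTED = 0x00080000


def audit_swapfile(path):
    """Return a dict of facts about the file, or None if it does not exist
    yet (macOS creates the swap file only once the system starts swapping)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    mode = st.st_mode
    flags = getattr(st, "st_flags", 0)  # BSD/macOS only; 0 elsewhere
    return {
        "is_regular_file": stat.S_ISREG(mode),
        "owned_by_root": st.st_uid == 0,
        "no_group_write": not (mode & stat.S_IWGRP),
        "no_other_write": not (mode & stat.S_IWOTH),
        "sip_restricted": bool(flags & SF_RESTRICTED),
    }


def writable_by_root(findings):
    """Root bypasses discretionary mode bits, so without the SIP restricted
    flag any root process can overwrite the file, mode bits notwithstanding."""
    return not findings["sip_restricted"]


def constructed_sample_file():
    """Create a constructed stand-in file (mode 0600) so the audit can be
    exercised on a machine that has no macOS swap file."""
    fd, path = tempfile.mkstemp(prefix="swapfile-audit-")
    os.close(fd)
    os.chmod(path, 0o600)
    return path


def main():
    findings = audit_swapfile(SWAPFILE)
    if findings is None:
        print(f"{SWAPFILE}: not present (system has not started swapping)")
        return
    for name, ok in findings.items():
        print(f"{name:18s} {'ok' if ok else 'CHECK'}")
    if writable_by_root(findings):
        print("no SIP restricted flag: a root process can overwrite this file")


if __name__ == "__main__":
    main()
```

Run it as root on macOS to audit the real path; `constructed_sample_file()` exists only so the logic can be tried elsewhere.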
Project Member Comment 1 by ianbeer@google.com, Feb 16 2017
Labels: Id-659493632 Reported-2017-Feb-16
Project Member Comment 2 by ianbeer@google.com, May 17 2017
Labels: CVE-2017-2494 Fixed-2017-May-15
Status: Fixed
Fixed in MacOS 10.12.5: https://support.apple.com/en-us/HT207797
Project Member Comment 3 by jannh@google.com, May 17 2017
Labels: -Restrict-View-Commit
Project Member Comment 4 by jannh@google.com, Jun 2
Labels: Methodology-manual-experiment