requirements: A bluetooth device must be connected (tested with an Apple bluetooth keyboard)
IOBluetoothDeviceUserClient::clientMemoryForType memory type 0xff calls
__ZN17IOBluetoothDevice18getSCOOutputBufferEv
which calls IOBluetoothDevice::initializeRingBuffer to allocate a buffer to
map into userspace.
IOBluetoothDevice18getSCOOutputBuffer:
...
lea rsi, [rbx+178h] <-- pass pointer to this+0x178 in rsi
mov edx, 3C00h
add rsp, 8
pop rbx
pop rbp
jmp rax <-- tail call to initializeRingBuffer
IOBluetoothDevice::initializeRingBuffer(_IOBluetoothRingBuffer **, int):
...
mov r14, rsi <-- save pointer to this+0x178
...
call __ZN24IOBufferMemoryDescriptor11withOptionsEjmm ; IOBufferMemoryDescriptor::withOptions(uint,ulong,ulong)
mov r12, rax
mov rax, [r12]
mov rdi, r12
call qword ptr [rax+20h] ; ::retain
mov rax, [r12]
mov rdi, r12
call qword ptr [rax+2E0h] ; IOBufferMemoryDescriptor::getBytesNoCopy(void)
mov rbx, rax <-- pointer to buffer in kernel space (will be shared with userspace)
lea rdi, [rbx+10h] ; void *
xor esi, esi ; int
mov rdx, r15 ; size_t
call _memset <-- clear it
mov dword ptr [rbx], 0
mov dword ptr [rbx+4], 0
mov dword ptr [rbx+8], 0
mov [rbx+0Ch], r13d <-- write the size as the fourth dword
mov [r14], rbx <-- save buffer pointer
This buffer will then be mapped into userspace.
Calling external method 4 eventually reaches the following code:
IOBluetoothDevice::startSCOOutput:
__text:0000000000030F62 mov rdi, [rbx+178h] <-- pointer to shared buffer
__text:0000000000030F69 test rdi, rdi
__text:0000000000030F6C jz loc_31039
__text:0000000000030F72 mov r14d, 0E00002D2h
__text:0000000000030F78 cmp byte ptr [rbx+188h], 0
__text:0000000000030F7F jnz loc_31060
__text:0000000000030F85 mov esi, [rdi+0Ch] ; size_t <-- read size from userspace shared mem
__text:0000000000030F88 add rdi, 10h ; void *
__text:0000000000030F8C call _bzero <-- passed as size arg to bzero
Userspace can modify the size in shared memory leading to the bzero writing a controlled number of NULL bytes off the end of the buffer.
