Status: Fixed
Closed: Today
MacOS kernel code execution due to lack of bounds checking in AppleIntelCapriController::GetLinkConfig
Project Member Reported by ianbeer@google.com, Oct 4
AppleIntelCapriController::GetLinkConfig trusts a user-supplied value in the structure input which it uses to index
a small table of pointers without bounds checking. The OOB-read pointer is passed to AppleIntelFramebuffer::validateDisplayMode
which will read a pointer to a C++ object from that buffer (at offset 2138h) and call a virtual method allowing trivial kernel code execution.

Tested on MacOS 10.13 (17A365) on MacBookAir5,2
 
Attachment: capri_link_config.c (1.7 KB)
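The range check the report says is missing, shown as an added illustration that is not taken from the attached proof of concept or from Apple's driver: a hypothetical external-method input whose user-supplied selector is validated against the table length before it is used as an index (the table contents, struct layout and function names are all constructed).

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the "small table of pointers"; the real table
 * layout inside AppleIntelCapriController is not on the page. */
typedef struct {
    const char *name;
    uint32_t    rate_mhz;
} link_config_t;

static const link_config_t g_link_table[4] = {
    {"link-a", 1620}, {"link-b", 2700}, {"link-c", 5400}, {"link-d", 8100},
};
#define LINK_TABLE_LEN (sizeof g_link_table / sizeof g_link_table[0])

/* Constructed shape of the "structure input": every field arrives from
 * user space and must be treated as untrusted. */
typedef struct {
    uint32_t link_index;   /* user-supplied selector into g_link_table */
} link_config_input_t;

/* Hardened pattern: validate, then index, and fail closed on bad input.
 * Comparing an unsigned index against the element count rejects both
 * oversized values and "negative" ones that a signed check would accept;
 * without this check any selector >= LINK_TABLE_LEN reads past the table. */
static const link_config_t *get_link_config_checked(const link_config_input_t *in)
{
    if (in->link_index >= LINK_TABLE_LEN)
        return NULL;       /* the caller maps NULL to an error return */
    return &g_link_table[in->link_index];
}

/* Rate for a selector, or 0 when the hardened lookup rejects it. */
uint32_t lookup_rate(uint32_t idx)
{
    link_config_input_t in = { .link_index = idx };
    const link_config_t *c = get_link_config_checked(&in);
    return c ? c->rate_mhz : 0;
}

int main(void)
{
    printf("index 2 -> %u MHz\n", lookup_rate(2));                      /* 5400 */
    printf("index 4 -> %s\n", lookup_rate(4) ? "accepted" : "rejected"); /* rejected */
    return 0;
}
```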
Project Member Comment 1 by ianbeer@google.com, Oct 4
Labels: Id-674915567 Reported-2017-Oct-04
Project Member Comment 2 by ianbeer@google.com, Nov 9
deja-vu: https://bugs.chromium.org/p/project-zero/issues/detail?id=1071

This bug was fixed in MacOS 10.12.4 then reintroduced in 10.13 :(
Project Member Comment 3 by ianbeer@google.com, Today (11 hours ago)
Labels: -Restrict-View-Commit CVE-2017-13875 Fixed-2017-Dec-06
https://support.apple.com/en-us/HT208331
Project Member Comment 4 by ianbeer@google.com, Today (11 hours ago)
Status: Fixed