Issue metadata

Status: Fixed
Closed: Jun 2018

Issue 1549: MacOS kernel UAF due to lack of locking in nvidia GeForce driver

Reported by ianbeer@google.com, Mar 19 2018 Project Member

Issue description

nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService.

It calls task_deallocate without locking. Two threads can race calling this external method to drop
two task references when only one is held.

Note that the repro forks a child, which gives the nvAccelerator a different task; otherwise
the repro is more likely to leak task references than to panic.
Attachment: nvtask.c (3.1 KB)
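Added example, not from the report and not NVIDIA's or Apple's code: a user-space C model of the reference-drop race described above. The unlocked version reads the stored task pointer and then releases it, so two callers can both observe the same pointer and drop one held reference twice; the fixed version swaps the pointer out atomically so exactly one caller owns the release. All names (`struct task`, `nvdev`, `drop_task_*`, `race`) are hypothetical.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal model of a refcounted kernel task (hypothetical, not XNU's struct). */
struct task { atomic_int refs; };

/* In a real kernel, reaching 0 frees the object; a second drop is then a UAF.
 * Here we just let the count go negative so the double drop is observable. */
static void task_deallocate(struct task *t) { atomic_fetch_sub(&t->refs, 1); }

/* Device object holding at most one task reference, like the accelerator above. */
struct nvdev { struct task *_Atomic task; };

/* Vulnerable pattern: load, then clear, then release. Two threads can both
 * load the same non-NULL pointer before either clears it -> two deallocates
 * for a single held reference (the bug class described in the report). */
static void drop_task_unlocked(struct nvdev *d) {
    struct task *old = atomic_load(&d->task);
    if (old) {
        atomic_store(&d->task, NULL);
        task_deallocate(old);
    }
}

/* Fixed pattern: the swap and the ownership transfer are one atomic step,
 * so only the caller that saw the non-NULL value may release it. */
static void drop_task_locked(struct nvdev *d) {
    struct task *old = atomic_exchange(&d->task, NULL);
    if (old) task_deallocate(old);
}

struct arg { struct nvdev *dev; void (*fn)(struct nvdev *); };
static void *worker(void *p) { struct arg *a = p; a->fn(a->dev); return NULL; }

/* Run nthreads concurrent callers against a device holding ONE reference and
 * return the task's final refcount: 0 is correct, negative means a double drop. */
static int race(int nthreads, void (*fn)(struct nvdev *)) {
    struct task t = { 1 };                 /* one reference, held by the device */
    struct nvdev dev; atomic_store(&dev.task, &t);
    struct arg a = { &dev, fn };
    pthread_t th[64];
    if (nthreads > 64) nthreads = 64;
    for (int i = 0; i < nthreads; i++) pthread_create(&th[i], NULL, worker, &a);
    for (int i = 0; i < nthreads; i++) pthread_join(th[i], NULL);
    return atomic_load(&t.refs);
}

int main(void) {
    printf("unlocked final refs: %d\n", race(8, drop_task_unlocked)); /* 0 or negative */
    printf("locked   final refs: %d\n", race(8, drop_task_locked));   /* always 0 */
    return 0;
}
```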

Comment 1 by ianbeer@google.com, Mar 19 2018

Project Member
Labels: Reported-2018-Mar-19 Id-687282462

Comment 2 by ianbeer@google.com, Jun 5 2018

Project Member
Labels: Fixed-2018-June-01 CVE-2018-4230
Status: Fixed (was: New)
Fixed in MacOS 10.13.5: https://support.apple.com/en-us/HT208849

Comment 3 by ianbeer@google.com, Jun 5 2018

Project Member
Labels: -Restrict-View-Commit
