Issue metadata

Status: Fixed
Closed: Jun 5

MacOS kernel UAF due to lack of locking in nvidia GeForce driver

Project Member Reported by ianbeer@google.com, Mar 19

Issue description

nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService.

It calls task_deallocate without locking. Two threads can race calling this external method to drop
two task references when only one is held.

Note that the repro forks a child which gives the nvAccelerator a different task; otherwise
the repro is more likely to leak task references than panic.
Attachment: nvtask.c (3.1 KB)
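As an added illustration (not the issue's attachment, nor the driver's or Apple's code), the following C model replays the check-then-release race described above on a hypothetical device object that holds one task reference, and contrasts it with a version that swaps the stored pointer atomically so each held reference is released exactly once. The names task_t, nv_device_t and app_task are constructed for this model.

```c
#include <stdatomic.h>

/* Constructed model: a task with a reference count and a device object that
 * holds at most one reference to the task that last configured it. */
typedef struct { int refs; } task_t;
typedef struct { _Atomic(task_t *) app_task; } nv_device_t;

static void task_reference(task_t *t)  { t->refs++; }
/* refs dropping below zero models an over-release: in a real kernel that is
 * the freed-object reuse behind the UAF. */
static void task_deallocate(task_t *t) { t->refs--; }

/* Vulnerable pattern, split into its two non-atomic halves so the losing
 * interleaving can be replayed deterministically. */
static task_t *racy_read_old(nv_device_t *d) { return atomic_load(&d->app_task); }
static void racy_store_and_drop(nv_device_t *d, task_t *old, task_t *new_task) {
    task_reference(new_task);
    atomic_store(&d->app_task, new_task);
    if (old) task_deallocate(old);   /* both racers release the same 'old' */
}

/* Hardened pattern: read-and-replace is one atomic exchange, so no two
 * callers can observe the same previous pointer. */
static void set_app_task_fixed(nv_device_t *d, task_t *new_task) {
    task_reference(new_task);
    task_t *old = atomic_exchange(&d->app_task, new_task);
    if (old) task_deallocate(old);
}

/* Two callers both read the old task before either stores its own.
 * Returns the old task's refcount: -1, two releases against one reference.
 * The first caller's task (a) is also never released, i.e. a leaked ref. */
int replay_unlocked(void) {
    task_t old = { .refs = 1 }, a = { .refs = 1 }, b = { .refs = 1 };
    nv_device_t d = { .app_task = &old };
    task_t *seen1 = racy_read_old(&d);
    task_t *seen2 = racy_read_old(&d);
    racy_store_and_drop(&d, seen1, &a);
    racy_store_and_drop(&d, seen2, &b);
    return old.refs;
}

/* Same sequence through the atomic-exchange version: old ends at 0,
 * a is released by the second call, b remains held by the device. */
int replay_fixed(void) {
    task_t old = { .refs = 1 }, a = { .refs = 1 }, b = { .refs = 1 };
    nv_device_t d = { .app_task = &old };
    set_app_task_fixed(&d, &a);
    set_app_task_fixed(&d, &b);
    return old.refs;
}
```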

Comment 1 by ianbeer@google.com, Mar 19

Labels: Reported-2018-Mar-19 Id-687282462

Comment 2 by ianbeer@google.com, Jun 5

Labels: Fixed-2018-June-01 CVE-2018-4230
Status: Fixed (was: New)
Fixed in MacOS 10.13.5: https://support.apple.com/en-us/HT208849

Comment 3 by ianbeer@google.com, Jun 5

Labels: -Restrict-View-Commit
