
Issue 1549

Starred by 2 users

Issue metadata

Status: Fixed
Closed: Jun 5


MacOS kernel UAF due to lack of locking in nvidia GeForce driver

Project Member Reported by, Mar 19 2018

Issue description

nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService.

It calls task_deallocate without locking. Two threads can race calling this external method to drop
two task references when only one is held.

Note that the repro forks a child which gives the nvAccelerator a different task; otherwise
the repro is more likely to leak task references than to panic.
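To show the bug class the report describes in isolation, here is an added C illustration that is not part of the report or the driver: a device that holds exactly one reference on a task, a release path that reads the pointer, drops the reference and only then clears the field without any lock, and the hardened form that atomically takes ownership of the pointer before dropping it. All names (fake_task, fake_device, release_task_racy, release_task_fixed, run_scenario) are constructed stand-ins; the "yield" hook models the preemption point between the read and the clear so the interleaving is reproducible in one thread instead of depending on a real scheduler.

```c
/* Added illustration of an unsynchronized reference-drop race and its fix.
 * Constructed example; fake_task/fake_device are not kernel or driver types. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a reference-counted task object. */
typedef struct {
    int refs;
    int freed;   /* set once the last reference has been dropped */
} fake_task;

static int deallocate_calls;   /* how often the release routine ran */

/* Stand-in for task_deallocate(): drop one reference, free at zero. */
static void fake_task_deallocate(fake_task *t) {
    deallocate_calls++;
    if (--t->refs == 0) t->freed = 1;
}

/* Per-device state holding at most one task reference. */
typedef struct {
    _Atomic(fake_task *) task;
} fake_device;

typedef void (*yield_fn)(fake_device *);

/* Racy pattern: read, drop, then clear, with no lock. A second caller that
 * enters between the read and the clear also sees a non-NULL pointer and
 * drops the single held reference a second time. The yield hook is where
 * that second caller runs. */
static void release_task_racy(fake_device *d, yield_fn yield) {
    fake_task *t = atomic_load(&d->task);
    if (t == NULL) return;
    if (yield) yield(d);            /* preemption window */
    fake_task_deallocate(t);
    atomic_store(&d->task, NULL);
}

/* Hardened form: atomically take the pointer out of the device before
 * dropping it, so only one caller can ever observe the non-NULL value.
 * A mutex held across read-drop-clear is the equivalent fix in a driver. */
static void release_task_fixed(fake_device *d, yield_fn yield) {
    fake_task *t = atomic_exchange(&d->task, NULL);
    if (yield) yield(d);            /* same window, now harmless */
    if (t == NULL) return;
    fake_task_deallocate(t);
}

/* The "second thread": re-enters the same release path once. */
static void second_caller_racy(fake_device *d)  { release_task_racy(d, NULL); }
static void second_caller_fixed(fake_device *d) { release_task_fixed(d, NULL); }

typedef struct {
    int deallocate_calls;   /* 2 means the one reference was dropped twice */
    int refs_left;          /* -1 means a freed object was touched again */
} scenario_result;

/* Run one scenario: a device holding a single reference, two overlapping
 * callers of the release path. hardened=0 uses the racy version. */
static scenario_result run_scenario(int hardened) {
    fake_task task = { .refs = 1, .freed = 0 };   /* constructed: one reference held */
    fake_device dev;
    atomic_init(&dev.task, &task);
    deallocate_calls = 0;
    if (hardened) release_task_fixed(&dev, second_caller_fixed);
    else          release_task_racy(&dev, second_caller_racy);
    return (scenario_result){ deallocate_calls, task.refs };
}

int main(void) {
    scenario_result racy = run_scenario(0), fixed = run_scenario(1);
    printf("racy : deallocate calls=%d refs=%d\n", racy.deallocate_calls, racy.refs_left);
    printf("fixed: deallocate calls=%d refs=%d\n", fixed.deallocate_calls, fixed.refs_left);
    return 0;
}
```

The racy run drops the one held reference twice and leaves the count at -1, which is the double-release that turns into a use-after-free on a real object; the fixed run drops it exactly once. Replacing the hook with real threads would reproduce the same outcome only intermittently, which is why the report notes the repro is more likely to leak than to panic without its forked child.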
Comment 1 by Project Member, Mar 19 2018

Labels: Reported-2018-Mar-19 Id-687282462
Comment 2 by Project Member, Jun 5

Labels: Fixed-2018-June-01 CVE-2018-4230
Status: Fixed (was: New)
Fixed in MacOS 10.13.5:
Comment 3 by Project Member, Jun 5

Labels: -Restrict-View-Commit
