
Issue metadata

Status: Fixed
Closed: Jun 2018


Issue 1564: MacOS/iOS kernel heap overflow due to lack of lower size check in getvolattrlist

Reported by, Apr 19 2018 Project Member

Issue description

getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall.

When allocating a kernel buffer to serialize the attr list to there's the following comment:

  /*
   * Allocate a target buffer for attribute results.
   * Note that since we won't ever copy out more than the caller requested,
   * we never need to allocate more than they offer.
   */
  ab.allocated = ulmin(bufferSize, fixedsize + varsize);
  if (ab.allocated > ATTR_MAX_BUFFER) {
    error = ENOMEM;
    VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER);
    goto out;
  }
  MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK);

The problem is that the code doesn't then correctly handle the case when the user supplied buffer size
is smaller than the requested header size. If we pass ATTR_CMN_RETURNED_ATTRS we'll hit the following code:

  /* Return attribute set output if requested. */
  if (return_valid) {
    ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS;
    if (pack_invalid) {
      /* Only report the attributes that are valid */
      ab.actual.commonattr &= ab.valid.commonattr;
      ab.actual.volattr &= ab.valid.volattr;
    }
    bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual));
  }

There's no check that the allocated buffer is big enough to hold at least that.

Tested on MacOS 10.13.4 (17E199)
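The sizing logic quoted in the issue description, reduced to a user-space model with the missing bounds check added. This is an added illustration, not XNU code and not the reporter's proof of concept: attribute_set_t, the 8192-byte ATTR_MAX_BUFFER, choose_allocation, pack_returned_attrs and simulate_getvolattrlist are constructed stand-ins for the kernel types and functions, and the sizes passed in the usage are made up. The point it shows is that ulmin(bufferSize, fixedsize + varsize) happily yields an allocation smaller than the uint32_t length word plus the attribute_set_t header that the ATTR_CMN_RETURNED_ATTRS path writes unconditionally, and what the guard in front of that write has to compare against.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for XNU's attribute_set_t: five 32-bit bitmaps. */
typedef struct {
    uint32_t commonattr, volattr, dirattr, fileattr, forkattr;
} attribute_set_t;

#define ATTR_CMN_RETURNED_ATTRS 0x80000000u
#define ATTR_MAX_BUFFER 8192 /* assumed limit, as in the VFS_DEBUG message on the page */

/* Bytes the returned-attrs path writes before any bounds check in the
 * original: a uint32_t length word followed by the attribute_set_t. */
#define RETURNED_ATTRS_HEADER_SIZE (sizeof(uint32_t) + sizeof(attribute_set_t))

static size_t ulmin(size_t a, size_t b) { return a < b ? a : b; }

/* Mirrors the allocation sizing quoted above: never allocate more than the
 * caller offered. A tiny bufferSize therefore becomes a tiny kernel buffer. */
size_t choose_allocation(size_t bufferSize, size_t fixedsize, size_t varsize) {
    return ulmin(bufferSize, fixedsize + varsize);
}

/* Hardened stand-in for the bcopy of ab.actual: refuse when the buffer cannot
 * hold the length word plus the bitmap. Returns 0 on success, ERANGE when the
 * buffer is too small (the lower-bound check the original lacked). */
int pack_returned_attrs(char *base, size_t allocated, const attribute_set_t *actual) {
    if (allocated < RETURNED_ATTRS_HEADER_SIZE)
        return ERANGE;
    memcpy(base + sizeof(uint32_t), actual, sizeof(*actual));
    return 0;
}

/* Runs the whole sizing-then-write path on constructed sizes and reports the
 * outcome: ENOMEM for oversized requests, ERANGE for undersized ones, 0 if the
 * header fits. */
int simulate_getvolattrlist(size_t bufferSize, size_t fixedsize, size_t varsize) {
    size_t allocated = choose_allocation(bufferSize, fixedsize, varsize);
    if (allocated > ATTR_MAX_BUFFER)
        return ENOMEM;
    char *base = calloc(1, allocated ? allocated : 1); /* M_ZERO equivalent */
    if (base == NULL)
        return ENOMEM;
    attribute_set_t actual;
    memset(&actual, 0, sizeof(actual));
    actual.commonattr |= ATTR_CMN_RETURNED_ATTRS;
    int rc = pack_returned_attrs(base, allocated, &actual);
    free(base);
    return rc;
}

int main(void) {
    /* Constructed sizes: a caller offering 4 bytes for a 64-byte fixed result. */
    printf("header needs %zu bytes\n", RETURNED_ATTRS_HEADER_SIZE);
    printf("bufferSize=4   -> allocated=%zu, rc=%d (ERANGE=%d)\n",
           choose_allocation(4, 64, 0), simulate_getvolattrlist(4, 64, 0), ERANGE);
    printf("bufferSize=64  -> rc=%d\n", simulate_getvolattrlist(64, 64, 0));
    printf("bufferSize=1MB -> rc=%d (ENOMEM=%d)\n",
           simulate_getvolattrlist(1 << 20, 1 << 20, 0), ENOMEM);
    return 0;
}
```

The upper bound against ATTR_MAX_BUFFER is the only size check in the quoted code; the lower bound in pack_returned_attrs is what turns the undersized case into an error return instead of a write past the end of the allocation.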

Comment 1 by, Apr 19 2018

Project Member
Labels: Id-689608216 Reported-2018-Apr-19

Comment 2 by, May 28 2018

Project Member
(It is possible to open '/' O_RDONLY from the Application Sandbox on iOS so you can reach this issue there)

Comment 3 by, Jun 5 2018

Project Member
Labels: Fixed-2018-May-29 CVE-2018-4243
Status: Fixed (was: New)
Fixed in MacOS 10.13.5:
Fixed in iOS 11.4:

Comment 4 by, Jun 5 2018

Project Member
Labels: -Restrict-View-Commit

Comment 5 by, Jun 6 2018

How can I leak kaslr?

Comment 6 by, Jun 6 2018

Nice work..

Comment 7 by, Jun 6 2018

Got it thanks

Comment 8 by, Jun 8 2018

Love your work man

Comment 9 by, Jun 9 2018

Very interesting

Comment 10 by, Jun 13 2018

Project Member
Exploit for iOS 11 through iOS 11.3.1

Comment 11 by, Jun 13 2018

This is the VFS you were talking about?

Comment 12 by, Jun 13 2018

Better Exploit

Comment 13 by, Jun 13 2018

Project Member
Labels: Restrict-AddIssueComment-EditIssue
