
Issue 1564


Issue metadata

Status: Fixed
Closed: Jun 5


MacOS/iOS kernel heap overflow due to lack of lower size check in getvolattrlist

Project Member Reported by, Apr 19 2018

Issue description

getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall.

When allocating a kernel buffer to serialize the attr list to there's the following comment:

  /*
   * Allocate a target buffer for attribute results.
   * Note that since we won't ever copy out more than the caller requested,
   * we never need to allocate more than they offer.
   */
  ab.allocated = ulmin(bufferSize, fixedsize + varsize);
  if (ab.allocated > ATTR_MAX_BUFFER) {
    error = ENOMEM;
    VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER);
    goto out;
  }
  MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK);

The problem is that the code doesn't then correctly handle the case when the user supplied buffer size
is smaller than the requested header size. If we pass ATTR_CMN_RETURNED_ATTRS we'll hit the following code:

  /* Return attribute set output if requested. */
  if (return_valid) {
    ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS;
    if (pack_invalid) {
      /* Only report the attributes that are valid */
      ab.actual.commonattr &= ab.valid.commonattr;
      ab.actual.volattr &= ab.valid.volattr;
    }
    bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual));
  }

There's no check that the allocated buffer is big enough to hold at least that.

Tested on MacOS 10.13.4 (17E199)
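To make the size arithmetic concrete, here is an added C model of the two code paths quoted above; it is not XNU code and not part of the report. The attribute_set_t layout (five uint32_t fields) and the 4-byte length word at the start of the result buffer follow the attrlist ABI; allocated_size, returned_attrs_overrun and the hardened_check variant are this example's own, and hardened_check is one possible minimum-size check, not Apple's actual patch.

```c
/* Added model of the getvolattrlist allocation and the ATTR_CMN_RETURNED_ATTRS
 * bcopy quoted in the report. Not XNU code: attribute_set_t and the 4-byte
 * length word match the attrlist ABI, the helpers are this example's own. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define ATTR_MAX_BUFFER 8192  /* XNU's upper limit; the bug is the missing lower one */

typedef struct {
    uint32_t commonattr, volattr, dirattr, fileattr, forkattr;
} attribute_set_t;

/* Size the kernel allocates: min(caller's bufferSize, bytes the requested
 * attributes need). A tiny bufferSize therefore yields a tiny buffer. */
static size_t allocated_size(size_t bufferSize, size_t fixedsize, size_t varsize) {
    size_t need = fixedsize + varsize;
    return bufferSize < need ? bufferSize : need;
}

/* The ATTR_CMN_RETURNED_ATTRS bcopy writes sizeof(attribute_set_t) bytes at
 * offset sizeof(uint32_t), unconditionally. Returns how many of those bytes
 * land past the end of an allocation of the given size (0 = in bounds). */
static size_t returned_attrs_overrun(size_t allocated) {
    size_t end = sizeof(uint32_t) + sizeof(attribute_set_t); /* 4 + 20 = 24 */
    return end > allocated ? end - allocated : 0;
}

/* Vulnerable flow as in the report: only the upper bound is enforced. */
static int vulnerable_check(size_t bufferSize, size_t fixedsize, size_t varsize) {
    if (allocated_size(bufferSize, fixedsize, varsize) > ATTR_MAX_BUFFER) return ENOMEM;
    return 0;
}

/* Hardened flow (this example's fix, not Apple's patch): when the returned
 * attribute set will be written, reject a buffer that cannot hold it. */
static int hardened_check(size_t bufferSize, size_t fixedsize, size_t varsize, int return_valid) {
    size_t alloc = allocated_size(bufferSize, fixedsize, varsize);
    if (alloc > ATTR_MAX_BUFFER) return ENOMEM;
    if (return_valid && returned_attrs_overrun(alloc) != 0) return EINVAL;
    return 0;
}
```

With a constructed bufferSize of 8 and attributes needing 100 bytes, vulnerable_check accepts the request while returned_attrs_overrun reports 16 bytes written past the 8-byte allocation; hardened_check returns EINVAL for the same input.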

Comment 1 by, Apr 19 2018

Labels: Id-689608216 Reported-2018-Apr-19

Comment 2 by, May 28 2018

(It is possible to open '/' O_RDONLY from the Application Sandbox on iOS so you can reach this issue there)

Comment 3 by, Jun 5

Labels: Fixed-2018-May-29 CVE-2018-4243
Status: Fixed (was: New)
Fixed in MacOS 10.13.5:
Fixed in iOS 11.4:

Comment 4 by, Jun 5

Labels: -Restrict-View-Commit
How can I leak kaslr?
Nice work.. 
Got it thanks
Love your work man
Very interesting


Comment 10 by, Jun 13

Exploit for iOS 11 through iOS 11.3.1
This is the VFS you were talking about?
Better Exploit

Comment 13 by, Jun 13

Labels: Restrict-AddIssueComment-EditIssue