Issue metadata

Status: Fixed
Closed: Jun 5

MacOS/iOS kernel heap overflow due to lack of lower size check in getvolattrlist

Reported by ianbeer@google.com (Project Member), Apr 19

Issue description

getvolattrlist takes a user-controlled bufferSize argument via the fgetattrlist syscall.

When allocating a kernel buffer to serialize the attr list into, there's the following comment:

  /*
   * Allocate a target buffer for attribute results.
   * Note that since we won't ever copy out more than the caller requested,
   * we never need to allocate more than they offer.
   */
  ab.allocated = ulmin(bufferSize, fixedsize + varsize);
  if (ab.allocated > ATTR_MAX_BUFFER) {
    error = ENOMEM;
    VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER);
    goto out;
  }
  MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK);

The problem is that the code doesn't then correctly handle the case when the user-supplied buffer size is smaller than the requested header size. If we pass ATTR_CMN_RETURNED_ATTRS we'll hit the following code:

  /* Return attribute set output if requested. */
  if (return_valid) {
    ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS;
    if (pack_invalid) {
      /* Only report the attributes that are valid */
      ab.actual.commonattr &= ab.valid.commonattr;
      ab.actual.volattr &= ab.valid.volattr;
    }
    bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual));
  }

There's no check that the allocated buffer is big enough to hold at least that.

Tested on MacOS 10.13.4 (17E199)

Attachment: getattrlist.c (2.0 KB)
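As an added illustration (this is neither the report's attached test case nor XNU code), the C model below reproduces the allocation and packing sequence quoted above: the buffer is sized to ulmin(bufferSize, fixedsize + varsize), only an upper bound against ATTR_MAX_BUFFER is enforced, and the attribute-set header is then copied to offset sizeof(uint32_t) regardless of how small the allocation is. Instead of performing the out-of-bounds copy, the model reports how many bytes it would overrun, and a lower_bound_check flag shows the missing check that makes the header fit before anything is written. The attribute_set_t layout and the ATTR_CMN_RETURNED_ATTRS value follow sys/attr.h; the ATTR_MAX_BUFFER value of 8192 is assumed to match XNU's, and all function and enum names are this example's own.

```c
/* Model of the getvolattrlist packing sequence from the report (added example, not XNU code).
 * The out-of-bounds copy is detected and reported rather than performed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ATTR_MAX_BUFFER 8192              /* assumed to match XNU's limit of the same name */
#define ATTR_CMN_RETURNED_ATTRS 0x80000000u

/* attribute_set_t as declared in <sys/attr.h>: five 32-bit attribute groups (20 bytes). */
typedef uint32_t attrgroup_t;
typedef struct {
    attrgroup_t commonattr, volattr, dirattr, fileattr, forkattr;
} attribute_set_t;

enum pack_result {
    PACK_OK = 0,
    PACK_ENOMEM,          /* allocated > ATTR_MAX_BUFFER: the existing error path */
    PACK_TOO_SMALL,       /* the added lower-bound check rejected the caller's buffer */
    PACK_WOULD_OVERFLOW   /* unchecked variant: bcopy would run past ab.allocated */
};

/* Bytes written unconditionally at the start of the result buffer: the uint32_t
 * total-length word, plus the returned attribute set when ATTR_CMN_RETURNED_ATTRS
 * was requested (return_valid != 0). */
static size_t header_bytes(int return_valid)
{
    return sizeof(uint32_t) + (return_valid ? sizeof(attribute_set_t) : 0);
}

/* bufferSize:        user-controlled size passed to fgetattrlist.
 * fixedsize/varsize: sizes the packer computed for the requested attributes.
 * lower_bound_check: 0 reproduces the reported logic, 1 adds the missing check.
 * overflow:          optional; receives the number of bytes the copy would write
 *                    past the allocation in the unchecked variant. */
static enum pack_result pack_volattrs(size_t bufferSize, size_t fixedsize, size_t varsize,
                                      int return_valid, int lower_bound_check,
                                      size_t *overflow)
{
    attribute_set_t actual;
    size_t needed = fixedsize + varsize;
    /* ab.allocated = ulmin(bufferSize, fixedsize + varsize); */
    size_t allocated = bufferSize < needed ? bufferSize : needed;
    char *base;

    memset(&actual, 0, sizeof(actual));
    if (overflow != NULL)
        *overflow = 0;

    /* The only size check in the quoted code: an upper bound. */
    if (allocated > ATTR_MAX_BUFFER)
        return PACK_ENOMEM;

    /* The check the report describes as missing: the fixed header must fit. */
    if (lower_bound_check && allocated < header_bytes(return_valid))
        return PACK_TOO_SMALL;

    base = calloc(1, allocated ? allocated : 1);   /* MALLOC(..., M_ZERO | M_WAITOK) */
    if (base == NULL)
        return PACK_ENOMEM;

    if (return_valid) {
        size_t end = sizeof(uint32_t) + sizeof(actual);
        actual.commonattr |= ATTR_CMN_RETURNED_ATTRS;
        if (end > allocated) {
            /* bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof(ab.actual)) would
             * write end - allocated bytes past the allocation. */
            if (overflow != NULL)
                *overflow = end - allocated;
            free(base);
            return PACK_WOULD_OVERFLOW;
        }
        memcpy(base + sizeof(uint32_t), &actual, sizeof(actual));
    }
    free(base);
    return PACK_OK;
}

/* Convenience wrapper: how many bytes the unchecked variant would overrun. */
static size_t overflow_bytes(size_t bufferSize, size_t fixedsize, size_t varsize, int return_valid)
{
    size_t n = 0;
    (void)pack_volattrs(bufferSize, fixedsize, varsize, return_valid, 0, &n);
    return n;
}

int main(void)
{
    /* A 4-byte caller buffer with ATTR_CMN_RETURNED_ATTRS requested: fixedsize already
     * counts the length word and the 20-byte attribute set. */
    printf("unchecked, bufferSize=4: result %d, overrun %zu bytes\n",
           pack_volattrs(4, 24, 0, 1, 0, NULL), overflow_bytes(4, 24, 0, 1));
    printf("checked,   bufferSize=4: result %d\n", pack_volattrs(4, 24, 0, 1, 1, NULL));
    printf("checked,   bufferSize=64: result %d\n", pack_volattrs(64, 24, 0, 1, 1, NULL));
    return 0;
}
```

The unchecked call with bufferSize 4 reports a 20-byte overrun of a 4-byte allocation, which is the condition the report describes; with the lower-bound check in place the same input is rejected with PACK_TOO_SMALL before the buffer is allocated, and a buffer that can hold the header packs normally.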
Comment 1 by ianbeer@google.com (Project Member), Apr 19

Labels: Id-689608216 Reported-2018-Apr-19
Comment 2 by ianbeer@google.com (Project Member), May 28

(It is possible to open '/' O_RDONLY from the Application Sandbox on iOS so you can reach this issue there)
Comment 3 by ianbeer@google.com (Project Member), Jun 5

Labels: Fixed-2018-May-29 CVE-2018-4243
Status: Fixed (was: New)
Fixed in MacOS 10.13.5: https://support.apple.com/en-us/HT208849
Fixed in iOS 11.4: https://support.apple.com/en-us/HT208848
Comment 4 by ianbeer@google.com (Project Member), Jun 5

Labels: -Restrict-View-Commit
How can I leak kaslr?
Nice work.. 
Got it thanks
Love your work man
Very interesting

Comment 10 by ianbeer@google.com (Project Member), Jun 13

Exploit for iOS 11 through iOS 11.3.1

Attachment: empty_list.zip (55.2 KB)
This is the VFS you were talking about?
Better Exploit
Comment 13 by ianbeer@google.com (Project Member), Jun 13

Labels: Restrict-AddIssueComment-EditIssue