
Issue metadata

Status: Fixed
Closed: Oct 18




Issue 1615: iOS kernel UaF due to bad error handling in personas

Reported by ianbeer@google.com, Jul 10 2018 Project Member

Issue description

There was recently some cleanup in the persona code to fix some race conditions there, I don't think it was sufficient:

In kpersona_alloc_syscall if we provide an invalid userspace pointer for the idp outptr we can cause this copyout to fail:

  error = copyout(&persona->pna_id, idp, sizeof(persona->pna_id));
  if (error)
    goto out_error;

This jumps here:
  if (persona)
    persona_put(persona);

At this point the persona is actually in the global list and the reference has been transferred there; this code
is mistakenly assuming that userspace can't still race a dealloc call because it doesn't know the id.

The id is attacker controlled so it's easy to still race this (i.e. we call persona_alloc in one thread, and dealloc in another),
causing an extra call to persona_put.

It's probably possible to make the failing copyout take a long time,
allowing us to gc and zone-swap the page leading to the code attempting to drop a ref on a different type.
 
This PoC has been tested on iOS 11.3.1 because it requires root. I have taken a look at an iOS 12 beta and it looks like the vuln
is still there, but I cannot test it.
 
It should be easy to fix up this PoC to run as root in your testing environment.
 
Attachment: personas_uaf.c (3.8 KB)
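The race described in the report, as an added model that is not part of the report or its attached PoC: a userspace C simulation of the reference-counting error path, in which the second thread's dealloc is run deterministically inside the faulting copyout (the window the report describes). Every name here (model_*, alloc_buggy, alloc_fixed, run_race, user_id_slot) and the table layout are assumptions; alloc_fixed shows one correct way to handle the references, not necessarily Apple's fix.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the error-path refcount bug; not XNU code. Every name
 * here (model_*, alloc_buggy, alloc_fixed, run_race) is an assumption. */
#define MAX_PERSONAS 8

struct model_persona {
    int id;
    int refcount;  /* outstanding references; 0 means the object is freed */
    int in_list;   /* nonzero while the global list holds its reference */
};
static struct model_persona table[MAX_PERSONAS];  /* stand-in for the global list */
static int puts_on_freed;        /* each one is a use-after-free in the real kernel */
static void (*race_hook)(void);  /* the "other thread", run while copyout is stalled */
static int user_id_slot;         /* stand-in for the user-supplied idp buffer */

static void model_reset(void) {
    memset(table, 0, sizeof table);
    puts_on_freed = 0;
    race_hook = NULL;
}

static struct model_persona *model_lookup(int id) {
    for (int i = 0; i < MAX_PERSONAS; i++)
        if (table[i].in_list && table[i].id == id)
            return &table[i];
    return NULL;
}

static void model_persona_put(struct model_persona *p) {
    if (p->refcount <= 0) { puts_on_freed++; return; }  /* reference already gone */
    if (--p->refcount == 0)
        p->in_list = 0;  /* last reference dropped: freed */
}

/* A NULL user pointer faults, and the racing thread runs during the fault:
 * that is the window the report describes. */
static int model_copyout(const void *src, void *dst, size_t n) {
    if (dst == NULL) {
        if (race_hook) race_hook();
        return EFAULT;
    }
    memcpy(dst, src, n);
    return 0;
}

/* Publish to the global list; the list owns the one initial reference. */
static struct model_persona *model_publish(int id) {
    for (int i = 0; i < MAX_PERSONAS; i++) {
        if (table[i].refcount) continue;
        table[i] = (struct model_persona){ .id = id, .refcount = 1, .in_list = 1 };
        return &table[i];
    }
    return NULL;
}

/* Shape from the report: after publishing, the syscall holds no reference of
 * its own, yet its error path still calls put. */
static int alloc_buggy(int id, int *idp) {
    struct model_persona *p = model_publish(id);
    if (!p) return ENOMEM;
    int error = model_copyout(&p->id, idp, sizeof p->id);
    if (error)
        model_persona_put(p);  /* BUG: this is the list's reference, not ours */
    return error;
}

/* One correct shape (an assumption, not necessarily Apple's fix): hold our
 * own reference across the copyout and drop only that one. */
static int alloc_fixed(int id, int *idp) {
    struct model_persona *p = model_publish(id);
    if (!p) return ENOMEM;
    p->refcount++;  /* ours, separate from the list's */
    int error = model_copyout(&p->id, idp, sizeof p->id);
    model_persona_put(p);  /* drop ours on both paths; the list keeps its own */
    return error;
}

/* The racing thread: dealloc by the attacker-chosen id. */
static int model_dealloc(int id) {
    struct model_persona *p = model_lookup(id);
    if (!p) return ESRCH;
    p->in_list = 0;
    model_persona_put(p);  /* drop the list's reference */
    return 0;
}
static void racing_dealloc(void) { model_dealloc(1234); }

/* Interleaving from the report; returns the number of puts on a freed persona. */
static int run_race(int (*alloc_fn)(int, int *)) {
    model_reset();
    race_hook = racing_dealloc;
    alloc_fn(1234, NULL);  /* bad user pointer, so copyout fails */
    return puts_on_freed;
}
```

With the buggy shape, run_race reports one put on an already-freed persona (the second persona_put the report describes); with the fixed shape it reports none, and the normal success path still leaves exactly one list-owned reference.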

Comment 1 by ianbeer@google.com, Jul 10 2018

Project Member
Labels: Id-694799600 Reported-2018-Jul-10

Comment 2 by ianbeer@google.com, Oct 18

Project Member
Labels: -Restrict-View-Commit Fixed-2018-Sept-17 CVE-2018-4337
Status: Fixed (was: New)
This issue was fixed in iOS 12 but not mentioned in the bulletin. Apple assigned CVE-2018-4337 but have not updated their bulletin to mention this.

Comment 3 by kingcale...@gmail.com, Oct 19

Thank you Ian Beer for the great work & the exploit! You're the one who inspired me to get into security research!

Comment 4 by japc7441...@gmail.com, Oct 20

ianbeer has had a great vulnerability for more than 4 months, and I am getting inspired to be able to help make systems more secure.
