New issue
Advanced search Search tips
Starred by 2 users

Issue metadata

Status: Fixed
Closed: Oct 18

Sign in to add a comment

Issue 1615: iOS kernel UaF due to bad error handling in personas

Reported by, Jul 10 2018 Project Member

Issue description

There was recently some cleanup in the persona code to fix some race conditions there, I don't think it was sufficient:

 In kpersona_alloc_syscall if we provide an invalid userspace pointer for the ipd outptr we can cause this copyout to fail:
  error = copyout(&persona->pna_id, idp, sizeof(persona->pna_id));
  if (error)
    goto out_error;

This jumps here:
  if (persona)

At this point the persona is actually in the global list and the reference has been transfered there; this code
is mistakenly assuming that userspace can't still race a dealloc call because it doesn't know the id.

The id is attacker controlled so it's easy to still race this (ie we call persona_alloc in one thread, and dealloc in another),
causing an extra call to persona_put.

It's probably possible to make the failing copyout take a long time,
allowing us to gc and zone-swap the page leading to the code attempting to drop a ref on a different type.
This PoC has been tested on iOS 11.3.1 because it requires root. I have taken a look at an iOS 12 beta and it looks like the vuln
is still there, but I cannot test it.
It should be easy to fix up this PoC to run as root in your testing environment.
3.8 KB View Download

Comment 1 by, Jul 10 2018

Project Member
Labels: Id-694799600 Reported-2018-Jul-10

Comment 2 by, Oct 18

Project Member
Labels: -Restrict-View-Commit Fixed-2018-Sept-17 CVE-2018-4337
Status: Fixed (was: New)
This issue was fixed in iOS 12 but not mentioned in the bulletin. Apple assigned CVE-2018-4337 but have not updated their bulletin to mention this.

Comment 3 by, Oct 19

Thank you Ian Beer for the great work & the Exploit! You’re the one who inspired me to get into security research!

Comment 4 by, Oct 20

ianbeer tiene mas de 4 meses que tiene una gran vulnerabilidad y me estoy inspirando para poder ayudar a que los sistemas sean mas seguro

Sign in to add a comment