17 - OS X IOKit kernel code execution due to lack of bounds checking in IOAccel2DContext2::blit - project-zero

Monorail	Project: project-zero ▼ Issues People Development process History	Sign in

Starred by 4 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Jul 2014
Cc:	fjserna@google.com █ lee...@google.com
Reported-2014-May-02 Id-605859224 Finder-ianbeer Deadline-90 CVE-2014-1377 Vendor-Apple Severity-High Product-OSX-Kernel

OS X IOKit kernel code execution due to lack of bounds checking in IOAccel2DContext2::blit

Project Member Reported by ianbeer@google.com, May 2 2014

Back to list

IOAccel2DContext2::blit is implemented in IOAcceleratorFamily2.kext - the vulnerable code can be reached from the chrome GPU process sandbox and the safari renderer sandbox.

The kernel code fails to validate an index passed from userspace which is used to index an array of pointers to Surfaces.

Provided a suitable structure can be constructed in kernel memory this bug can be leveraged for code execution since the code will call an attacker controller function pointer.

See attached blit.c for a crashing poc.

blit.c
2.5 KB Download

Project Member Comment 1 by ianbeer@google.com, May 2 2014

Labels: Id-605859224 Reported-2014-May-02

Project Member Comment 2 by ianbeer@google.com, May 12 2014

Cc: fjserna@google.com

Project Member Comment 3 by ianbeer@google.com, May 23 2014

Cc: lee...@google.com

Project Member Comment 4 by ianbeer@google.com, Jul 3 2014

Labels: CVE-2014-1377
Status: Fixed

Apple advisory: http://support.apple.com/kb/HT6296

Comment 5 by cevans@google.com, Jul 31 2014

Labels: -Restrict-View-Commit

► Sign in to add a comment