181 - OS X IOKit EoP due to lack of bounds checking in Intel GPU driver - project-zero

Starred by 4 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Feb 2015
Cc:	project-...@google.com
Id-614630648 Finder-ianbeer Deadline-90 CVE-2014-8819 Vendor-Apple Fixed-2015-Jan-27 Reported-2014-Nov-20 CCProjectZeroMembers Severity-High Product-OSX-Kernel

OS X IOKit EoP due to lack of bounds checking in Intel GPU driver

Project Member Reported by ianbeer@google.com, Nov 20 2014

Back to list

The first body dword of the token type 0x8e (BindTextures) of the Intel HD GL driver (IGAccelGLContext) is used in the function IGAccelGLContext::process_token_BindTextures to index an array of IOAccelResource2 pointers without validating that the index is valid.

By passing an invalid index we can force this function to read an IOAccelResource2 pointer out of bounds and pass it to IOAccelContext2::unbindResource which will call a virtual method on the invalid pointer.

ig_gl_BindTextures_again.c
7.3 KB Download

Project Member Comment 1 by ianbeer@google.com, Nov 20 2014

Labels: Id-614630648 Reported-2014-Nov-20

Project Member Comment 2 by ianbeer@google.com, Feb 4 2015

Labels: -Restrict-View-Commit Fixed-2015-Jan-27 CVE-2014-8819
Status: Fixed

Apple advisory: http://support.apple.com/en-us/HT204244

► Sign in to add a comment