Status: Fixed
Closed: Feb 2015
OS X IOKit EoP due to lack of bounds checking in Intel GPU driver (IOAccelResource2::dirtyLevel)
Project Member Reported by ianbeer@google.com, Nov 20 2014
The Intel HD GPU driver function IGAccelGLContext::process_token_BindDrawFBOColor parses the token with ID 0x9100. The dword at offset 0x14 in the token is passed to IOAccelResource2::dirtyLevel, where it's used to compute an index for a memory write (OR'ing the low bit of a dword with 1) with no bounds checking.

PoC attached.
Attachment: ig_gl_DirtyLevel.c (6.8 KB)
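As an added illustration that is not part of the report, the attached PoC or the driver's code, the following C model shows the shape of the flaw the report describes: a 0x9100 token whose dword at offset 0x14 is used, unchecked, as the index of an OR-with-1 write, next to the hardened form that range-checks the level first. Only the token ID and the 0x14 offset come from the report; the token length, the number of dirty-level slots, the struct layout and every name here are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the report: token ID and the offset of the dword that becomes the
 * index. Everything else (token length, slot count, struct layout, names)
 * is an assumed model for illustration, not the IOAccelResource2 layout. */
#define TOKEN_BIND_DRAW_FBO_COLOR 0x9100u
#define LEVEL_FIELD_OFFSET        0x14u
#define TOKEN_LEN                 0x18u   /* assumed: just past the level field */
#define MAX_LEVELS                16u     /* assumed number of dirty-level slots */
#define NEIGHBOUR_INDEX           MAX_LEVELS

/* Assumed resource object: one dirty word per level, followed by a field
 * that an out-of-range index lands on. Both sit in a single backing array
 * so the demo write stays inside a real allocation (the actual bug lets the
 * index reach far beyond the object). */
typedef struct {
    uint32_t words[MAX_LEVELS + 1];
} fake_resource_t;

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed token: ID at offset 0, caller-chosen level at offset 0x14. */
static void build_token(uint8_t *buf, uint32_t id, uint32_t level) {
    memset(buf, 0, TOKEN_LEN);
    put_le32(buf, id);
    put_le32(buf + LEVEL_FIELD_OFFSET, level);
}

/* Model of the flaw: the untrusted level indexes the write directly. */
static void dirty_level_unchecked(fake_resource_t *res, uint32_t level) {
    res->words[level] |= 1;
}

/* Hardened form: range-check before the index is ever used. */
static int dirty_level_checked(fake_resource_t *res, uint32_t level) {
    if (level >= MAX_LEVELS)
        return -2;
    res->words[level] |= 1;
    return 0;
}

/* Returns 0 when a 0x9100 token was handled, -1 when the buffer is too short
 * or carries another ID, -2 when the checked path rejected the level. */
static int process_token(fake_resource_t *res, const uint8_t *tok, size_t len,
                         int checked) {
    if (len < TOKEN_LEN || get_le32(tok) != TOKEN_BIND_DRAW_FBO_COLOR)
        return -1;
    uint32_t level = get_le32(tok + LEVEL_FIELD_OFFSET);
    if (checked)
        return dirty_level_checked(res, level);
    dirty_level_unchecked(res, level);
    return 0;
}

/* In-range level on the checked path: its slot is set, the neighbour is not. */
static int checked_accepts_valid(void) {
    fake_resource_t r = {{0}};
    uint8_t tok[TOKEN_LEN];
    build_token(tok, TOKEN_BIND_DRAW_FBO_COLOR, 3);
    return process_token(&r, tok, sizeof tok, 1) == 0 &&
           r.words[3] == 1 && r.words[NEIGHBOUR_INDEX] == 0;
}

/* Out-of-range level on the checked path: rejected, nothing written. */
static int checked_rejects_oob(void) {
    fake_resource_t r = {{0}};
    uint8_t tok[TOKEN_LEN];
    build_token(tok, TOKEN_BIND_DRAW_FBO_COLOR, MAX_LEVELS);
    return process_token(&r, tok, sizeof tok, 1) == -2 &&
           r.words[NEIGHBOUR_INDEX] == 0;
}

/* Same token on the unchecked path: the low bit of the neighbouring field
 * is set, which is the OR-with-1 write the report describes. */
static int unchecked_corrupts_neighbour(void) {
    fake_resource_t r = {{0}};
    uint8_t tok[TOKEN_LEN];
    build_token(tok, TOKEN_BIND_DRAW_FBO_COLOR, MAX_LEVELS);
    return process_token(&r, tok, sizeof tok, 0) == 0 &&
           r.words[NEIGHBOUR_INDEX] == 1;
}

int main(void) {
    printf("checked accepts valid level:  %d\n", checked_accepts_valid());
    printf("checked rejects oob level:    %d\n", checked_rejects_oob());
    printf("unchecked corrupts neighbour: %d\n", unchecked_corrupts_neighbour());
    return 0;
}
```

The demo deliberately uses a level of exactly MAX_LEVELS so the stray write lands on a field inside the same model object; in the real driver there is no such bound, so the index can reach arbitrary kernel memory relative to the resource, which is what makes a single OR-with-1 write an EoP primitive.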
Project Member Comment 1 by ianbeer@google.com, Nov 20 2014
Labels: Reported-2014-Nov-20 Id-614636613
Project Member Comment 2 by ianbeer@google.com, Feb 5 2015
Labels: -Restrict-View-Commit Fixed-2015-Jan-27 CVE-2014-8821
Status: Fixed
Apple advisory: http://support.apple.com/en-us/HT204244