Status: Fixed
Closed: Jul 2014
OS X IOKit kernel code execution due to unchecked pointer parameter in IGAccelCLContext::unmap_user_memory
Project Member Reported by ianbeer@google.com, May 2 2014
The Intel OpenCL IOKit userclient has pretty much exactly the same bug as the OpenGL one - they trust a user-supplied pointer and call a virtual function off of it.

Specifically the function IGAccelCLContext::unmap_user_memory is reachable as selector 0x101.

Attached poc hello.c (uses the apple OpenCL hello world example to initialize OpenCL and get the correct userclient) will kernel panic dereferencing 0x4141414141414141. Compile with -framework OpenCL -framework IOKit

This should be reachable from the chrome gpu process sandbox and the safari renderer sandbox.
 
Attachment: hello.c (11.1 KB)
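As an added illustration, not the attached hello.c, not Apple's driver code, and not a reconstruction of IGAccelCLContext, the C model below contrasts the pattern the report describes (a userclient method that treats a user-supplied 64-bit value as a kernel object pointer and makes a virtual call through it) with the usual defensive design: userland refers to kernel objects by an opaque index into a kernel-owned table, and the method bounds-checks and validates that index before touching the object. Every type and function name here is hypothetical; the vulnerable variant is only ever called with a kernel-owned object so the program runs safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical driver-side object with a vtable (models a C++ object). */
typedef struct mapping mapping_t;
typedef struct {
    int (*unmap)(mapping_t *m);
} mapping_ops_t;

struct mapping {
    const mapping_ops_t *ops;   /* "vtable" pointer */
    uint64_t user_addr;
    size_t length;
    int mapped;
};

static int do_unmap(mapping_t *m) {
    if (!m->mapped) return -1;
    m->mapped = 0;
    return 0;
}
static const mapping_ops_t mapping_ops = { do_unmap };

/* Argument structure the userclient method receives, copied in from userland
 * verbatim. The kernel must not trust the value inside it. */
typedef struct {
    uint64_t mapping;   /* raw pointer (vulnerable) or table index (hardened) */
} unmap_args_t;

/* Vulnerable pattern (hypothetical): the user-supplied value is cast straight
 * to a kernel pointer and a virtual call is made through its vtable, so the
 * caller chooses where the vtable is read from. With an arbitrary value such
 * as the one in the report this is simply a wild dereference. */
int unmap_user_memory_vulnerable(const unmap_args_t *args) {
    mapping_t *m = (mapping_t *)(uintptr_t)args->mapping;
    return m->ops->unmap(m);
}

/* Hardened pattern (hypothetical): userland names mappings by an opaque index
 * into a per-context table that only kernel code writes. */
#define MAX_MAPPINGS 8
typedef struct {
    mapping_t slots[MAX_MAPPINGS];
    int in_use[MAX_MAPPINGS];
} cl_context_t;

/* Register a mapping and hand back its index (or -1 when the table is full). */
int context_map(cl_context_t *ctx, uint64_t user_addr, size_t len) {
    for (int i = 0; i < MAX_MAPPINGS; i++) {
        if (!ctx->in_use[i]) {
            ctx->slots[i] = (mapping_t){ &mapping_ops, user_addr, len, 1 };
            ctx->in_use[i] = 1;
            return i;
        }
    }
    return -1;
}

/* Bounds-check and liveness-check the index before the virtual call. */
int unmap_user_memory_hardened(cl_context_t *ctx, const unmap_args_t *args) {
    if (args->mapping >= MAX_MAPPINGS) return -2;  /* outside the table */
    int idx = (int)args->mapping;
    if (!ctx->in_use[idx]) return -3;              /* never mapped or already freed */
    mapping_t *m = &ctx->slots[idx];
    int rc = m->ops->unmap(m);
    if (rc == 0) ctx->in_use[idx] = 0;             /* invalidate the handle */
    return rc;
}

int main(void) {
    cl_context_t ctx;
    memset(&ctx, 0, sizeof ctx);
    int h = context_map(&ctx, 0x10000, 4096);        /* constructed sample mapping */
    unmap_args_t good = { (uint64_t)h };
    unmap_args_t bad  = { 0x4141414141414141ULL };  /* the value from the report */
    printf("valid handle:  %d\n", unmap_user_memory_hardened(&ctx, &good));
    printf("stale handle:  %d\n", unmap_user_memory_hardened(&ctx, &good));
    printf("bogus value:   %d\n", unmap_user_memory_hardened(&ctx, &bad));
    return 0;
}
```

The point of the hardened variant is that the only pointer ever dereferenced is computed by the kernel from its own table; the user-controlled value is an index that is range-checked and checked against a kernel-maintained in-use flag, so a bogus or stale value yields an error code instead of a virtual call through attacker-chosen memory.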
Project Member Comment 1 by ianbeer@google.com, May 2 2014
Summary: OS X IOKit kernel code execution due to unchecked pointer parameter in IGAccelCLContext::unmap_user_memory (was: OS X IOKit kernel code execution due to unchecked pointer parameter in IGAccelGLContext::unmap_user_memory)
Project Member Comment 2 by ianbeer@google.com, May 2 2014
Labels: Reported-2014-May-03
Project Member Comment 3 by ianbeer@google.com, May 2 2014
Labels: Id-605870017
Project Member Comment 4 by ianbeer@google.com, May 12 2014
Cc: fjserna@google.com
Project Member Comment 5 by ianbeer@google.com, May 23 2014
Cc: lee...@google.com
Project Member Comment 6 by ianbeer@google.com, Jul 3 2014
Labels: CVE-2014-1376
Status: Fixed
Apple advisory: http://support.apple.com/kb/HT6296
Comment 7 by cevans@google.com, Jul 31 2014
Labels: -Restrict-View-Commit