Status: Fixed
Closed: Feb 2015
Exploitable Kernel NULL dereference in IGAccelCLContext::map_user_memory
Project Member Reported by ianbeer@google.com, Nov 21 2014
map_user_memory is selector 0x100 of userclient type 0x8 of IntelAccelerator

The field at offset 0x510 is a pointer to the task struct from which a vm_map_t is read.
By just opening the userclient and calling selector 0x100 with the right number of arguments, the field at 0x510 is NULL, meaning that the code will try to read a field of a task struct on the NULL page.

This PoC maps the NULL page to show control of a vm_map_t. Presumably bad things can be done with this.

tested on: MacBookAir5,2 w/ 10.10.1 (14B25)
Attachment: ig_cl_100.c (3.0 KB)
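The following is an added illustration of the bug shape the report describes; it is not the attached PoC, not Apple's driver code, and it does not touch IOKit. The object layouts are hypothetical models built to match the report: the context object carries a task pointer at offset 0x510 that is still NULL right after the user client is opened, and map_user_memory reads a vm_map_t through that pointer. The offset of the map field inside the task model (0x20) is a placeholder, not XNU's real layout. The vulnerable shape is shown next to a hardened one that refuses the call until the task pointer has been set, and a stack-allocated fake task stands in for the attacker-mapped NULL page.

```c
/* Added example modelling the NULL task-pointer dereference described in this
 * issue. Layouts are hypothetical and chosen only to mirror the report. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the kernel's vm_map structure. */
typedef struct vm_map {
    uint64_t hdr_links[2];
    uint64_t pmap;
} *vm_map_t;

/* Hypothetical model of a task struct: map is the field map_user_memory
 * reads through the task pointer. The 0x20 of padding is a placeholder. */
struct task_model {
    uint8_t  pad[0x20];
    vm_map_t map;
};

/* Hypothetical model of IGAccelCLContext: only the field at 0x510 matters
 * for this bug. It stays NULL until some other selector fills it in. */
struct ig_cl_context {
    uint8_t            pad[0x510];
    struct task_model *task;
};

enum { IG_OK = 0, IG_NOT_READY = -1 };

/* Vulnerable shape: trusts that task has already been set. On a freshly
 * opened user client task is NULL, so this reads the pointer stored at
 * NULL + offsetof(struct task_model, map), an address inside the NULL page
 * that user space can map and fill with a fake vm_map_t. */
static vm_map_t map_user_memory_vuln(struct ig_cl_context *ctx)
{
    return ctx->task->map;
}

/* Hardened shape: reject the call until the context has a task. */
static int map_user_memory_fixed(struct ig_cl_context *ctx, vm_map_t *out)
{
    if (ctx->task == NULL)
        return IG_NOT_READY;
    *out = ctx->task->map;
    return IG_OK;
}

/* A context as produced by just opening the user client: all zero. */
static void ig_cl_context_init(struct ig_cl_context *ctx)
{
    memset(ctx, 0, sizeof *ctx);
}

/* Offset inside the NULL page where the attacker's fake vm_map_t pointer
 * must sit for the vulnerable path to pick it up. */
static size_t controlled_slot_offset(void)
{
    return offsetof(struct task_model, map);
}

int main(void)
{
    struct ig_cl_context ctx;
    vm_map_t map = NULL;

    ig_cl_context_init(&ctx);
    printf("task pointer lives at context+0x%zx\n",
           offsetof(struct ig_cl_context, task));
    printf("hardened call on fresh context -> %d\n",
           map_user_memory_fixed(&ctx, &map));

    /* Stand-in for the attacker-controlled NULL page: a fake task whose
     * map field points at a fake vm_map. Calling the vulnerable version
     * with ctx.task == NULL would instead fault (or, with the NULL page
     * mapped, return whatever user space placed at offset 0x20). */
    struct vm_map fake_map = {{0, 0}, 0};
    struct task_model fake_task;
    memset(&fake_task, 0, sizeof fake_task);
    fake_task.map = &fake_map;
    ctx.task = &fake_task;

    printf("controlled slot offset in NULL page: 0x%zx\n",
           controlled_slot_offset());
    printf("vulnerable path returned the fake map: %s\n",
           map_user_memory_vuln(&ctx) == &fake_map ? "yes" : "no");
    return 0;
}
```

The point of the model is the missing precondition: the real fix is whatever Apple did to ensure the task pointer is valid before it is dereferenced, and the attached PoC shows the attacker-side half (mapping the NULL page so the read at the task's map offset returns a chosen pointer). Here the fake task on the stack plays the role of that mapped page.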
Project Member Comment 1 by ianbeer@google.com, Nov 21 2014
Labels: Reported-2014-Nov-21 Id-614704287
Project Member Comment 2 by ianbeer@google.com, Feb 4 2015
Labels: -Restrict-View-Commit Fixed-2015-Jan-27 CVE-2014-8820
Status: Fixed
Apple advisory: http://support.apple.com/en-us/HT204244