Starred by 6 users
Status: Fixed
Closed: Aug 2014
OS X IOKit kernel code execution due to NULL pointer dereference in IOThunderboltFamily
Project Member Reported by ianbeer@google.com, May 22 2014
IOThunderboltFamilyUserClient::xDomainRequestAction doesn't verify that a pointer is non-NULL before calling a virtual function, giving trivial kernel RIP control if the user process maps the NULL page, as this PoC demonstrates.

IOThunderboltFamilyUserClient::xDomainRequestAction is called by IOThunderboltFamilyUserClient::xDomainRequest, which is selector 13 of IOThunderboltController.
 
thunderbolt_request.c
2.5 KB Download
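The report's precondition is that the user process maps the NULL page; on Mach-O the loader normally reserves address 0 with a `__PAGEZERO` segment, so a main executable without one stands out during triage. The following is an added example, not part of the report or its attached PoC: a checker for thin little-endian Mach-O images, run here over constructed sample headers. The function names `pagezero_size`, `lacks_pagezero` and `sample_macho` are assumptions made for this illustration.

```python
import struct

MH_MAGIC, MH_MAGIC_64, MH_EXECUTE = 0xFEEDFACE, 0xFEEDFACF, 0x2
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
# magic -> (header size, segment command id, layout of segname/vmaddr/vmsize)
LAYOUT = {MH_MAGIC: (28, LC_SEGMENT, "<16sII"),
          MH_MAGIC_64: (32, LC_SEGMENT_64, "<16sQQ")}

def pagezero_size(image: bytes) -> int:
    """vmsize of a __PAGEZERO segment based at address 0, or 0 if there is none."""
    if len(image) < 28:
        raise ValueError("too short for a Mach-O header")
    magic, _, _, _, ncmds, sizeofcmds = struct.unpack_from("<6I", image, 0)
    if magic not in LAYOUT:
        raise ValueError("not a thin little-endian Mach-O image")
    off, seg_cmd, seg_fmt = LAYOUT[magic]
    end = off + sizeofcmds
    if end > len(image):
        raise ValueError("load commands run past the end of the image")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == seg_cmd and cmdsize >= 8 + struct.calcsize(seg_fmt):
            name, vmaddr, vmsize = struct.unpack_from(seg_fmt, image, off + 8)
            if name.rstrip(b"\0") == b"__PAGEZERO" and vmaddr == 0:
                return vmsize
        off += cmdsize
    return 0

def lacks_pagezero(image: bytes) -> bool:
    """True for a main executable (MH_EXECUTE) that leaves address 0 unreserved."""
    size = pagezero_size(image)  # validates the header first
    return struct.unpack_from("<I", image, 12)[0] == MH_EXECUTE and size == 0

def sample_macho(bits: int, pagezero_vmsize) -> bytes:
    """Constructed sample: header, optional __PAGEZERO, and a __TEXT segment."""
    magic = MH_MAGIC_64 if bits == 64 else MH_MAGIC
    _, seg_cmd, seg_fmt = LAYOUT[magic]
    def seg(name, vmaddr, vmsize):
        body = struct.pack(seg_fmt, name, vmaddr, vmsize) + bytes(32 if bits == 64 else 24)
        return struct.pack("<II", seg_cmd, 8 + len(body)) + body
    cmds = [] if pagezero_vmsize is None else [seg(b"__PAGEZERO", 0, pagezero_vmsize)]
    cmds.append(seg(b"__TEXT", pagezero_vmsize or 0x1000, 0x1000))
    head = struct.pack("<7I", magic, 7, 0, MH_EXECUTE, len(cmds), sum(map(len, cmds)), 0)
    return head + bytes(4 if bits == 64 else 0) + b"".join(cmds)
```

Fat (universal) binaries and big-endian images are rejected with `ValueError` rather than parsed; each architecture slice would need to be extracted and checked separately.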
Project Member Comment 1 by ianbeer@google.com, May 22 2014
Labels: Reported-2014-May-22 Id-606429626
Project Member Comment 2 by ianbeer@google.com, May 23 2014
Cc: lee...@google.com
Project Member Comment 3 by ianbeer@google.com, Aug 22 2014
Labels: Deadline-90
This bug appears to have been fixed, though I wasn't notified. I've emailed Apple to find out if it was a collision with an internal find or not.
Project Member Comment 4 by ianbeer@google.com, Aug 22 2014
Labels: -Restrict-View-Commit PublicOn-2014-August-22
Status: Fixed