328 - OS X IOKit kernel code execution due to lack of bounds checking in IGAccelGLContext::BindQueryBufferMultiple - project-zero

Starred by 2 users

Status:	Fixed
Owner:	ianbeer@google.com
Closed:	Jul 2015
Cc:	project-...@google.com
Reported-2015-Apr-10 Id-621367272 Finder-ianbeer Deadline-90 Fixed-2015-Jun-30 Vendor-Apple CVE-2015-3695 Product-IOKit CCProjectZeroMembers Severity-High

OS X IOKit kernel code execution due to lack of bounds checking in IGAccelGLContext::BindQueryBufferMultiple

Project Member Reported by ianbeer@google.com, Apr 10 2015

Back to list

The dword at offset 0x10 of the BindQueryBufferMultiple token used by the IGAccelGLContext user client is used as the size parameter in a memory-modifying loop without any bounds checking

build:
  clang -Wall -dynamiclib -o ig_bind_qbm.dylib ig_bind_qbm.c -framework IOKit -arch i386 -arch x86_64

repro:
  DYLD_INSERT_LIBRARIES=./ig_bind_qbm.dylib  /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --single-process --no-sandbox

IMPACT:
This userclient can be instantiated in the chrome GPU process sandbox and the safari renderer sandbox.

tested on: MacBookAir5,2 w/ 10.10.3/14D131

ig_bind_qbm.c
2.7 KB Download

Project Member Comment 1 by ianbeer@google.com, Apr 10 2015

Labels: Reported-2015-Apr-10 Id-621367272

Project Member Comment 2 by ianbeer@google.com, Apr 17 2015

Owner: ianbeer@google.com

Project Member Comment 3 by ianbeer@google.com, Jul 20 2015

Labels: CVE-2015-3695 Fixed-2015-Jun-30
Status: Fixed

https://support.apple.com/en-us/HT204942

Project Member Comment 4 by ianbeer@google.com, Jul 31 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment