Status: Fixed
Closed: Sep 2014
OS X IOKit kernel code execution due to lack of bounds checking in IOAccelDisplayPipeTransaction2::set_plane_gamma_table
Project Member Reported by ianbeer@google.com, Jun 16 2014
IOAccelDisplayPipe2::transaction_set_plane_gamma_table fails to verify the second dword of IOAccelDisplayPipeGammaTableArgs which can be controlled by calling the external method with selector 5 of IOAccelDisplayPipeUserClient2.

This unchecked dword is passed to IOAccelDisplayPipeTransaction2::set_plane_gamma_table where it is used as an index to read a pointer to a C++ object from an array. By specifying a large index this will read a C++ object pointer out-of-bounds. The code then calls a virtual function on this object.

Impact:
This userclient can be instantiated in the chrome GPU process sandbox and the safari renderer sandbox.

Attachment: gamma.c (4.1 KB)
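The bug class in the report, an unchecked caller-controlled index used to fetch an object pointer that is then called through, shown beside the bounds-checked form. This is an added, hypothetical reconstruction of the pattern, not the IOAccelDisplayPipe2 code or Apple's fix: the struct layout, the table size and the function-pointer stand-in for the virtual call are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Simplified, hypothetical model of the pattern described in the report.
 * Type names, table size and object layout are assumptions for illustration,
 * not Apple's definitions. The virtual call is modelled as a function pointer. */
typedef struct {
    uint32_t plane;        /* first dword of the argument structure */
    uint32_t table_index;  /* second dword: the value the report says is never verified */
} GammaTableArgs;

typedef struct PlaneObject {
    int (*set_gamma)(struct PlaneObject *self);  /* stands in for the virtual method */
    int id;
} PlaneObject;

static int plane_set_gamma(PlaneObject *self) { return 100 + self->id; }

#define MAX_PLANES 4
static PlaneObject planes[MAX_PLANES] = {
    { plane_set_gamma, 0 }, { plane_set_gamma, 1 },
    { plane_set_gamma, 2 }, { plane_set_gamma, 3 }
};
/* Constructed table: one slot deliberately NULL to show why the pointer read
 * from the table must also be checked before it is dereferenced. */
static PlaneObject *plane_table[MAX_PLANES] = { &planes[0], &planes[1], NULL, &planes[3] };

/* The unchecked shape: any index >= MAX_PLANES reads a pointer past the end of
 * plane_table and then makes an indirect call through whatever was read. */
static int set_plane_gamma_table_unchecked(const GammaTableArgs *args) {
    PlaneObject *obj = plane_table[args->table_index];
    return obj->set_gamma(obj);
}

/* The hardened shape: validate the caller-controlled index against the real
 * table length before it is used, and reject empty slots as well.
 * Returns -1 for a rejected request, otherwise the method's result. */
static int set_plane_gamma_table_checked(const GammaTableArgs *args) {
    if (args->table_index >= MAX_PLANES)   /* unsigned compare: no negative index case */
        return -1;
    PlaneObject *obj = plane_table[args->table_index];
    if (obj == NULL)
        return -1;
    return obj->set_gamma(obj);
}
```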
Project Member Comment 1 by ianbeer@google.com, Jun 16 2014
Labels: Reported-2014-June-16
Project Member Comment 2 by ianbeer@google.com, Jun 16 2014
Labels: Id-607134906
Project Member Comment 3 by ianbeer@google.com, Aug 22 2014
Labels: Deadline-90
Project Member Comment 4 by ianbeer@google.com, Sep 14 2014
Labels: -Restrict-View-Commit Deadline-Exceeded PublicOn-2014-September-14
Deadline exceeded - automatically derestricting
Comment 5 by cevans@google.com, Sep 23 2014
Labels: -Reported-2014-June-16 -PublicOn-2014-September-14 Reported-2014-Jun-16 PublicOn-2014-Sep-14 Fixed-2014-Sep-17 CVE-2014-4402
Status: Fixed
http://support.apple.com/kb/HT6443