Status: Fixed
Closed: Jul 2015
OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_AllPostProcGVA
Project Member Reported by ianbeer@google.com, Apr 16 2015
The function IGAccelVideoContextMain::process_token_AllPostProcGVA trusts the dword at offset 0x10 in the input token and uses it as the index for a kernel memory write. (It adds it to a valid pointer which gets passed into patch_vphal_dndi_curbe where the write actually happens.)

This PoC looks for a MediaKernel token and moves a few things around to trigger the vuln in the AllPostProcGVA code.

tested on: MacBookAir5,2 w/ 10.10.3 (14D131)
build: clang -Wall -dynamiclib -o ig_GVA.dylib ig_GVA.c -framework IOKit -arch i386 -arch x86_64
run: DYLD_INSERT_LIBRARIES=./ig_GVA.dylib  /Applications/QuickTime\ Player.app/Contents/MacOS/QuickTime\ Player
go File -> New Movie Recording and press the red record button

Reachable from sandboxes which can talk to the GPU.
Attachment: ig_GVA.c (7.9 KB)
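The bug class described in the report, as an added userspace model (this is not the attached PoC and not Apple's driver code): a 32-bit value is pulled out of a client-supplied token and used, unchecked, as the index for a write into a kernel-side table. Only the "dword at offset 0x10" detail comes from the report; the table size, the token length and every function name below are assumptions made for illustration. The vulnerable handler is shown beside a checked one that rejects the index before any pointer arithmetic happens.

```c
/*
 * Added example (not from the report's PoC or Apple's driver): a userspace
 * model of the bug class, a 32-bit value taken from a client-supplied token
 * and used unchecked as an index for a write into kernel memory. Only the
 * "dword at offset 0x10" detail comes from the report; the table size, the
 * token length and every function name here are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CURBE_DWORDS        64     /* assumed size of the kernel-side table */
#define TOKEN_INDEX_OFFSET  0x10   /* from the report: trusted dword at +0x10 */
#define TOKEN_MIN_LEN       (TOKEN_INDEX_OFFSET + 4)
#define TOKEN_LEN           32     /* assumed total token length for the model */

/* Stand-in for the kernel structure that gets patched. */
static uint32_t curbe[CURBE_DWORDS];

/* Stand-in for the function that performs the write: base[index] = value.
 * It does no checking of its own, so the caller's validation is the only defence. */
static void patch_curbe(uint32_t *base, uint32_t index, uint32_t value)
{
    base[index] = value;
}

/* Little-endian dword read that does not rely on alignment. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Vulnerable shape: the index is taken straight from the token. A large
 * dword at +0x10 makes patch_curbe write far outside `curbe`. Returns -1
 * only for a token too short to hold the dword, otherwise 0. Kept here to
 * show the pattern; do not run it with an out-of-range index.
 */
int process_token_vulnerable(const uint8_t *tok, size_t len)
{
    if (len < TOKEN_MIN_LEN)
        return -1;
    uint32_t index = rd32(tok + TOKEN_INDEX_OFFSET);
    patch_curbe(curbe, index, 0x41414141u);   /* client-chosen index, no bound */
    return 0;
}

/*
 * Hardened shape: validate the index against the table it selects into
 * before any pointer arithmetic. Returns 0 on success, -1 for a short
 * token, -2 for an index outside the table. The unsigned comparison also
 * rejects dwords that would be negative if read as signed.
 */
int process_token_checked(const uint8_t *tok, size_t len)
{
    if (len < TOKEN_MIN_LEN)
        return -1;
    uint32_t index = rd32(tok + TOKEN_INDEX_OFFSET);
    if (index >= CURBE_DWORDS)
        return -2;
    patch_curbe(curbe, index, 0x41414141u);
    return 0;
}

/* Build a constructed token carrying `index` at +0x10 (rest zeroed). */
void make_token(uint8_t *tok, size_t len, uint32_t index)
{
    memset(tok, 0, len);
    if (len < TOKEN_MIN_LEN)
        return;
    tok[TOKEN_INDEX_OFFSET + 0] = (uint8_t)index;
    tok[TOKEN_INDEX_OFFSET + 1] = (uint8_t)(index >> 8);
    tok[TOKEN_INDEX_OFFSET + 2] = (uint8_t)(index >> 16);
    tok[TOKEN_INDEX_OFFSET + 3] = (uint8_t)(index >> 24);
}

/* Run a constructed token with `index` through the checked handler. */
int checked_with_index(uint32_t index)
{
    uint8_t tok[TOKEN_LEN];
    make_token(tok, sizeof tok, index);
    return process_token_checked(tok, sizeof tok);
}

/* Observe the table so a caller can confirm where the write landed. */
uint32_t curbe_at(uint32_t index)
{
    return index < CURBE_DWORDS ? curbe[index] : 0;
}

int main(void)
{
    printf("index 5:          %d\n", checked_with_index(5));             /* 0 */
    printf("index 64:         %d\n", checked_with_index(CURBE_DWORDS));  /* -2 */
    printf("index 0xfffffff0: %d\n", checked_with_index(0xfffffff0u));   /* -2 */
    return 0;
}
```

The point of the model is where the check lives: the write helper at the bottom of the chain cannot know the table bounds, so the handler that parses the token must reject the index before adding it to the base pointer. A signed comparison against the table size would still let a dword like 0xfffffff0 through as "negative", which is why the check is done on the unsigned value.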
Project Member Comment 1 by ianbeer@google.com, Apr 16 2015
Labels: Reported-2015-Apr-16 Id-621654644
Project Member Comment 2 by ianbeer@google.com, Apr 17 2015
Owner: ianbeer@google.com
Project Member Comment 3 by ianbeer@google.com, Jul 20 2015
Labels: CVE-2015-3699 Fixed-2015-Jun-30
Status: Fixed
https://support.apple.com/en-us/HT204942
Project Member Comment 4 by ianbeer@google.com, Jul 31 2015
Labels: -Restrict-View-Commit