Starred by 3 users
Status: Fixed
Closed: Jul 2015
OS X IOKit kernel code execution due to insufficient bounds checking in nvidia GeForce command buffer processing
Project Member Reported by ianbeer@google.com, Apr 23 2015
The dword at offset +0x78 of token type 0x8900 of the nvidia GeForce GLContext command buffer is used to compute the offset for a kernel memory write with insufficient bounds checking.

tested on: MacBookPro10,1 w/ 10.10.3 (14D131)

build: clang -Wall -dynamiclib -o nv_alloclist.dylib nv_alloclist.c  -framework IOKit -arch i386 -arch x86_64
run: DYLD_INSERT_LIBRARIES=./nv_alloclist.dylib /Applications/Google\ Chrome\ Canary.app/Contents/MacOS/Google\ Chrome\ Canary --single-process --force_discrete_gpu "http://interactivehaiku.com/lifeisshort/"

note: --force_discrete_gpu will force chrome to use the nvidia gpu rather than the intel integrated one.

Reachable from sandboxes which allow GPU access.
Attachment: nv_alloclist.c (7.4 KB)
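The bug class in the report above is a user-controlled dword that becomes a write offset without being validated against the size of the kernel object it indexes. The following C is an added illustration of that class from the mitigation side; it is not code from the report, the attached nv_alloclist.c, or the GeForce driver. The token layout (a 0x8900 type word, padding, and an index dword at +0x78), the 16-slot target object and the sample buffer are all constructed for the example; only the "dword at +0x78 of a 0x8900 token becomes a write offset" shape comes from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical kernel object that token processing writes into.
 * The slot count is chosen for the example, not taken from the report. */
#define TARGET_SLOTS 16
static uint32_t target[TARGET_SLOTS];

/* Hypothetical command-buffer token. The report says only that a dword at
 * +0x78 of a type-0x8900 token is turned into a write offset; this layout
 * is constructed so that `index` lands at +0x78 and is not the driver's. */
typedef struct {
    uint32_t type;        /* +0x00: token type, 0x8900 in the report   */
    uint8_t  pad[0x74];   /* +0x04: unrelated fields, zeroed here      */
    uint32_t index;       /* +0x78: caller-controlled slot index       */
    uint32_t value;       /* +0x7c: value to store                     */
} token_t;

/* The vulnerable pattern: the caller-supplied index is trusted and scales
 * straight into a pointer, so any index >= TARGET_SLOTS writes past the
 * object. Shown only as the "before"; process_buffer() never calls it. */
static void handle_token_unchecked(const token_t *t) {
    target[t->index] = t->value;
}

/* The hardened pattern: validate the index against the object before it is
 * scaled, and reject the token outright rather than clamping or masking,
 * so the caller gets an error instead of a silent redirect of the write. */
static bool handle_token_checked(const token_t *t) {
    if (t->type != 0x8900)
        return false;               /* not a token this handler owns */
    if (t->index >= TARGET_SLOTS)
        return false;               /* bounds check on the raw index */
    target[t->index] = t->value;    /* safe: 0 <= index < TARGET_SLOTS */
    return true;
}

/* Walk a raw buffer of back-to-back tokens, applying each one through the
 * checked handler. Returns the number applied; *rejected counts the rest.
 * A trailing partial token is ignored rather than read past the buffer. */
static size_t process_buffer(const uint8_t *buf, size_t len, size_t *rejected) {
    size_t applied = 0;
    *rejected = 0;
    for (size_t off = 0; off + sizeof(token_t) <= len; off += sizeof(token_t)) {
        token_t t;
        memcpy(&t, buf + off, sizeof t);  /* copy out: no aliasing of caller memory */
        if (handle_token_checked(&t))
            applied++;
        else
            (*rejected)++;
    }
    return applied;
}

/* Constructed sample: three tokens, the third carrying an index far outside
 * the 16-slot object, which the checked handler must reject. */
static size_t demo_run(size_t *rejected) {
    token_t toks[3] = {
        { .type = 0x8900, .index = 0,           .value = 1 },
        { .type = 0x8900, .index = 15,          .value = 2 },
        { .type = 0x8900, .index = 0x40000000u, .value = 3 },  /* out of range */
    };
    uint8_t buf[sizeof toks];
    memcpy(buf, toks, sizeof toks);
    return process_buffer(buf, sizeof buf, rejected);
}

int main(void) {
    /* The unchecked handler is safe only when the caller happens to be honest. */
    token_t honest = { .type = 0x8900, .index = 1, .value = 0x11 };
    handle_token_unchecked(&honest);

    size_t rejected = 0;
    size_t applied = demo_run(&rejected);
    printf("applied=%zu rejected=%zu target[15]=0x%x\n", applied, rejected, target[15]);
    return 0;
}
```

The check is made on the raw index before any scaling by the element size, so it cannot be bypassed by an index whose scaled product wraps; and it is a reject, not a clamp, because clamping turns a detectable malformed command into a silently misdirected write.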
Project Member Comment 1 by ianbeer@google.com, Apr 23 2015
Labels: Reported-2015-Apr-23 Id-621987447
Project Member Comment 2 by ianbeer@google.com, Jul 3 2015
Labels: Fixed-2015-Jun-30 CVE-2015-3712
Status: Fixed
https://support.apple.com/en-us/HT204942
Project Member Comment 3 by ianbeer@google.com, Jul 31 2015
Labels: -Restrict-View-Commit