341 - OS X IOKit kernel code execution due to insufficient bounds checking in nvidia GeForce command buffer processing - project-zero

Starred by 3 users

Status:	Fixed
Owner:	ianbeer@google.com
Closed:	Jul 2015
Cc:	project-...@google.com
Id-621987447 Reported-2015-Apr-23 Finder-ianbeer Deadline-90 Fixed-2015-Jun-30 Vendor-Apple Product-IOKit CCProjectZeroMembers Severity-High CVE-2015-3712

OS X IOKit kernel code execution due to insufficient bounds checking in nvidia GeForce command buffer processing

Project Member Reported by ianbeer@google.com, Apr 23 2015

Back to list

The dword at offset +0x78 of token type 0x8900 of the nvidia GeForce GLContext command buffer is used to compute the offset for a kernel memory write with insufficient bounds checking.

tested on: MacBookPro10,1 w/ 10.10.3 (14D131)

build: clang -Wall -dynamiclib -o nv_alloclist.dylib nv_alloclist.c  -framework IOKit -arch i386 -arch x86_64
run: DYLD_INSERT_LIBRARIES=./nv_alloclist.dylib /Applications/Google\ Chrome\ Canary.app/Contents/MacOS/Google\ Chrome\ Canary --single-process --force_discrete_gpu "http://interactivehaiku.com/lifeisshort/"

note: --force_discrete_gpu will force chrome to use the nvidia gpu rather than the intel integrated one.

Reachable from sandboxes which allow GPU access.

nv_alloclist.c
7.4 KB Download

Project Member Comment 1 by ianbeer@google.com, Apr 23 2015

Labels: Reported-2015-Apr-23 Id-621987447

Project Member Comment 2 by ianbeer@google.com, Jul 3 2015

Labels: Fixed-2015-Jun-30 CVE-2015-3712
Status: Fixed

https://support.apple.com/en-us/HT204942

Project Member Comment 3 by ianbeer@google.com, Jul 31 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment