OS X IOKit kernel code execution due to lack of bounds checking in AppleMultitouchIODataQueue

Reported by ianbeer@google.com (Project Member), Jun 20 2014
The clientMemoryForType method of AppleUSBMultitouchUserClient creates an AppleMultitouchIODataQueue
and maps it into kernel/user shared memory. AppleMultitouchIODataQueue inherits from IODataQueue.
The memory which is mapped into userspace is represented by the variable-sized struct IODataQueueMemory:
    typedef struct _IODataQueueMemory {
        UInt32 queueSize;            /* size in bytes of the queue[] region */
        volatile UInt32 head;        /* offset of the next entry to dequeue */
        volatile UInt32 tail;        /* offset at which the next entry is enqueued */
        IODataQueueEntry queue[1];   /* variable-sized; entries follow in this region */
    } IODataQueueMemory;
These queueSize, head and tail values are used to ensure that the enqueued items stay within the bounds of the queue. Userspace can modify the queueSize, head and tail values such that the kernel will try to enqueue a value to the queue outside of the allocated memory.
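As an added illustration (not code from the report or from Apple's IOKit), the C below sketches an enqueue that keeps a kernel-private copy of the queue capacity and validates the shared queueSize, head and tail exactly once before using them; QueueEntry, QueueMemory, make_queue, safe_enqueue and trusted_size are constructed names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Layout from the report; the entry header is the 4-byte size field. */
typedef struct { uint32_t size; uint8_t data[4]; } QueueEntry;
typedef struct {
    uint32_t queueSize;
    volatile uint32_t head;
    volatile uint32_t tail;
    QueueEntry queue[1];
} QueueMemory;
#define ENTRY_HEADER ((uint32_t)offsetof(QueueEntry, data))

/* Kernel-side allocation (constructed helper); the caller keeps `size` as trusted_size. */
QueueMemory *make_queue(uint32_t size) {
    QueueMemory *q = calloc(1, offsetof(QueueMemory, queue) + size);
    if (q) q->queueSize = size;                 /* head and tail start at 0 */
    return q;
}

/* Hardened enqueue: queueSize, head and tail live in the page userspace can
 * write, so each is read exactly once into a local, validated against the
 * kernel's own record, and only the validated copies are used afterwards. */
bool safe_enqueue(QueueMemory *q, uint32_t trusted_size,
                  const void *data, uint32_t len) {
    uint32_t queueSize = q->queueSize, head = q->head, tail = q->tail;
    if (queueSize != trusted_size) return false;          /* queueSize tampered */
    if (head > queueSize || tail > queueSize) return false; /* cursor past end */
    if (len > UINT32_MAX - 3) return false;               /* padding would overflow */
    uint32_t padded = (len + 3) & ~3u;                    /* keep entries 4-byte aligned */
    if (queueSize < ENTRY_HEADER || padded > queueSize - ENTRY_HEADER) return false;
    uint32_t entry_size = ENTRY_HEADER + padded, write_at;
    if (tail >= head) {                                   /* free space is at the end */
        if (queueSize - tail >= entry_size) write_at = tail;
        else if (head > entry_size) write_at = 0;         /* wrap to the start */
        else return false;                                /* queue full */
    } else if (head - tail > entry_size) {
        write_at = tail;                                  /* free space is before head */
    } else return false;
    /* In every branch write_at + entry_size <= queueSize == trusted_size. */
    uint8_t *slot = (uint8_t *)q + offsetof(QueueMemory, queue) + write_at;
    ((QueueEntry *)slot)->size = len;
    memcpy(slot + ENTRY_HEADER, data, len);
    q->tail = write_at + entry_size;                      /* publish new tail */
    return true;
}
```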
Comment 1 by ianbeer@google.com (Project Member), Jun 20 2014

Comment, Jun 27 2014:
Apple requested more information, I sent them another PoC which crashes reliably for me as well as a panic log and system report. New poc attached.

Comment, Aug 22 2014

Comment, Sep 23 2014:
http://support.apple.com/kb/HT6441 (i.e. this also affected iOS). No mention of the CVE in the OS X update (http://support.apple.com/kb/HT6443)??

Comment, Sep 24 2014

Comment, Oct 17 2014:
Interesting case. Looks like it wasn't fixed in OS X until Yosemite: https://support.apple.com/kb/HT6535. Therefore, it can be observed: 1) By declaring this in the earlier iOS patch, Apple dropped the bug on their own OS X software. 2) The original report was against OS X, not iOS, so this definitely went over deadline -- by a month(!) Marking as such.