
Issue 36


Issue metadata

Status: Fixed
Closed: Oct 2014




OS X IOKit kernel code execution due to lack of bounds checking in AppleMultitouchIODataQueue

Project Member Reported by ianbeer@google.com, Jun 20 2014

Issue description

The clientMemoryForType method of AppleUSBMultitouchUserClient creates an AppleMultitouchIODataQueue
and maps it into kernel/user shared memory. AppleMultitouchIODataQueue inherits from IODataQueue.

The memory which is mapped into userspace is represented by the variable-sized struct IODataQueueMemory:

typedef struct _IODataQueueMemory {
    UInt32 queueSize;
    volatile UInt32 head;
    volatile UInt32 tail;
    IODataQueueEntry queue[1];
} IODataQueueMemory;

These queueSize, head and tail values are used to ensure that the enqueued items stay within the bounds of the queue. Userspace can modify the queueSize, head and tail values such that the kernel will try to enqueue a value to the queue outside of the allocated memory.
 
Attachment: apple_usb_multitouch_enqueue.c (2.3 KB)
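The bounds check the report says is missing, as an added example that is not Apple's code and not the attached PoC: a simplified model of the IODataQueueMemory layout quoted above, with an enqueue routine that validates the userspace-writable queueSize, head and tail against the mapping size the kernel side recorded at allocation time, before it computes where to write. The type and function names (shared_queue_t, queue_create, enqueue_checked, count_until_full), the 4-byte entry header and the wrap-around convention are assumptions of this example, not IOKit's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the shared queue header from the report (hypothetical
 * names, not Apple's). Every field is writable by userspace, so the kernel
 * side must treat all three as untrusted input. */
typedef struct {
    uint32_t queueSize;          /* claimed size of queue[] in bytes */
    volatile uint32_t head;      /* consumer offset into queue[] */
    volatile uint32_t tail;      /* producer offset into queue[] */
    uint8_t  queue[];            /* ring buffer of entries */
} shared_queue_t;
#define QUEUE_HEADER_SIZE ((size_t)offsetof(shared_queue_t, queue))

/* Each entry: a 4-byte payload length followed by the payload. */
#define ENTRY_HEADER_SIZE ((uint32_t)sizeof(uint32_t))

typedef enum { ENQ_OK = 0, ENQ_BAD_HEADER, ENQ_TOO_LARGE, ENQ_FULL } enq_result_t;

/* Trusted-side allocation. The real mapping size goes to the caller's private
 * state and is never re-read from the shared header. */
shared_queue_t *queue_create(uint32_t ring_bytes, size_t *alloc_bytes_out)
{
    size_t alloc = QUEUE_HEADER_SIZE + ring_bytes;
    shared_queue_t *q = calloc(1, alloc);
    if (q == NULL) return NULL;
    q->queueSize = ring_bytes;
    *alloc_bytes_out = alloc;
    return q;
}

/* Reject any header that could steer a write outside the mapping. */
static int header_is_sane(uint32_t queueSize, uint32_t head, uint32_t tail, size_t alloc_bytes)
{
    if (alloc_bytes < QUEUE_HEADER_SIZE) return 0;
    if ((size_t)queueSize > alloc_bytes - QUEUE_HEADER_SIZE) return 0; /* queueSize inflated */
    if (head >= queueSize || tail >= queueSize) return 0;               /* offset outside ring */
    return 1;
}

static void write_entry_size(uint8_t *at, uint32_t len) { memcpy(at, &len, sizeof len); }

enq_result_t enqueue_checked(shared_queue_t *q, size_t alloc_bytes, const void *data, uint32_t len)
{
    /* Snapshot the shared fields once; all later decisions use these copies,
     * so userspace cannot change them between the check and the write. */
    uint32_t queueSize = q->queueSize;
    uint32_t head = q->head;
    uint32_t tail = q->tail;

    if (!header_is_sane(queueSize, head, tail, alloc_bytes)) return ENQ_BAD_HEADER;
    if (len > UINT32_MAX - ENTRY_HEADER_SIZE) return ENQ_TOO_LARGE;
    uint32_t entry_size = ENTRY_HEADER_SIZE + len;
    if (entry_size >= queueSize) return ENQ_TOO_LARGE;

    uint32_t write_at, new_tail;
    if (tail >= head) {
        if ((uint64_t)tail + entry_size <= queueSize) {       /* fits before the end */
            write_at = tail;
            new_tail = tail + entry_size;
        } else if (head > entry_size) {                       /* wrap to offset 0 */
            if (queueSize - tail >= ENTRY_HEADER_SIZE)        /* wrap marker, if it fits */
                write_entry_size(q->queue + tail, len);
            write_at = 0;
            new_tail = entry_size;
        } else {
            return ENQ_FULL;
        }
    } else if (head - tail > entry_size) {                    /* gap between tail and head */
        write_at = tail;
        new_tail = tail + entry_size;
    } else {
        return ENQ_FULL;
    }

    /* Only reached with write_at + entry_size <= queueSize <= mapping size. */
    write_entry_size(q->queue + write_at, len);
    memcpy(q->queue + write_at + ENTRY_HEADER_SIZE, data, len);
    q->tail = new_tail;
    return ENQ_OK;
}

/* Demonstration helper: enqueue fixed-size entries until the ring reports full. */
int count_until_full(shared_queue_t *q, size_t alloc_bytes, uint32_t len)
{
    uint8_t payload[64] = {0};
    int n = 0;
    while (len <= sizeof payload && enqueue_checked(q, alloc_bytes, payload, len) == ENQ_OK) n++;
    return n;
}

int main(void)
{
    size_t alloc;
    shared_queue_t *q = queue_create(64, &alloc);
    printf("entries before full: %d\n", count_until_full(q, alloc, 8));
    q->tail = 0xFFFF0000;  /* constructed tamper: offset far beyond the ring */
    printf("tampered tail -> result %d (1 = ENQ_BAD_HEADER)\n", enqueue_checked(q, alloc, "x", 1));
    free(q);
    return 0;
}
```

The two design points are that the mapping size comes from kernel-private state rather than from the header userspace can rewrite, and that head, tail and queueSize are copied out of the volatile shared memory exactly once so a concurrent writer cannot alter them between the range check and the memcpy.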
Comment 1 by ianbeer@google.com (Project Member), Jun 20 2014

Labels: Reported-2014-June-20 Id-607290472
Comment 2 by ianbeer@google.com (Project Member), Jun 27 2014

Apple requested more information; I sent them another PoC which crashes reliably for me, as well as a panic log and system report. New PoC attached.
Attachment: new_poc_apple_usb_multitouch_enqueue.c (2.3 KB)
Comment 3 by ianbeer@google.com (Project Member), Aug 22 2014

Labels: Deadline-90

Comment 4 by cevans@google.com, Sep 23 2014

Labels: -Reported-2014-June-20 Reported-2014-Jun-20 CVE-2014-4418 Product-iOS-Kernel
http://support.apple.com/kb/HT6441 (i.e. also affected iOS)
No mention of CVE in OS X update (http://support.apple.com/kb/HT6443) ??
Comment 5 by ianbeer@google.com (Project Member), Sep 24 2014

Labels: -Restrict-View-Commit

Comment 6 by cevans@google.com, Oct 17 2014

Labels: Deadline-Exceeded Fixed-2014-Oct-16
Status: Fixed
Interesting case.
Looks like it wasn't fixed in OS X until Yosemite: https://support.apple.com/kb/HT6535. Therefore, it can be observed:

1) By declaring this in the earlier iOS patch, Apple dropped a bug on their own OS X software.

2) The original report was against OS X, not iOS, so this definitely went over deadline -- by a month(!). Marking as such.
