Starred by 5 users
Status: Fixed
Closed: Sep 2014
OS X IOKit kernel code execution due to bad free in IOBluetoothFamily
Project Member Reported by ianbeer@google.com, Jun 23 2014
IOBluetoothFamily implements its own queuing primitive: IOBluetoothDataQueue (doesn't appear to inherit from IODataQueue, but I could be wrong about that?)

IOBluetoothHCIPacketLogUserClient is userclient type 1 of IOBluetoothHCIController.

The IOBluetoothDataQueue free method uses the queue size field which was mapped into userspace when freeing the queue - a userspace client can modify this field forcing a bad kmem_free.
bluetooth_packet_log_bad_free.c (2.0 KB)
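The bug class the report describes, as an added example that is not from the report, the attached PoC, or IOBluetoothFamily: a queue whose header is mapped read/write into the client task, with a free path that reads the size back from that shared header, beside a hardened free that only uses a kernel-private copy of the allocation size. The struct layout, the names (`shared_queue_hdr`, `kqueue`, `sim_kmem_alloc`, `sim_kmem_free`) and the recording allocator are assumptions for illustration; the recorded-size check stands in for the heap corruption a real kmem_free with a client-chosen size would cause.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical header layout (an assumption, not the real IOBluetoothDataQueue).
 * The whole struct is mapped into the client task, so after that point the
 * kernel must treat every field in it as attacker-controlled. */
struct shared_queue_hdr {
    uint32_t queue_size;   /* bytes of ring buffer following the header */
    uint32_t head;
    uint32_t tail;
    uint8_t  data[];
};

/* Kernel-private bookkeeping the client can never write to. */
struct kqueue {
    struct shared_queue_hdr *shared;  /* region handed out to the client */
    size_t alloc_size;                /* private copy of what we allocated */
};

/* Simulated kernel allocator: remembers the size of every live allocation so
 * the kmem_free stand-in can report a size mismatch instead of corrupting the
 * heap the way a real allocator would. */
#define MAX_LIVE 16
static struct { void *p; size_t n; } live[MAX_LIVE];

static void *sim_kmem_alloc(size_t n)
{
    void *p = calloc(1, n);
    for (int i = 0; p != NULL && i < MAX_LIVE; i++) {
        if (live[i].p == NULL) { live[i].p = p; live[i].n = n; return p; }
    }
    free(p);
    return NULL;
}

/* 0 when the size matches the recorded allocation, -1 on a bad free. */
static int sim_kmem_free(void *p, size_t n)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i].p != p) continue;
        if (live[i].n != n) return -1;   /* size does not match: bad free */
        live[i].p = NULL;
        free(p);
        return 0;
    }
    return -1;                           /* not a live allocation */
}

struct kqueue *queue_create(uint32_t data_bytes)
{
    struct kqueue *q = calloc(1, sizeof *q);
    if (q == NULL) return NULL;
    q->alloc_size = sizeof(struct shared_queue_hdr) + data_bytes;
    q->shared = sim_kmem_alloc(q->alloc_size);
    if (q->shared == NULL) { free(q); return NULL; }
    q->shared->queue_size = data_bytes;  /* published through the mapping */
    return q;
}

/* Stand-in for the client writing through its mapping of the header. */
void client_overwrite_size(struct kqueue *q, uint32_t fake_size)
{
    q->shared->queue_size = fake_size;
}

/* Vulnerable pattern: the free size is recomputed from the client-writable
 * header, so the client chooses what gets passed to kmem_free. */
int queue_free_vulnerable(struct kqueue *q)
{
    size_t n = sizeof(struct shared_queue_hdr) + q->shared->queue_size;
    int rc = sim_kmem_free(q->shared, n);
    free(q);
    return rc;
}

/* Hardened pattern: the size comes from kernel-private state captured at
 * allocation time; the shared header is never consulted on the free path. */
int queue_free_hardened(struct kqueue *q)
{
    int rc = sim_kmem_free(q->shared, q->alloc_size);
    free(q);
    return rc;
}

int main(void)
{
    struct kqueue *a = queue_create(256), *b = queue_create(256);
    client_overwrite_size(a, 0x7fffffff);
    client_overwrite_size(b, 0x7fffffff);
    printf("vulnerable: %s\n", queue_free_vulnerable(a) == 0 ? "ok" : "bad free");
    printf("hardened:   %s\n", queue_free_hardened(b) == 0 ? "ok" : "bad free");
    return 0;
}
```

The same rule generalises beyond the size field: anything the kernel reads back from a mapping shared with a user task (sizes, indices, offsets, object pointers) has to be either re-validated against kernel-private state on every use or never used for allocator or memory-management decisions at all.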
Project Member Comment 1 by ianbeer@google.com, Jun 23 2014
Labels: Reported-2014-June-23 Id-607333220
Project Member Comment 2 by ianbeer@google.com, Aug 22 2014
Labels: Deadline-90
Comment 3 by cevans@google.com, Sep 23 2014
Labels: -Restrict-View-Commit -Reported-2014-June-23 CVE-2014-4390 Reported-2014-Jun-23 Fixed-2014-Sep-17
Status: Fixed
http://support.apple.com/kb/HT6443