Status: Duplicate
Merged: issue 553
Closed: Dec 2015
IOKit doesn't correctly handle spoofed no-more-senders notifications leading to many bugs (OS X and iOS)
Project Member Reported by ianbeer@google.com, Oct 8 2015
A spoofed no-more-senders notification leads to a call to ::clientClosed when there actually are still
clients. What happens then depends on the userClient's implementation of clientClosed; in this
particular case (with userclient type 0 of IntelAccelerator) we hit an exploitable NULL deref
(this should panic reading from 414141414141414141; note that that address had been read from the NULL page.)

I imagine there are *far* more bugs here!

Attachment: iospoof_with_null.c (2.7 KB)
Project Member Comment 1 by ianbeer@google.com, Oct 8 2015
Labels: Reported-2015-Oct-08 Id-629628579
Project Member Comment 2 by ianbeer@google.com, Dec 20 2015
Mergedinto: 553
Status: Duplicate
Project Member Comment 3 by ianbeer@google.com, Dec 20 2015
This bug was fixed as part of the fix for CVE-2015-7047 so dup'ing into that issue.
Project Member Comment 4 by ianbeer@google.com, Jan 27 2016
Labels: -Restrict-View-Commit