565 - OS X Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications - project-zero

Starred by 1 user

Status:	Duplicate
Merged:	issue 553
Owner:	ianbeer@google.com
Closed:	Dec 2015
Cc:	project-...@google.com
Finder-ianbeer Deadline-90 Id-629716296 Vendor-Apple Reported-2015-Oct-09 CCProjectZeroMembers Severity-High Product-OSX-Kernel

OS X Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications

Project Member Reported by ianbeer@google.com, Oct 9 2015

Back to list

Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications

repro: while true; do ./iospoof_ig_4; done

Likely to crash in various ways; have observed NULL derefs and NX traps.

Tested on ElCapitan 10.11 (15a284) on MacBookAir 5,2

iospoof_ig_4.c
1.8 KB Download

Project Member Comment 1 by ianbeer@google.com, Oct 9 2015

Labels: Id-629716296 Reported-2015-Oct-09

Project Member Comment 2 by ianbeer@google.com, Dec 20 2015

Mergedinto: 553
Status: Duplicate

Project Member Comment 3 by ianbeer@google.com, Dec 20 2015

This bug was fixed as part of the fixed for CVE-2015-7047 so dup'ing into that issue

Project Member Comment 4 by ianbeer@google.com, Jan 27 2016

Labels: -Restrict-View-Commit

► Sign in to add a comment