595 - Exploitable kernel NULL dereference in IntelAccelerator::gstqConfigure - project-zero

Starred by 1 user

Status:	Fixed
Owner:	ianbeer@google.com
Closed:	Dec 2015
Cc:	project-...@google.com
Fixed-2015-Dec-08 Finder-ianbeer Deadline-90 Vendor-Apple Reported-2015-Oct-26 CVE-2015-7106 Id-630658948 Product-IOKit CCProjectZeroMembers Severity-High

Exploitable kernel NULL dereference in IntelAccelerator::gstqConfigure

Project Member Reported by ianbeer@google.com, Oct 26 2015

Back to list

The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod.

In the ::start method this field is initialized to NULL. The IGAccelDevice external method gst_configure (0x206)
calls gstqConfigure which doesn't check whether the GSTContextKernel pointer is NULL, therefore by calling
this external method before calling any others which allocate the GSTContextKernel we can cause a kernel
NULL pointer dereference. The GSTContextKernel structure contains pointers, one of which eventually leads
to control of a kernel virtual method call. This PoC will kernel panic calling 0xffff800041414141.

Tested on OS X ElCapitan 10.11.1 (15b42) on MacBookAir5,2

ig_gl_gst_null.c
3.3 KB Download

Project Member Comment 1 by ianbeer@google.com, Oct 26 2015

Labels: Reported-2015-Oct-26 Id-630658948

Project Member Comment 2 by ianbeer@google.com, Dec 20 2015

Labels: CVE-2015-7106 Fixed-2015-Dec-08
Status: Fixed

Apple advisory: https://support.apple.com/en-gb/HT205637

Project Member Comment 3 by ianbeer@google.com, Jan 27 2016

Labels: -Restrict-View-Commit

► Sign in to add a comment