Status: Fixed
Closed: Dec 2015
Exploitable kernel NULL dereference in IntelAccelerator::gstqConfigure
Project Member Reported by ianbeer@google.com, Oct 26 2015
The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod.

In the ::start method this field is initialized to NULL. The IGAccelDevice external method gst_configure (0x206) calls gstqConfigure which doesn't check whether the GSTContextKernel pointer is NULL, therefore by calling this external method before calling any others which allocate the GSTContextKernel we can cause a kernel NULL pointer dereference. The GSTContextKernel structure contains pointers, one of which eventually leads to control of a kernel virtual method call. This PoC will kernel panic calling 0xffff800041414141.

Tested on OS X El Capitan 10.11.1 (15b42) on MacBookAir5,2
Attachment: ig_gl_gst_null.c (3.3 KB)
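The defect class in the report is a lazily-allocated object pointer that is NULL after ::start and is only validated by the method that allocates it, while user space may invoke external methods in any order. The following is an added, constructed model of that lifecycle (not Apple's code; every name and selector number here is hypothetical) showing the unchecked shape beside the hardened one, where each method validates object state itself:

```c
#include <stdlib.h>

/* Hypothetical stand-in for the lazily-allocated kernel context object. */
typedef struct {
    void (*submit)(void);   /* models the function pointers the report mentions */
} gst_context_t;

/* Hypothetical stand-in for the accelerator object holding the pointer. */
typedef struct {
    gst_context_t *ctx;     /* NULL after start(), set by create_info() */
} accelerator_t;

enum { OK = 0, ERR_NOT_READY = 1, ERR_BAD_ARG = 2 };

static void noop_submit(void) {}

void accel_start(accelerator_t *a) { a->ctx = NULL; }   /* models ::start */

int accel_create_info(accelerator_t *a) {               /* models the allocating method */
    if (a->ctx != NULL) return ERR_BAD_ARG;            /* refuse double creation */
    a->ctx = calloc(1, sizeof *a->ctx);
    if (a->ctx == NULL) return ERR_NOT_READY;
    a->ctx->submit = noop_submit;
    return OK;
}

/* Unchecked shape: assumes create_info already ran; NULL deref otherwise. */
int accel_configure_unchecked(accelerator_t *a) {
    a->ctx->submit();
    return OK;
}

/* Hardened shape: reject the call until the context exists. */
int accel_configure_checked(accelerator_t *a) {
    if (a->ctx == NULL) return ERR_NOT_READY;
    a->ctx->submit();
    return OK;
}

/* Selector-driven dispatch, as an external method table would do. */
int accel_dispatch(accelerator_t *a, unsigned selector) {
    switch (selector) {
    case 1:  return accel_create_info(a);
    case 2:  return accel_configure_checked(a);
    default: return ERR_BAD_ARG;
    }
}

/* Runs configure-before-create, then the correct order; returns 1 if the
 * hardened dispatcher rejected the premature call and accepted the later one. */
int demo_ordering(void) {
    accelerator_t a;
    accel_start(&a);
    int early = accel_dispatch(&a, 2);
    int created = accel_dispatch(&a, 1);
    int later = accel_dispatch(&a, 2);
    free(a.ctx);
    return early == ERR_NOT_READY && created == OK && later == OK;
}
```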
Project Member Comment 1 by ianbeer@google.com, Oct 26 2015
Labels: Reported-2015-Oct-26 Id-630658948
Project Member Comment 2 by ianbeer@google.com, Dec 20 2015
Labels: CVE-2015-7106 Fixed-2015-Dec-08
Status: Fixed
Apple advisory: https://support.apple.com/en-gb/HT205637
Project Member Comment 3 by ianbeer@google.com, Jan 27 2016
Labels: -Restrict-View-Commit