Status: Fixed
Closed: Jan 2016
io_service_close leads to potentially dangerous IOKit methods being called without locks
Project Member Reported by ianbeer@google.com, Oct 28 2015
It turns out that the spoofed no-more-senders notification bug when applied to IOKit objects
was actually just a more complicated way to hit ::clientClose in parallel. We can in fact
do this very simply by calling IOServiceClose on two threads :)

Like the spoofed notifications this leads to many bugs in many userclients, the exact nature
of which depends on the semantics of the clientClose implementation.

In this particular case we hit a kernel UaF.

Tested on El Capitan 10.10.1 15b42 on MacBookAir 5,2

repro: while true; do ./ioparallel_close; done
 
Attachment: ioparallel_close.c (1.7 KB)
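The bug class the report describes is a check-then-act close path that is reachable from two threads at once, so the teardown in clientClose runs twice and the second run touches freed memory. The following is an added user-space model of that pattern and of the usual fix, not the attached ioparallel_close.c and not IOKit code: the `struct userclient`, the `closed` flag and the function names are constructed for illustration, and the teardown only counts how often it ran instead of freeing, so the unguarded variant demonstrates the race without crashing the process.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of an IOKit-style user client. In the kernel this would
 * be an IOUserClient subclass; here it is a plain struct. */
struct userclient {
    int *buffer;               /* per-client resource released on close */
    int closed;                /* "already closed" state, read under lock */
    pthread_mutex_t lock;      /* guards the open -> closed transition */
    atomic_int teardowns;      /* counts how often teardown actually ran */
};

/* Teardown shared by both variants. Counting instead of freeing keeps the
 * unguarded demonstration from dying on a double free. */
static void release_resources(struct userclient *uc) {
    atomic_fetch_add(&uc->teardowns, 1);
    /* a real driver would do the equivalent of: free(uc->buffer); uc->buffer = NULL; */
}

/* Unguarded check-then-act: two callers can both observe closed == 0 and
 * both run teardown. This is the clientClose pattern the report describes. */
static void client_close_unguarded(struct userclient *uc) {
    if (uc->closed)
        return;
    sched_yield();             /* widen the race window for demonstration */
    uc->closed = 1;
    release_resources(uc);
}

/* Guarded: the transition is made atomically under the lock, so exactly one
 * caller performs teardown and every later caller returns early. */
static void client_close_guarded(struct userclient *uc) {
    pthread_mutex_lock(&uc->lock);
    int first = !uc->closed;
    uc->closed = 1;
    pthread_mutex_unlock(&uc->lock);
    if (first)
        release_resources(uc);
}

struct worker_arg {
    struct userclient *uc;
    int guarded;
};

static void *close_worker(void *p) {
    struct worker_arg *a = p;
    if (a->guarded)
        client_close_guarded(a->uc);
    else
        client_close_unguarded(a->uc);
    return NULL;
}

/* Closes one client from nthreads threads at once and returns how many
 * times teardown ran. The guarded variant always returns 1. */
int run_close_race(int nthreads, int guarded) {
    struct userclient uc = { .buffer = malloc(64), .closed = 0 };
    pthread_mutex_init(&uc.lock, NULL);
    atomic_init(&uc.teardowns, 0);

    pthread_t *tids = malloc(sizeof(*tids) * nthreads);
    struct worker_arg arg = { .uc = &uc, .guarded = guarded };
    for (int i = 0; i < nthreads; i++)
        pthread_create(&tids[i], NULL, close_worker, &arg);
    for (int i = 0; i < nthreads; i++)
        pthread_join(tids[i], NULL);

    int n = atomic_load(&uc.teardowns);
    pthread_mutex_destroy(&uc.lock);
    free(uc.buffer);
    free(tids);
    return n;
}

int main(void) {
    int worst = 0;
    /* repeat, as the report's repro loop does, so the interleaving shows up */
    for (int i = 0; i < 2000; i++) {
        int n = run_close_race(4, 0);
        if (n > worst)
            worst = n;
    }
    printf("unguarded: worst case teardown ran %d times\n", worst);
    printf("guarded:   teardown ran %d times\n", run_close_race(4, 1));
    return 0;
}
```

The guarded variant is the property a reviewer should look for in any close or release handler reachable from user space: the state flip and the decision to tear down must happen in one critical section, and every path after the first close must be a no-op. A flag checked outside the lock, as in the unguarded variant, is the defect regardless of how small the window looks.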
Project Member Comment 1 by ianbeer@google.com, Oct 28 2015
Labels: Reported-2015-Oct-28 Id-630813131
Project Member Comment 2 by ianbeer@google.com, Jan 21 2016
Labels: CVE-2016-1720 Fixed-2016-Jan-19
Status: Fixed
OS X advisory: https://support.apple.com/en-us/HT205731
iOS advisory: https://support.apple.com/en-us/HT205732
Project Member Comment 3 by ianbeer@google.com, Jan 27 2016
Labels: -Restrict-View-Commit