Status: Fixed
Closed: Dec 2015
OS X and iOS kernel double free due to lack of locking in iokit registry iterator manipulation
Project Member Reported by ianbeer@google.com, Oct 28 2015
The userspace MIG wrapper IORegistryIteratorExitEntry invokes the following kernel function:

    kern_return_t is_io_registry_iterator_exit_entry(
                                                     io_object_t iterator )
    {
        bool  didIt;
        
        CHECK( IORegistryIterator, iterator, iter );
        
        didIt = iter->exitEntry();
        
        return( didIt ? kIOReturnSuccess : kIOReturnNoDevice );
    }

exitEntry is defined as follows:

    bool IORegistryIterator::exitEntry( void )
    {
        IORegCursor * gone;
        
        if( where->iter) {
            where->iter->release();
            where->iter = 0;
            if( where->current)// && (where != &start))
                where->current->release();
        }
        
        if( where != &start) {
            gone = where;
            where = gone->next;
            IOFree( gone, sizeof(IORegCursor));
            return( true);
            
        } else
            return( false);
    }

There are multiple concurrency hazards here; for example, a double free of where if two threads enter at the same time.

These registry APIs aren't protected by MAC hooks; therefore, this bug can be reached from all sandboxes on OS X and iOS.

Tested on El Capitan 10.10.1 15b42 on MacBookAir 5,2

Use kernel zone poisoning and corruption checking with the -zc and -zp boot args to repro.

repro: while true; do ./ioparallel_regiter; done
Attachment: ioparallel_regiter.c (2.3 KB)
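The cursor chain and the pop-and-free race described in the report, as an added user-space model written for this page rather than taken from the report or from XNU. The Iterator and Cursor types, the pool-backed zone_free() counter standing in for IOFree() under -zc/-zp checking, and run_pop_race() are all assumptions; the point is the exitEntry() pop performed inside one critical section, so two callers can never unlink and free the same cursor.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Model of the IORegCursor chain: `start` is embedded in the iterator and never
 * freed; enterEntry() pushes a cursor on top of it, exitEntry() pops one. */
typedef struct Cursor { struct Cursor *next; atomic_int freed; } Cursor;
typedef struct { Cursor start; Cursor *where; pthread_mutex_t lock; } Iterator;
static atomic_int double_frees;  /* what a -zc/-zp style zone check trips on */
static bool use_lock;            /* false reproduces the unprotected original */

/* Stand-in for IOFree(): cursors live in a caller-owned pool, so instead of
 * returning memory this only records whether the block was freed before. */
static void zone_free(Cursor *c) {
    if (atomic_fetch_add(&c->freed, 1) != 0) atomic_fetch_add(&double_frees, 1);
}

/* exitEntry() with the read of `where`, the unlink and the free in a single
 * critical section, so two callers can never pop and free the same cursor. */
static bool iter_exit(Iterator *it) {
    bool popped = false;
    if (use_lock) pthread_mutex_lock(&it->lock);
    if (it->where != &it->start) {
        Cursor *gone = it->where;
        it->where = gone->next;
        zone_free(gone);
        popped = true;
    }
    if (use_lock) pthread_mutex_unlock(&it->lock);
    return popped;
}

static void *pop_until_empty(void *it) {
    while (iter_exit(it)) { }
    return NULL;
}

/* Push n cursors (enterEntry(), done before any thread runs), let two threads
 * pop concurrently, and return how many double frees the checker observed. */
int run_pop_race(int n, bool locked) {
    Iterator it = { .where = &it.start, .lock = PTHREAD_MUTEX_INITIALIZER };
    Cursor *pool = calloc((size_t)n, sizeof *pool);
    pthread_t t[2];
    for (int i = 0; i < n; i++) { pool[i].next = it.where; it.where = &pool[i]; }
    use_lock = locked;
    atomic_store(&double_frees, 0);
    for (int i = 0; i < 2; i++) pthread_create(&t[i], NULL, pop_until_empty, &it);
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    free(pool);
    return atomic_load(&double_frees);
}
```

run_pop_race(n, false) models the unprotected pop and may report double frees on a given run; run_pop_race(n, true) always returns 0 because the unlink and the free are serialised.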
Project Member Comment 1 by ianbeer@google.com, Oct 28 2015
Labels: Reported-2015-Oct-28 Id-630820250
Project Member Comment 2 by ianbeer@google.com, Dec 20 2015
Labels: CVE-2015-7084 Fixed-2015-Dec-08
Status: Fixed
Apple advisory:
OS X: https://support.apple.com/en-gb/HT205637
iOS: https://support.apple.com/en-gb/HT205635
Project Member Comment 3 by ianbeer@google.com, Dec 20 2015
Issue 620 has been merged into this issue.
Project Member Comment 4 by ianbeer@google.com, Jan 27 2016
Labels: -Restrict-View-Commit