Status: Fixed
Closed: Mar 2016
OS X Kernel unchecked array index used to read object pointer then call virtual method in nvidia geforce driver
Project Member Reported by ianbeer@google.com, Jan 31 2016
nvDevice::ReleaseDeviceTexture is external method 0x10a of userclient 5 of the geforce IOAccelerator.
It takes a single uint argument:

__text:000000000001BCD2                 mov     r14d, esi
  ...
__text:000000000001BD08                 and     r14d, 7FFFFFFFh   <-- clear upper bit
__text:000000000001BD0F                 mov     rax, [r15+168h]
__text:000000000001BD16                 mov     rdi, [rax+r14*8]  <-- use as array index
__text:000000000001BD1A                 test    rdi, rdi
__text:000000000001BD1D                 jz      short loc_1BD2C
__text:000000000001BD1F                 mov     rax, [rdi]          <-- read vtable
__text:000000000001BD22                 call    qword ptr [rax+28h] <-- call OSObject::release

This userclient is part of the nvidia geforce driver so it's only available on devices with that hardware (e.g. MacBook Pro).

This code is reachable from most interesting sandboxes including the safari renderer and the chrome GPU process.
Attachment: nv_oob.c (3.2 KB)
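As an added illustration (not part of the report above and not the driver's code), here is a constructed C model of the pattern in the disassembly: a lookup that only masks bit 31 before indexing, beside a hardened version that validates the index against the table size before following the pointer and calling through it. The struct layout, function names and the four-slot sample table are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed C model of the pattern in the disassembly above; it is not the
 * nvidia driver's code. A function pointer stands in for the vtable slot. */
typedef struct texture {
    void (*release)(struct texture *);  /* plays the role of [vtable+0x28] */
    int released;                       /* number of release calls, for checking */
} texture_t;

typedef struct device {
    texture_t **textures;  /* plays the role of the pointer array at [this+0x168] */
    size_t      count;     /* valid slot count: the bound the disassembly never checks */
} device_t;

static void texture_release(texture_t *t) { t->released++; }
/* Mirrors the disassembly: clear bit 31, then index with no bounds check.
 * Any idx >= dev->count reads a pointer from outside the array. */
static texture_t *lookup_unchecked(const device_t *dev, uint32_t idx) {
    idx &= 0x7fffffffu;
    return dev->textures[idx];
}

/* The mask on its own only removes the top bit; values up to 2^31-1 survive. */
static uint32_t masked_index(uint32_t idx) { return idx & 0x7fffffffu; }

/* Hardened form: reject the index before it touches the array.
 * Returns 0 on success, -1 for an out-of-range or empty slot. */
static int release_device_texture_checked(const device_t *dev, uint32_t idx) {
    if (idx >= dev->count)  /* unsigned compare also rejects the "negative" half */
        return -1;
    texture_t *t = dev->textures[idx];
    if (t == NULL)
        return -1;
    t->release(t);
    return 0;
}

/* Constructed sample device with four slots, one of them empty. */
static texture_t g_tex[4] = {
    {texture_release, 0}, {texture_release, 0}, {texture_release, 0}, {texture_release, 0}
};
static texture_t *g_slots[4] = { &g_tex[0], &g_tex[1], NULL, &g_tex[3] };
static const device_t g_dev = { g_slots, 4 };
int main(void) {
    printf("masked 0xffffffff -> 0x%x, checked idx 4 -> %d\n",
           masked_index(0xffffffffu), release_device_texture_checked(&g_dev, 4));
    return 0;
}
```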
Project Member Comment 1 by ianbeer@google.com, Jan 31 2016
Labels: Reported-2016-Jan-31 Id-635602757
Project Member Comment 2 by ianbeer@google.com, Mar 21 2016
Labels: Fixed-2016-Mar-21 CVE-2016-1741
Status: Fixed
Apple advisory: https://support.apple.com/en-us/HT206167
Project Member Comment 3 by ianbeer@google.com, Mar 22 2016
Labels: -Restrict-View-Commit