Status: Fixed
Owner:
Closed: Mar 2016
Cc:



OS X Kernel use-after-free in AppleKeyStore
Project Member Reported by ianbeer@google.com, Feb 1 2016
The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods; however,
by racing two threads, one of which closes the userclient (which frees the IOCommandGate)
and one of which tries to make an external method call, we can cause a use-after-free of the IOCommandGate.

Tested on OS X 10.11.3 El Capitan 15D21 on MacBookAir5,2
 
Attachment: applekeystore_race.c (2.9 KB)
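The lifetime problem described in the report, as an added example that is not part of the original issue or its attached file: a user-space C model in which the close path drops a reference instead of freeing the shared gate outright, so a call that is already in flight keeps the gate alive. All names (`gate_t`, `client_t`, `client_get_gate`, `replay_race` and the rest) are hypothetical, and reference counting is shown as one common mitigation for this bug class, not as the fix Apple shipped.

```c
#include <stdatomic.h>
#include <stdlib.h>
/* Constructed user-space model; every name here is hypothetical. */
typedef struct { atomic_int refs; int calls_run; } gate_t;    /* the shared gate */
typedef struct { atomic_flag lock; gate_t *gate; } client_t;  /* the user client */
static int gates_freed;  /* counts real frees so the lifetime is observable */
static void client_lock(client_t *c)   { while (atomic_flag_test_and_set(&c->lock)) { } }
static void client_unlock(client_t *c) { atomic_flag_clear(&c->lock); }
/* Drop one reference; only the last holder frees the gate. */
static void gate_release(gate_t *g) { if (atomic_fetch_sub(&g->refs, 1) == 1) { free(g); gates_freed++; } }

client_t *client_open(void) {
    client_t *c = calloc(1, sizeof *c);
    gate_t *g = calloc(1, sizeof *g);
    if (!c || !g) abort();
    atomic_init(&g->refs, 1);        /* the client's own reference */
    atomic_flag_clear(&c->lock);
    c->gate = g;
    return c;
}
/* Call path: read the pointer and pin the gate in one locked step. */
gate_t *client_get_gate(client_t *c) {
    client_lock(c);
    gate_t *g = c->gate;
    if (g) atomic_fetch_add(&g->refs, 1);
    client_unlock(c);
    return g;                        /* NULL once the client is closed */
}
/* Close path: unpublish the pointer, then drop only the client's reference. */
void client_close(client_t *c) {
    client_lock(c);
    gate_t *g = c->gate;
    c->gate = NULL;                  /* the racy pattern frees g here outright */
    client_unlock(c);
    if (g) gate_release(g);
}

/* Replays the reported interleaving in order: call pins, close runs, call uses. */
int replay_race(void) {
    client_t *c = client_open();
    gates_freed = 0;
    gate_t *g = client_get_gate(c);  /* thread A enters a method call */
    client_close(c);                 /* thread B closes the client */
    int ok = (gates_freed == 0) && (++g->calls_run == 1);  /* gate still alive for A */
    gate_release(g);                 /* A unpins: the last reference frees the gate */
    ok = ok && gates_freed == 1 && client_get_gate(c) == NULL;
    free(c);
    return ok;
}
int main(void) { return replay_race() ? 0 : 1; }
```

The interleaving is replayed sequentially so the result is deterministic; the lock is what makes the pointer read and the pin a single step when the two paths really do run on separate threads.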
Project Member Comment 1 by ianbeer@google.com, Feb 1 2016
Labels: Reported-2016-Feb-01 Id-635635663
Project Member Comment 2 by ianbeer@google.com, Mar 21 2016
Labels: CVE-2016-1755 Fixed-2016-Mar-21
Apple advisory: https://support.apple.com/en-us/HT206167
Project Member Comment 3 by ianbeer@google.com, Mar 21 2016
Status: Fixed
Project Member Comment 4 by ianbeer@google.com, Mar 22 2016
Labels: -Restrict-View-Commit