778 - OS X exploitable kernel NULL dereference in IOAccelSharedUserClient2::page_off_resource - project-zero

Starred by 1 user

Status:	Fixed
Owner:	ianbeer@google.com
Closed:	May 2016
Cc:	project-...@google.com
Finder-ianbeer Deadline-90 Product-OSX Vendor-Apple CCProjectZeroMembers Severity-High Reported-2016-Mar-23 Id-638212832 Fixed-2016-May-16 CVE-2016-1813

OS X exploitable kernel NULL dereference in IOAccelSharedUserClient2::page_off_resource

Project Member Reported by ianbeer@google.com, Mar 23 2016

Back to list

IOAccelerator external method IOAccelSharedUserClient2::page_off_resource uses the pointer at this+0x100 without checking if it's NULL.
A series of dereferences from this pointer lead to trivial RIP control.

We can race two threads, in one call the external method and in the other call IOServiceClose, which NULLs out the pointer at
this+0x100.

By mapping the NULL page into userspace we can control the pointer read.

tested on OS X 10.11.4 (15E65) on MacBookAir 5,2

ioaccel_race.c
3.5 KB View Download

Project Member Comment 1 by ianbeer@google.com, Mar 23 2016

Labels: Id-638212832 Reported-2016-Mar-23

Project Member Comment 2 by ianbeer@google.com, May 18 2016

Labels: Fixed-2016-May-16 CVE-2016-1813
Status: Fixed

Apple advisory: https://support.apple.com/en-us/HT206567

Project Member Comment 3 by ianbeer@google.com, Jun 9 2016

Labels: -Restrict-View-Commit

► Sign in to add a comment