Status: Fixed
Closed: May 2016
OS X exploitable kernel NULL dereference in IOAccelSharedUserClient2::page_off_resource
Project Member Reported by ianbeer@google.com, Mar 23 2016
IOAccelerator external method IOAccelSharedUserClient2::page_off_resource uses the pointer at this+0x100 without checking if it's NULL.
A series of dereferences from this pointer lead to trivial RIP control.

We can race two threads: in one, call the external method; in the other, call IOServiceClose, which NULLs out the pointer at this+0x100.

By mapping the NULL page into userspace we can control the pointer read.

Tested on OS X 10.11.4 (15E65) on MacBookAir 5,2
Attachment: ioaccel_race.c (3.5 KB)
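The defect pattern, as an added illustration that is neither Apple's code nor the attached proof of concept: a constructed user-space stand-in in which an external-method-style function dereferences a resource pointer that a close routine NULLs, shown beside a hardened form that checks the pointer under the same lock the close path takes. The names SharedUserClient, Resource, client_close and page_off_resource_* are assumptions, not IOAccelerator identifiers.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

/* Constructed stand-in (not Apple's code) for the object state: a resource
 * pointer that a close path sets to NULL while another thread may still be
 * inside an external method that uses it. */
typedef struct { int pages; } Resource;

typedef struct {
    Resource *resource;      /* models the pointer at this+0x100 */
    pthread_mutex_t lock;    /* serialises method calls against close */
} SharedUserClient;

int client_init(SharedUserClient *c, Resource *r) {
    c->resource = r;
    return pthread_mutex_init(&c->lock, NULL);
}

/* Buggy shape: no lock, no NULL check. If client_close() runs between the
 * load of c->resource and its use, this is a NULL dereference. */
int page_off_resource_unchecked(SharedUserClient *c) {
    return c->resource->pages;
}

/* Hardened shape: hold the lock for the whole operation and reject a closed
 * client instead of dereferencing. client_close() takes the same lock, so the
 * pointer cannot change while the method is using it. */
int page_off_resource_checked(SharedUserClient *c, int *out) {
    pthread_mutex_lock(&c->lock);
    if (c->resource == NULL) {
        pthread_mutex_unlock(&c->lock);
        return ENXIO;        /* client already torn down: fail cleanly */
    }
    *out = c->resource->pages;
    pthread_mutex_unlock(&c->lock);
    return 0;
}

/* Teardown, modelled on IOServiceClose NULLing the pointer; done under the
 * lock so no method call observes a half-torn-down object. */
void client_close(SharedUserClient *c) {
    pthread_mutex_lock(&c->lock);
    c->resource = NULL;
    pthread_mutex_unlock(&c->lock);
}
```

The checked variant returns ENXIO once the client is closed rather than touching the NULL pointer, which is the behaviour a kernel external method needs when its backing object can be released from another thread.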
Project Member Comment 1 by ianbeer@google.com, Mar 23 2016
Labels: Id-638212832 Reported-2016-Mar-23
Project Member Comment 2 by ianbeer@google.com, May 18 2016
Labels: Fixed-2016-May-16 CVE-2016-1813
Status: Fixed
Apple advisory: https://support.apple.com/en-us/HT206567
Project Member Comment 3 by ianbeer@google.com, Jun 9 2016
Labels: -Restrict-View-Commit