Status: Fixed
Closed: May 2016
OS X exploitable kernel NULL pointer dereference in AppleGraphicsDeviceControl
Project Member Reported by ianbeer@google.com, Mar 25 2016
AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService (at this+0xd8) is non-null before using it in all external methods.

We can set this pointer to NULL by racing two threads, one of which calls IOServiceClose which NULLs out the pointer and the other of which makes any external method call.

By mapping the NULL page in userspace this gives us trivial kernel RIP control as the code makes a virtual call on a NULL object pointer.

Tested on OS X 10.11.4 (15E65), MacBookPro 10,1
Attachment: graphicscontrol_race.c (3.6 KB)
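The race the report describes, modelled in user-space C as an added example. This is not the attached graphicscontrol_race.c, not Apple's code and not a statement of how Apple fixed CVE-2016-1793: `struct user_client`, `struct service`, `client_close()`, `vuln_external_method()` and `fixed_external_method()` are hypothetical names standing in for the user client, the IOService it points to at this+0xd8, the IOServiceClose path and an external method. The `service_ops` table plays the role of the C++ vtable, so a call through a NULL `svc` reads the function-pointer table address from the NULL page and jumps through it, which is exactly what mapping that page in userspace turns into RIP control. The hardened variant shows one reasonable fix shape (check the pointer under the same lock the close path takes and return an error once it is gone), not the vendor's actual patch.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Forward declaration so the ops table can name the service type. */
struct service;

/* Function-pointer table standing in for a C++ vtable: the kernel reaches
 * the real implementation through exactly this kind of indirect call. */
struct service_ops {
    int (*do_work)(struct service *svc, int arg);
};

struct service {
    const struct service_ops *ops;   /* "vtable" lives at offset 0 */
    int calls;
};

/* Hypothetical model of the user client. svc plays the role of the
 * pointer at this+0xd8; the close path clears it while another thread
 * may still be dispatching an external method. */
struct user_client {
    struct service *svc;
    pthread_mutex_t lock;
};

static int sample_work(struct service *svc, int arg)
{
    svc->calls++;
    return arg;
}

static const struct service_ops sample_ops = { sample_work };

/* Allocate a client; open != 0 attaches a service, open == 0 models a
 * client whose service pointer has already been cleared (svc == NULL). */
struct user_client *new_client(int open)
{
    struct user_client *c = calloc(1, sizeof *c);
    pthread_mutex_init(&c->lock, NULL);
    if (open) {
        c->svc = calloc(1, sizeof *c->svc);
        c->svc->ops = &sample_ops;
    }
    return c;
}

/* Model of the IOServiceClose path: NULLs out the service pointer. */
void client_close(struct user_client *c)
{
    pthread_mutex_lock(&c->lock);
    c->svc = NULL;
    pthread_mutex_unlock(&c->lock);
}

/* Vulnerable shape: no null check and no lock. If another thread has
 * already run client_close(), c->svc is NULL, so this reads the ops
 * ("vtable") pointer from the NULL page and makes an indirect call
 * through whatever is there. Only safe to call on an open client. */
int vuln_external_method(struct user_client *c, int arg)
{
    return c->svc->ops->do_work(c->svc, arg);
}

/* Hardened shape (one possible fix, not Apple's): take the lock that
 * client_close() takes, and refuse to dispatch once the service is gone.
 * -1 stands in for an IOReturn error code. */
int fixed_external_method(struct user_client *c, int arg)
{
    int ret = -1;
    pthread_mutex_lock(&c->lock);
    if (c->svc != NULL)
        ret = c->svc->ops->do_work(c->svc, arg);
    pthread_mutex_unlock(&c->lock);
    return ret;
}

struct race_args { struct user_client *c; int n; int ok; int rejected; };

static void *caller_thread(void *p)
{
    struct race_args *a = p;
    for (int i = 0; i < a->n; i++) {
        if (fixed_external_method(a->c, i) == -1)
            a->rejected++;
        else
            a->ok++;
    }
    return NULL;
}

static void *closer_thread(void *p)
{
    client_close(((struct race_args *)p)->c);
    return NULL;
}

/* Two threads, as in the report: one hammers the external method while
 * the other closes the client. Returns 1 when every call either ran or
 * was cleanly rejected and the pointer ended up NULL. Swapping in
 * vuln_external_method() here would fault on the NULL dereference. */
int race_fixed(int n)
{
    struct race_args a = { new_client(1), n, 0, 0 };
    pthread_t caller, closer;
    pthread_create(&caller, NULL, caller_thread, &a);
    pthread_create(&closer, NULL, closer_thread, &a);
    pthread_join(caller, NULL);
    pthread_join(closer, NULL);
    int result = (a.ok + a.rejected == n) && (a.c->svc == NULL);
    free(a.c);
    return result;
}

int main(void)
{
    struct user_client *opened = new_client(1), *closed = new_client(0);
    printf("open client: fixed=%d vuln=%d\n",
           fixed_external_method(opened, 7), vuln_external_method(opened, 7));
    printf("closed client: fixed=%d (vuln variant would dereference NULL)\n",
           fixed_external_method(closed, 7));
    printf("race: %s\n", race_fixed(100000)
           ? "all calls dispatched or rejected, no crash" : "calls lost");
    return 0;
}
```

The model deliberately leaks the service object after close so that the only thing the close path does is drop the pointer, matching the report's description; a real driver would also have to make sure the close path cannot free the service while a dispatch in another thread still holds the lock.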
Project Member Comment 1 by ianbeer@google.com, Mar 25 2016
Labels: Id-638356287 Reported-2016-Mar-25
Project Member Comment 2 by ianbeer@google.com, May 18 2016
Labels: Fixed-2016-May-16 CVE-2016-1793
Status: Fixed
Apple advisory: https://support.apple.com/en-us/HT206567
Project Member Comment 3 by ianbeer@google.com, Jun 9 2016
Labels: -Restrict-View-Commit