Status: Fixed
Closed: May 2016
OS X exploitable kernel NULL pointer dereference in AppleMuxControl.kext
Project Member Reported by ianbeer@google.com, Mar 25 2016
The method AppleGraphicsControlClient::checkArguments does actually appear to test whether the pointer at this+0xd8 is non-null, but uses it anyway :)

We can race external methods which call this with another thread calling IOServiceClose to get a NULL pointer there.

By mapping the NULL page in userspace this gives us trivial kernel RIP control as the code makes a virtual call on a NULL object pointer.

tested on OS X 10.11.4 (15E65) MacBookPro 10,1
 
Attachment: mux_control_race.c (3.6 KB)
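The bug class in the report is a check that is made but not acted on, combined with a close path that can clear the pointer while another thread is inside the method. The following is an added C example, not code from the report, the attachment, or Apple's kext: it uses a constructed, hypothetical user-client structure (`user_client_t`, `provider_t`, the `check_arguments_*` functions and `K_*` return codes are all invented stand-ins) to show the buggy shape beside a hardened one that fails early on NULL and holds the same lock the close path takes, so the method and a concurrent close cannot interleave.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdatomic.h>

/* Constructed stand-in for a kernel user-client object. The layout, names and
 * "provider" field are hypothetical; they model the pattern in the report, not
 * AppleMuxControl's real code. */
typedef struct provider {
    int (*max_selector)(struct provider *self);  /* virtual call through the pointer */
} provider_t;

typedef struct {
    atomic_flag lock;       /* minimal spinlock shared by methods and the close path */
    provider_t *provider;   /* cleared when the user client is closed */
} user_client_t;

enum { K_OK = 0, K_NOT_ATTACHED = 1, K_BAD_SELECTOR = 2 };

static void uc_lock(user_client_t *uc)   { while (atomic_flag_test_and_set(&uc->lock)) { } }
static void uc_unlock(user_client_t *uc) { atomic_flag_clear(&uc->lock); }

/* Constructed provider that accepts selectors 0..4. */
static int demo_max_selector(provider_t *self) { (void)self; return 4; }
static provider_t demo_provider = { demo_max_selector };

void user_client_init(user_client_t *uc) {
    atomic_flag_clear(&uc->lock);
    uc->provider = &demo_provider;
}

/* Close path: detaches the provider under the same lock the methods take. */
void user_client_close(user_client_t *uc) {
    uc_lock(uc);
    uc->provider = NULL;
    uc_unlock(uc);
}

/* Buggy shape from the report: the NULL test is made, but the pointer is used
 * regardless, and nothing stops close() from clearing it mid-call. Only safe
 * to call while the client is still attached. */
int check_arguments_buggy(user_client_t *uc, uint32_t selector) {
    int rc = K_OK;
    if (uc->provider == NULL)
        rc = K_NOT_ATTACHED;                    /* recorded, never acted on */
    /* Unconditional use: a NULL dereference if the client was closed. */
    if ((int)selector > uc->provider->max_selector(uc->provider))
        rc = K_BAD_SELECTOR;
    return rc;
}

/* Hardened shape: take the lock, fail early on NULL, and keep the lock held
 * across the use so a concurrent close cannot detach the provider mid-call. */
int check_arguments_fixed(user_client_t *uc, uint32_t selector) {
    int rc = K_OK;
    uc_lock(uc);
    if (uc->provider == NULL) {
        rc = K_NOT_ATTACHED;
    } else if ((int)selector > uc->provider->max_selector(uc->provider)) {
        rc = K_BAD_SELECTOR;
    }
    uc_unlock(uc);
    return rc;
}

/* The ordering the report describes: the client is closed, then a method
 * runs. With the hardened check this yields an error code, not a crash. */
int run_close_then_call(uint32_t selector) {
    user_client_t uc;
    user_client_init(&uc);
    user_client_close(&uc);
    return check_arguments_fixed(&uc, selector);
}

/* Normal path on an attached client, for comparison. */
int run_open_call(uint32_t selector) {
    user_client_t uc;
    user_client_init(&uc);
    return check_arguments_fixed(&uc, selector);
}

/* The buggy check still behaves on an attached client, which is why the
 * defect only surfaces under the close race. */
int run_open_call_buggy(uint32_t selector) {
    user_client_t uc;
    user_client_init(&uc);
    return check_arguments_buggy(&uc, selector);
}
```

The point of the hardened version is that the NULL test and every use of the pointer sit inside one critical section shared with the close path; a check made outside that section, or a result that is computed but not returned on, gives no protection against the race.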
Project Member Comment 1 by ianbeer@google.com, Mar 25 2016
Labels: Id-638358152 Reported-2016-Mar-25
Project Member Comment 2 by ianbeer@google.com, May 18 2016
Labels: Fixed-2016-May-16 CVE-2016-1794
Status: Fixed
Apple advisory: https://support.apple.com/en-us/HT206567
Project Member Comment 3 by ianbeer@google.com, Jun 9 2016
Labels: -Restrict-View-Commit