OS X exploitable kernel NULL pointer dereference in AppleMuxControl.kext

Project Member Reported by ianbeer@google.com, Mar 25 2016

The method AppleGraphicsControlClient::checkArguments does actually appear to test whether the pointer at this+0xd8 is non-null, but uses it anyway :) We can race external methods which call this with another thread calling IOServiceClose to get a NULL pointer there. By mapping the NULL page in userspace this gives us trivial kernel RIP control as the code makes a virtual call on a NULL object pointer.

Tested on OS X 10.11.4 (15E65) MacBookPro 10,1
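
The check-but-use-anyway pattern described in the report, next to a fail-closed form, as an added example that is not part of the original report and not code from the kext. Every name in it (`client`, `provider`, `method_flawed`, `method_hardened`) is hypothetical, and a function-pointer table stands in for the C++ virtual call.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Hypothetical model: all names are invented, not taken from the kext. */
struct provider;
struct provider_ops { int (*get_state)(struct provider *); };  /* stands in for a vtable */
struct provider { const struct provider_ops *ops; int state; };

struct client {
    _Atomic(struct provider *) provider;  /* the field the close path clears */
};

enum { CLIENT_OK = 0, CLIENT_NOT_ATTACHED = -1 };

static int provider_get_state(struct provider *p) { return p->state; }
static const struct provider_ops default_ops = { provider_get_state };

/* Close path: may run on another thread while a method call is in flight. */
void client_close(struct client *c) { atomic_store(&c->provider, (struct provider *)NULL); }

/* Flawed pattern: the NULL test exists, but its result is never acted on,
 * and the field is read a second time for the indirect call. */
int method_flawed(struct client *c, int *out) {
    int attached = (atomic_load(&c->provider) != NULL);
    (void)attached;                                  /* checked, then ignored */
    struct provider *p = atomic_load(&c->provider);  /* second read: may be NULL by now */
    *out = p->ops->get_state(p);                     /* indirect call through NULL */
    return CLIENT_OK;
}

/* Hardened pattern: read the field once, fail closed on NULL, use only the snapshot.
 * Assumption: the provider is static here, so lifetime is not modelled; a real
 * driver must also hold a reference or lock so the object outlives the call. */
int method_hardened(struct client *c, int *out) {
    struct provider *p = atomic_load(&c->provider);
    if (p == NULL)
        return CLIENT_NOT_ATTACHED;
    *out = p->ops->get_state(p);
    return CLIENT_OK;
}

/* Constructed scenario: one call before close, one after (the losing side of the race). */
int demo(int *before, int *after) {
    static struct provider prov = { &default_ops, 42 };
    struct client c;
    int v = 0;
    atomic_init(&c.provider, &prov);
    *before = method_hardened(&c, &v);
    client_close(&c);
    *after = method_hardened(&c, &v);
    return v;
}
```
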

Project Member Comment 1 by ianbeer@google.com, Mar 25 2016

May 18 2016
Apple advisory: https://support.apple.com/en-us/HT206567

Jun 9 2016