Status: Fixed
Closed: May 2016
OS X exploitable kernel NULL pointer dereference in nvCommandQueue::GetHandleIndex in GeForce.kext
Project Member Reported by ianbeer@google.com, Mar 25 2016
The method nvCommandQueue::GetHandleIndex doesn't check whether this+0x5b8 is non-null before using it.

We can race a call to this method with another thread calling IOServiceClose to get a NULL pointer there.

By mapping the NULL page in userspace this gives us trivial kernel RIP control as the code makes a virtual call on a NULL object pointer.

Tested on OS X 10.11.4 (15E65), MacBookPro10,1.

Project Member Comment 1 by ianbeer@google.com, Mar 25 2016
Labels: Id-638359448 Reported-2016-Mar-25
Project Member Comment 2 by ianbeer@google.com, Mar 25 2016
Attaching the correct PoC :)
Attachment: nv_command_queue_race.c (3.6 KB)
Project Member Comment 3 by ianbeer@google.com, May 18 2016
Labels: Fixed-2016-May-16 CVE-2016-1846
Status: Fixed
Apple advisory: https://support.apple.com/en-us/HT206567
Project Member Comment 4 by ianbeer@google.com, Jun 9 2016
Labels: -Restrict-View-Commit