Status: Duplicate
Merged: issue 830
Closed: Aug 2016
OS X/iOS kernel use-after-free in IOHDIXController
Project Member Reported by ianbeer@google.com, May 26 2016
IOHDIXControllerUserClient stores a task struct pointer (passed in via IOServiceOpen) in the field at +0x1f8 without taking a reference.

By killing the corresponding task we can free this pointer, leaving the user client with a dangling pointer. We can get this pointer used by calling the CreateDrive64 external method, which will try to read and use the memory map off of the freed task struct.

This bug could be leveraged for kernel memory corruption.

build: clang -o iohdix_task_uaf  iohdix_task_uaf.c -framework IOKit

You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actually fault on the UaF - otherwise you might see some weird panics!

tested on OS X 10.11.5 (15F34) on MacBookAir5,2
iohdix_task_uaf.c (10.8 KB)
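The lifetime bug the report describes, as an added model that is not part of the original report, the attached PoC, or XNU/IOKit code: a user client stores the owning task pointer it was handed at open time, the process is killed so the kernel drops its own reference, and a later external method reads the task's memory map through the stale pointer. The hardened variant takes a task reference when the client is opened and drops it on close, which is the standard fix for this class of bug. Everything here is constructed: `task_t`, `task_reference`, `task_deallocate`, `user_client_t`, `uc_create_drive` and `run_sequence` are stand-ins, the `map` value is a made-up constant, and instead of really freeing the task, `task_deallocate` poisons it and `task_get_map` reports the stale read as a fault (the role gzalloc_min/gzalloc_max play in the report). The real CreateDrive64 selector and the IOKit harness are not on this page and are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a kernel task struct. The real object is zfree()'d
 * when its last reference goes; here the last task_deallocate() poisons it
 * so the dangling read can be observed instead of being undefined behaviour. */
typedef struct task {
    int refcount;
    int freed;          /* set once the last reference has been dropped */
    uintptr_t map;      /* stands in for task->map */
} task_t;

#define TASK_POISON ((uintptr_t)0xdeadbeefULL)

static task_t *task_create(uintptr_t map) {
    task_t *t = calloc(1, sizeof *t);
    t->refcount = 1;    /* the reference held by the running process itself */
    t->map = map;
    return t;
}

static void task_reference(task_t *t) { t->refcount++; }

static void task_deallocate(task_t *t) {
    if (--t->refcount == 0) {
        t->freed = 1;
        t->map = TASK_POISON;
    }
}

/* Reading a field of a freed task. With the task zone covered by
 * gzalloc_min/gzalloc_max this is a guard-page fault; the model returns -1. */
static int task_get_map(const task_t *t, uintptr_t *out) {
    if (t->freed) return -1;
    *out = t->map;
    return 0;
}

/* The user client. owning_task models the pointer at +0x1f8 in the report. */
typedef struct {
    task_t *owning_task;
    int holds_ref;
} user_client_t;

/* Vulnerable: the task passed to IOServiceOpen is stored without a reference. */
static void uc_init_vulnerable(user_client_t *uc, task_t *t) {
    uc->owning_task = t;
    uc->holds_ref = 0;
}

/* Hardened: take a reference when the client is opened, drop it on close. */
static void uc_init_fixed(user_client_t *uc, task_t *t) {
    task_reference(t);
    uc->owning_task = t;
    uc->holds_ref = 1;
}

static void uc_close(user_client_t *uc) {
    if (uc->holds_ref) task_deallocate(uc->owning_task);
    uc->owning_task = NULL;
}

/* Stand-in for the CreateDrive64 external method: uses the owning task's map. */
static int uc_create_drive(user_client_t *uc, uintptr_t *map_out) {
    return task_get_map(uc->owning_task, map_out);
}

/* The sequence from the report: open a client for task T, kill T, call the
 * method. Returns 0 if the call saw a live map, -1 if it read a freed task. */
int run_sequence(int hardened, uintptr_t *map_out) {
    task_t *t = task_create(0x1000);   /* constructed map value */
    user_client_t uc;
    if (hardened) uc_init_fixed(&uc, t); else uc_init_vulnerable(&uc, t);
    task_deallocate(t);   /* process killed: the kernel drops its own reference */
    int rc = uc_create_drive(&uc, map_out);
    uc_close(&uc);        /* hardened client drops the last reference here */
    free(t);
    return rc;
}

int main(void) {
    uintptr_t map = 0;
    printf("vulnerable client: %s\n",
           run_sequence(0, &map) == 0 ? "live map" : "read of freed task (UaF)");
    printf("hardened client:   %s\n",
           run_sequence(1, &map) == 0 ? "live map" : "read of freed task (UaF)");
    return 0;
}
```

The point of the hardened path is that the task's lifetime is now tied to the user client's: the kernel's own reference can go away when the process dies, but the struct is not freed until the client releases it, so the external method can never see a stale pointer.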
Project Member Comment 1 by ianbeer@google.com, May 26 2016
Labels: Id-641579598
Project Member Comment 2 by ianbeer@google.com, Aug 29 2016
Labels: -Severity-High Severity-HIgh
Mergedinto: 830
Status: Duplicate
Considered a duplicate of CVE-2016-1863
Project Member Comment 3 by ianbeer@google.com, Oct 25 2016
Labels: -Restrict-View-Commit