Controlled vm_deallocate size can lead to UaF in launchd
Reported by ianbeer@google.com (Project Member), Aug 22 2016
msgh_id 437 is parsed by launchd's autogenerated MIG code in the function at 0x10000420D (10.11.6).

This MIG method takes an out-of-line-ports descriptor, but the code doesn't verify that request_fdsCnt is equal to the actual descriptor size, and it uses the untrusted one to call mig_deallocate to unmap the memory. By passing a larger value we can cause subsequent pages to be deallocated while they're still in use.

This bug can be reached from any sandbox on OS X/iOS.

To actually see a crash, run this PoC in a loop and also do something which causes a lot of launchd traffic, e.g.:

in one terminal:
  while true; do ./legacy_ipc; done

in another:
  while true; do /Applications/Safari.app/Contents/MacOS/Safari & sleep 0.4 && killall Safari; done

Tested on OS X 10.11.6 (15G31) on MacBookAir5,2
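The check the report says is missing, as an added example that is not part of the original report or of launchd's code. It models a MIG server routine for a request carrying an out-of-line ports descriptor: the vulnerable shape sizes the mig_deallocate call from the sender-supplied inline count (request_fdsCnt), while the hardened shape rejects the message unless that count matches the kernel-reported descriptor count and then unmaps only what the descriptor describes. The Mach/MIG types, the mig_deallocate mock, the field names and the sample request are all stand-ins written for this example so that it builds and runs without Mach headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the Mach/MIG types involved (assumption: modelled here so
 * the example builds without Mach headers; field names are illustrative). */
typedef uint32_t mach_msg_type_number_t;
typedef uintptr_t vm_address_t;
typedef size_t vm_size_t;
typedef int kern_return_t;

#define MACH_MSG_OOL_PORTS_DESCRIPTOR 2u
#define KERN_SUCCESS 0
#define MIG_BAD_ARGUMENTS (-300)
#define PORT_NAME_SIZE 4u   /* an OOL ports array arrives as 4-byte port names */

/* The out-of-line ports descriptor as the receiver sees it: address and count are
 * filled in by the kernel from what was actually transferred, so they are trusted. */
typedef struct {
    vm_address_t address;
    mach_msg_type_number_t count;
    uint32_t type;
} ool_ports_descriptor_t;

/* Inline body of the request: request_fdsCnt is written by the sender, so it is
 * untrusted and may disagree with the descriptor's count. */
typedef struct {
    uint32_t msgh_descriptor_count;
    ool_ports_descriptor_t request_fds;
    mach_msg_type_number_t request_fdsCnt;
} legacy_ipc_request_t;

/* Mock of mig_deallocate that records the size it was last asked to unmap. */
static vm_size_t last_dealloc_size;

static void mig_deallocate(vm_address_t addr, vm_size_t size) {
    (void)addr;
    last_dealloc_size = size;
}

/* Vulnerable shape from the report: the unmap size comes from the sender-controlled
 * inline count, so a large request_fdsCnt unmaps pages beyond the OOL buffer. */
kern_return_t handle_vulnerable(const legacy_ipc_request_t *in) {
    mig_deallocate(in->request_fds.address,
                   (vm_size_t)in->request_fdsCnt * PORT_NAME_SIZE);
    return KERN_SUCCESS;
}

/* Hardened shape: validate the descriptor, require the inline count to match the
 * kernel-reported count, and size the unmap from the trusted descriptor only. */
kern_return_t handle_hardened(const legacy_ipc_request_t *in) {
    if (in->msgh_descriptor_count != 1 ||
        in->request_fds.type != MACH_MSG_OOL_PORTS_DESCRIPTOR)
        return MIG_BAD_ARGUMENTS;
    if (in->request_fds.count != in->request_fdsCnt)
        return MIG_BAD_ARGUMENTS;
    mig_deallocate(in->request_fds.address,
                   (vm_size_t)in->request_fds.count * PORT_NAME_SIZE);
    return KERN_SUCCESS;
}

/* Constructed sample request: the kernel mapped `real` port names at a dummy
 * address, while the sender's inline count claims `claimed` entries. */
static legacy_ipc_request_t make_request(mach_msg_type_number_t real,
                                         mach_msg_type_number_t claimed) {
    legacy_ipc_request_t r;
    r.msgh_descriptor_count = 1;
    r.request_fds.address = 0x10000;
    r.request_fds.count = real;
    r.request_fds.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
    r.request_fdsCnt = claimed;
    return r;
}

/* Run a handler on a constructed request and report the unmap size it issued
 * (0 if the handler refused the message). */
vm_size_t dealloc_size_for(kern_return_t (*handler)(const legacy_ipc_request_t *),
                           mach_msg_type_number_t real, mach_msg_type_number_t claimed) {
    legacy_ipc_request_t req = make_request(real, claimed);
    last_dealloc_size = 0;
    handler(&req);
    return last_dealloc_size;
}

/* Same, but report the handler's return code. */
kern_return_t rc_for(kern_return_t (*handler)(const legacy_ipc_request_t *),
                     mach_msg_type_number_t real, mach_msg_type_number_t claimed) {
    legacy_ipc_request_t req = make_request(real, claimed);
    return handler(&req);
}

int main(void) {
    printf("vulnerable, 2 real / 1024 claimed: unmapped %zu bytes of an 8-byte buffer\n",
           dealloc_size_for(handle_vulnerable, 2, 1024));
    printf("hardened,   2 real / 1024 claimed: rc=%d, unmapped %zu bytes\n",
           rc_for(handle_hardened, 2, 1024), dealloc_size_for(handle_hardened, 2, 1024));
    printf("hardened,   2 real / 2 claimed:    rc=%d, unmapped %zu bytes\n",
           rc_for(handle_hardened, 2, 2), dealloc_size_for(handle_hardened, 2, 2));
    return 0;
}
```

The point of the comparison is that the kernel already tells the receiver how many ports it actually transferred; any inline count the sender also supplies is only a consistency hint, and the unmap size must never be derived from it without first checking that the two agree.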
Comment 1 by ianbeer@google.com (Project Member), Aug 22 2016, Oct 28 2016, Oct 28 2016