Status: Duplicate
Merged: issue 926
Closed: Dec 2016
ipc_port_t reference count leak due to incorrect externalMethod overrides leads to OS X/iOS kernel UaF
Project Member Reported by ianbeer@google.com, Sep 7 2016
IOUserClient subclasses which override IOUserClient::externalMethod need to ensure that if they return
kIOReturnSuccess they actually take ownership of the mach_port_t asyncWakePort if they are called via
IOConnectCallAsyncMethod.

If the userclient code doesn't take ownership of the mach port and returns a success code, MIG assumes that
they did take ownership and won't release its reference on the port. This leads to a reference count leak.

See the previous bug for more in-depth discussion.

This PoC targets IOSurface which was just the first userclient I looked at; I imagine more are vulnerable.
This PoC takes about an hour on a 4-core MacBook Pro to trigger the kernel UaF.

Attachment: surface_leak.zip (5.9 KB)
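As an added illustration of the ownership contract described in the report (not Ian Beer's PoC and not Apple's code), here is a hypothetical C++ model: `Port`, `dispatch_async_call` and the three handler variants are all constructed for this example, and only the reference count is modelled.

```cpp
#include <cstdio>

typedef int IOReturn;
static const IOReturn kIOReturnSuccess = 0;
static const IOReturn kIOReturnUnsupported = -1;

// Stand-in for an ipc_port_t; only the reference count matters here.
struct Port { int refs; };
static void port_reference(Port *p) { p->refs++; }
static void port_release(Port *p) { p->refs--; }

typedef IOReturn (*ExternalMethod)(Port *asyncWakePort);

// Hypothetical model of the MIG-generated dispatch for IOConnectCallAsyncMethod:
// the send right pulled out of the message is one reference. If externalMethod
// reports success, MIG assumes the user client took that reference and leaves
// it alone; on any other return code MIG drops the reference itself.
static IOReturn dispatch_async_call(ExternalMethod method, Port *port) {
    port_reference(port);
    IOReturn ret = method(port);
    if (ret != kIOReturnSuccess)
        port_release(port);
    return ret;
}

// Bug pattern: the override has no use for the wake port, ignores it and still
// returns success, so the reference MIG handed over is never dropped.
static IOReturn leaky_external_method(Port * /*asyncWakePort*/) {
    return kIOReturnSuccess;
}

// Fix: take ownership; since the port is not kept for a later async
// completion, release it before reporting success.
static IOReturn fixed_external_method(Port *asyncWakePort) {
    port_release(asyncWakePort);
    return kIOReturnSuccess;
}

// Alternative fix: decline the call, so MIG stays responsible for the port.
static IOReturn declining_external_method(Port * /*asyncWakePort*/) {
    return kIOReturnUnsupported;
}

// Run `calls` async calls through `method`; return references leaked relative
// to the single send right userspace started with.
static int leaked_refs_after(ExternalMethod method, int calls) {
    Port port = {1};
    for (int i = 0; i < calls; i++) dispatch_async_call(method, &port);
    return port.refs - 1;
}
```

With the leaky handler every call leaves one extra reference behind, which is the counter the real PoC has to push far enough to wrap before the use-after-free appears.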
Project Member Comment 1 by ianbeer@google.com, Sep 7 2016
Labels: Id-647470738 Reported-2016-Sept-07
Project Member Comment 2 by scvitti@google.com, Sep 8 2016
Labels: -Reported-2016-Sept-07 Reported-2016-Sep-07
Project Member Comment 3 by ianbeer@google.com, Dec 22 2016
Labels: -Restrict-View-Commit CVE-2016-7612 Fixed-2016-Dec-12
Status: Fixed
Fixed in MacOS 10.12.2: https://support.apple.com/en-us/HT207423
Fixed in iOS 10.2: https://support.apple.com/en-us/HT207422
Project Member Comment 4 by ianbeer@google.com, Dec 23 2016
Mergedinto: 926
Status: Duplicate