Status: Duplicate
Merged: issue 973
Closed: Jan 2017
MacOS kernel use after free due to bad reference counting when creating new user clients
Project Member Reported by ianbeer@google.com, Oct 26 2016
As mentioned in p0 bug 973 /followup 651078322, the IORegistryEntry::getProperty function
returns a pointer to a registry value without taking a reference on it.

Pretty much the only safe thing you can do with this API is check whether a registry entry
recently had a property with the given key. You can't hold the registry lock when calling this function,
as it takes that lock, so it is really almost impossible to call safely if you want to use the return value
for anything other than comparing to NULL.

Here's another case of a bad use of getProperty in IOService.cpp:

    // First try my own properties for a user client class name
    temp = getProperty(gIOUserClientClassKey); // <-- temp can be freed any time after this
    if (temp) {
        if (OSDynamicCast(OSSymbol, temp))
            userClientClass = (const OSSymbol *) temp;
        else if (OSDynamicCast(OSString, temp)) {
            userClientClass = OSSymbol::withString((OSString *) temp);  // <-- will call virtual method on temp
            if (userClientClass)
                setProperty(kIOUserClientClassKey,
                            (OSObject *) userClientClass);
        }
    }

Tested on MacBookAir5,2 MacOS Sierra 10.12.1 (16B2555)
Attachment: ucproprace.c (2.6 KB)
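An added illustration (not from the report or from XNU) of why the pointer returned without a reference is unsafe: a toy reference-counted registry entry in C, where get_property models getProperty and copy_property models the retaining alternative. obj_t, entry_t and the function names are assumptions of the model, not IOKit APIs.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
/* Toy model of a reference-counted registry property (assumption: a simplified
 * stand-in for OSObject/IORegistryEntry, not XNU's code). */
typedef struct { int refcount; char name[32]; } obj_t;
typedef struct { pthread_mutex_t lock; obj_t *prop; } entry_t;
static obj_t *obj_create(const char *name) {
    obj_t *o = calloc(1, sizeof *o);
    o->refcount = 1;
    strncpy(o->name, name, sizeof o->name - 1);
    return o;
}
static void obj_retain(obj_t *o) { o->refcount++; }
static void obj_release(obj_t *o) { if (--o->refcount == 0) free(o); }
/* getProperty-style: returns the stored pointer without taking a reference. */
static obj_t *get_property(entry_t *e) {
    pthread_mutex_lock(&e->lock);
    obj_t *p = e->prop;
    pthread_mutex_unlock(&e->lock);
    return p;
}
/* copyProperty-style: retains under the lock; the caller must release it. */
static obj_t *copy_property(entry_t *e) {
    pthread_mutex_lock(&e->lock);
    obj_t *p = e->prop;
    if (p) obj_retain(p);
    pthread_mutex_unlock(&e->lock);
    return p;
}
/* setProperty-style: swaps in v and drops the entry's reference to the old value. */
static void set_property(entry_t *e, obj_t *v) {
    pthread_mutex_lock(&e->lock);
    obj_t *old = e->prop;
    e->prop = v;
    if (v) obj_retain(v);
    pthread_mutex_unlock(&e->lock);
    if (old) obj_release(old);
}
/* Fetch the value, then replace the property as a racing setProperty would.
 * Returns the references left holding the value once the entry lets go:
 * 0 = freed under the caller (the bug), 1 = copy_property's reference keeps it. */
static int refs_after_racing_set(int use_copy) {
    entry_t e = { PTHREAD_MUTEX_INITIALIZER, obj_create("old") };
    obj_t *p = use_copy ? copy_property(&e) : get_property(&e);
    int remaining = p->refcount - 1;    /* what the caller will have after the swap */
    set_property(&e, NULL);             /* entry drops its reference; frees p if 0 */
    if (remaining) { remaining = strcmp(p->name, "old") == 0; obj_release(p); }
    return remaining;
}
```

The same reasoning applies to the IOService.cpp snippet above: temp is only as alive as the entry's own reference, so a property replacement between getProperty and OSSymbol::withString leaves the virtual call operating on freed memory.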
Project Member Comment 1 by ianbeer@google.com, Oct 26 2016
Labels: Id-651194808 Reported-Oct-26-2016
Project Member Comment 2 by ianbeer@google.com, Nov 3 2016
Labels: -Reported-Oct-26-2016 Reported-26-Oct-2016
Project Member Comment 3 by ianbeer@google.com, Nov 3 2016
Labels: -Reported-26-Oct-2016 Reported-2016-Oct-26
Project Member Comment 4 by ianbeer@google.com, Jan 25 2017
Mergedinto: 973
Status: Duplicate
Project Member Comment 5 by ianbeer@google.com, Jan 25 2017
Labels: -Restrict-View-Commit