ArashAll / google-security-research

Automatically exported from code.google.com/p/google-security-research

Spoofed no-more-senders notifications with IOBluetoothHCIPacketLogUserClient leads to unsafe parallel OSArray manipulation #572

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The OS* data types (OSArray etc) are explicitly not thread safe; they rely on their callers to implement the required locking to serialize all accesses and manipulations of them. By sending two spoofed no-more-senders notifications on two threads at the same time we can cause parallel calls to OSArray::removeObject with no locks, which is unsafe. In this particular case you might see two threads both passing the index >= count check in OSArray::removeObject (when count = 1 and index = 0) but then both decrementing count, leading to an OSArray with a count of 0xffffffff, leading to memory corruption when trying to shift the array contents.

repro: while true; do ./iospoof_bluepacketlog; done

Tested on OS X 10.11 ElCapitan (15A284) on MacBookAir 5,2

Original issue reported on code.google.com by ianb...@google.com on 13 Oct 2015 at 12:48


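The check-then-decrement race described above, as an added example that is not from the report or from the affected XNU/IOKit code: a toy array with this example's own names (toy_array, replay_unlocked_race, remove_serialized) replays the interleaving deterministically, then shows the lock-serialized form a caller is expected to provide. It assumes a POSIX threads environment.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
/* Toy stand-in for an OSArray (this example's own names): a 32-bit count,
 * a small backing store and a lock used only by the serialized variant. */
typedef struct {
    uint32_t count;
    void *slots[4];
    pthread_mutex_t lock;
} toy_array;

/* Deterministic replay of the interleaving the report describes: with count == 1 and
 * index == 0 both threads pass "index >= count" before either decrements, so the second
 * decrement wraps the count to 0xffffffff. */
static uint32_t replay_unlocked_race(void) {
    uint32_t count = 1, index = 0;
    bool a_passes = !(index >= count);   /* thread A: 0 >= 1 is false, proceed */
    bool b_passes = !(index >= count);   /* thread B checks before A decrements */
    if (a_passes) count--;               /* A: count becomes 0 */
    if (b_passes) count--;               /* B: count wraps to 0xffffffff */
    return count;                        /* a shift loop bounded by this runs wild */
}

/* Hardened form: check, decrement and shift happen under one lock, so the
 * second caller observes the updated count and fails the bounds check. */
static bool remove_serialized(toy_array *a, uint32_t index) {
    pthread_mutex_lock(&a->lock);
    bool ok = index < a->count;
    if (ok) {
        a->count--;
        for (uint32_t i = index; i < a->count; i++)
            a->slots[i] = a->slots[i + 1];
    }
    pthread_mutex_unlock(&a->lock);
    return ok;
}

static void *remover(void *arg) {
    return (void *)(uintptr_t)remove_serialized((toy_array *)arg, 0);
}
/* Two threads both try to remove index 0 from a one-element array. Returns the
 * final count, which stays 0 because exactly one removal can succeed. */
static uint32_t run_serialized_pair(void) {
    toy_array a = { .count = 1, .lock = PTHREAD_MUTEX_INITIALIZER };
    pthread_t t1, t2;
    pthread_create(&t1, NULL, remover, &a);
    pthread_create(&t2, NULL, remover, &a);
    pthread_join(t1, NULL); pthread_join(t2, NULL);
    return a.count;
}
```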
GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 13 Oct 2015 at 12:50

GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 20 Dec 2015 at 9:24

GoogleCodeExporter commented 8 years ago
This bug was fixed as part of the fix for CVE-2015-7047 so dup'ing into that issue

Original comment by ianb...@google.com on 20 Dec 2015 at 9:30

GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 27 Jan 2016 at 5:14