ITh4cker / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

OS X HFS_EXTEND_FS sysctl discloses uninitialized kernel stack memory to userspace #394

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The implementation of the HFS_EXTEND_FS sysctl is in the hfs_syscall function 
in hfs_vfsops.c:

  } else if (name[0] == HFS_EXTEND_FS) {
    u_int64_t  newsize;                        <-- uninitialized local uint64_t
    vnode_t vp = vfs_context_cwd(context);

    if (newp == USER_ADDR_NULL || vp == NULLVP)
      return (EINVAL);
    if ((error = hfs_getmountpoint(vp, &hfsmp)))
      return (error);
    error = sysctl_quad(oldp, oldlenp, newp, newlen, (quad_t *)&newsize);  <-- address passed to sysctl_quad

sysctl_quad is a helper function for simultaneously getting AND setting kernel 
variables. That is, if
the user specifies an oldp and oldlenp then sysctl_quad will write out the old 
value
before reading in a new one from newp.

Getting to this sysctl code and passing a newp requires root, but there are 
still sandboxed processes
running as root on OS X which wouldn't be able to exploit the usual root to 
kernel paths via AppleHWAccess etc
so this bug does constitute a real bug under the OS X security model.

To repro compile this and then execute it with your current working directory 
as '/':

clang -o /tmp/hfs_sysctl_leak hfs_sysctl_leak.c
cd /
for i in {1..1000}; do sudo /tmp/hfs_sysctl_leak; done | grep ffffff

I've been able to leak kernel text pointers with this on a MacBookAir5,2 w/ 
10.10.3 (14D131)

Original issue reported on code.google.com by ianb...@google.com on 20 May 2015 at 8:30

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 20 May 2015 at 8:31

GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 21 May 2015 at 3:13

GoogleCodeExporter commented 8 years ago
https://support.apple.com/en-us/HT204942

Original comment by ianb...@google.com on 3 Jul 2015 at 11:33

GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 31 Jul 2015 at 10:12