bingghost / google-security-research

Automatically exported from code.google.com/p/google-security-research

Integer Overflow in IOHDIXControllerUserClient::convertClientBuffer leading to undersized kalloc allocation passed to DMA code #511

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Method 5 of the IOHDIXController user client is createDrive64. This takes a 
0x100 byte structure input from which it reads a userspace pointer and a size 
which it passes to IOHDIXController::convertClientBuffer. This wraps the memory 
pointed to by the userspace pointer in an IOMemoryDescriptor then takes the 
user-provided size, casts it to a 32-bit type and adds one. It passes that 
value to IOMalloc. By passing a size of 0xffffffff we can cause an integer 
overflow and IOMalloc will be passed a size of 0.

IOMalloc falls through to kalloc which will quite happily make a 0-sized 
allocation for us and return a valid, writable kernel heap pointer.

The original size we specified, cast to a 32-bit type but without one added to 
it, is then passed as the size of the target buffer in the call to 
IOMemoryDescriptor::readBytes, which attempts to read from the wrapped userspace 
memory into the undersized kernel heap buffer.

It actually tries to use some fancy DMA stuff to do that copy and this PoC will 
almost certainly fail and kernel panic somewhere inside that DMA code as there 
probably aren't valid page-table entries for the whole destination range. But 
some kalloc heap spraying should take care of that allowing us to actually 
overwrite stuff :)

Original issue reported on code.google.com by ianb...@google.com on 31 Aug 2015 at 12:23

Attachments:
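As an added illustration, not code from the original report or from IOHDIXController, this models the size conversion the report describes (64-bit user size truncated to 32 bits, then incremented) beside a checked version that validates the full value before any narrowing arithmetic. The function names and the `max_size` bound are assumptions; the copy-length check mirrors the mismatch between the kalloc size and the length handed to readBytes.

```c
#include <stdbool.h>
#include <stdint.h>

/* Flawed conversion as described in the report: the user-supplied size is
 * truncated to 32 bits and one is added before it reaches IOMalloc. For
 * 0xffffffff the addition wraps and the allocation size becomes 0. */
uint32_t flawed_alloc_size(uint64_t user_size) {
    uint32_t n = (uint32_t)user_size;
    return n + 1;                 /* wraps to 0 when n == 0xffffffff */
}

/* Hardened version (assumed design, not Apple's fix): bound the size against a
 * driver-specific maximum and reject any value whose narrowed form would wrap.
 * XNU's os/overflow.h provides os_add_overflow() for this; a portable check is
 * written out here. Returns false when the request must be rejected. */
bool checked_alloc_size(uint64_t user_size, uint64_t max_size, uint32_t *out) {
    if (user_size > max_size)
        return false;             /* larger than the driver should ever need */
    if (user_size > (uint64_t)UINT32_MAX - 1)
        return false;             /* (uint32_t)user_size + 1 would wrap */
    *out = (uint32_t)user_size + 1;
    return true;
}

/* The invariant the bug violated: the buffer handed to readBytes must be at
 * least as large as the length readBytes is told to copy. In the report the
 * allocation was 0 bytes while the copy length was the un-incremented size. */
bool allocation_covers_copy(uint32_t alloc_size, uint64_t copy_len) {
    return (uint64_t)alloc_size >= copy_len;
}
```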

GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 31 Aug 2015 at 12:27

GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 31 Aug 2015 at 12:43

GoogleCodeExporter commented 8 years ago
OS X Advisory: https://support.apple.com/en-us/HT205375
iOS Advisory: https://support.apple.com/en-us/HT205370

Original comment by ianb...@google.com on 22 Oct 2015 at 12:00

GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 22 Oct 2015 at 12:03

GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 27 Jan 2016 at 5:12