codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research

OS X IOKit kernel memory disclosure due to lack of bounds checking in AGPMClient::getPstatesOccupancy #18

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The AGPM (AppleGraphicsPowerManagement) user client is reachable from the 
Chrome GPU process sandbox and the Safari renderer sandbox.

The getPStatesOccupancy method fails to bounds check the index it's passed. The 
oob value which is read is then returned to the userspace caller allowing a 
sandboxed program to programmatically dump large amounts of kernel memory.

Attached PoC leak_kmem.c will try to dump 256 kB of kernel memory to the file 
dump.bin.

This is of course a nice kASLR defeat since you can almost certainly find all 
the pointers you need.

On OS X another interesting attack scenario with a bug like this would be to 
try to read a sandbox extension. Since these are just HMAC'ed strings, if you 
could force another process to request an extension and then read it from 
kernel memory, you could just consume it, since extensions aren't tied to a 
particular process. I don't know how feasible it would be to read the HMAC key; 
if I have time I'll experiment a bit with this. (Chrome doesn't use sandbox 
extensions; Safari does.)

Original issue reported on code.google.com by ianb...@google.com on 2 May 2014 at 3:23

Attachments:
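The missing index check described above, as an added example in C that is not from the report, the attached PoC, or Apple's driver; it only loosely models an IOKit scalar-in/scalar-out external method, and the function names, error codes and table size are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical status codes standing in for IOKit's kIOReturnSuccess /
 * kIOReturnBadArgument; the real values are not reproduced here. */
#define RET_SUCCESS      0
#define RET_BAD_ARGUMENT 1

/* Constructed P-state occupancy table, one counter per power state.
 * Four entries is an assumption, not the driver's real table size. */
#define PSTATE_COUNT 4
static const uint64_t pstate_occupancy[PSTATE_COUNT] = { 900, 50, 30, 20 };

/* Hardened lookup. The index arrives from userspace as an untrusted 64-bit
 * scalar, as IOKit external-method scalar inputs do. The vulnerable shape
 * the report describes is simply
 *     scalar_out[0] = pstate_occupancy[scalar_in[0]];
 * with no check, so any index reads kernel memory past the table and hands
 * it back to the caller. Comparing the unsigned 64-bit value against the
 * table size also means a negative int from userspace cannot wrap into a
 * "small" index. */
int get_pstate_occupancy(const uint64_t *scalar_in, uint32_t scalar_in_count,
                         uint64_t *scalar_out, uint32_t *scalar_out_count)
{
    if (scalar_in == NULL || scalar_out == NULL || scalar_out_count == NULL)
        return RET_BAD_ARGUMENT;
    if (scalar_in_count < 1 || *scalar_out_count < 1)
        return RET_BAD_ARGUMENT;

    uint64_t index = scalar_in[0];
    if (index >= PSTATE_COUNT)          /* the bounds check the bug lacked */
        return RET_BAD_ARGUMENT;

    scalar_out[0] = pstate_occupancy[index];
    *scalar_out_count = 1;
    return RET_SUCCESS;
}

/* Convenience wrappers that build the scalar arrays the way a user client
 * call would: status for an index, and the value returned (0 on rejection). */
int probe_status(uint64_t index)
{
    uint64_t in[1] = { index }, out[1] = { 0 };
    uint32_t out_count = 1;
    return get_pstate_occupancy(in, 1, out, &out_count);
}

uint64_t probe_value(uint64_t index)
{
    uint64_t in[1] = { index }, out[1] = { 0 };
    uint32_t out_count = 1;
    return get_pstate_occupancy(in, 1, out, &out_count) == RET_SUCCESS ? out[0] : 0;
}
```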

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 2 May 2014 at 3:36

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 2 May 2014 at 3:37

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 12 May 2014 at 8:33

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 23 May 2014 at 4:36

GoogleCodeExporter commented 9 years ago
Apple advisory: http://support.apple.com/kb/HT6296

Original comment by ianb...@google.com on 3 Jul 2014 at 1:18

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 31 Jul 2014 at 12:17