OS X IOKit EoP due to lack of bounds checking in Intel GPU driver

GoogleCodeExporter commented 9 years ago

The first body dword of the token type 0x8e (BindTextures) of the Intel HD GL 
driver (IGAccelGLContext) is used in the function 
IGAccelGLContext::process_token_BindTextures to index an array of 
IOAccelResource2 pointers without validating that the index is valid.

By passing an invalid index we can force this function to read an 
IOAccelResource2 pointer out of bounds and pass it to 
IOAccelContext2::unbindResource which will call a virtual method on the invalid 
pointer.

Original issue reported on code.google.com by ianb...@google.com on 20 Nov 2014 at 11:15

Attachments:

ig_gl_BindTextures_again.c

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 20 Nov 2014 at 11:21

Added labels: Id-614630648, Reported-2014-Nov-20
Removed labels: ****

GoogleCodeExporter commented 9 years ago

Apple advisory: http://support.apple.com/en-us/HT204244

Original comment by ianb...@google.com on 4 Feb 2015 at 11:56

Changed state: Fixed
Added labels: CVE-2014-8819, Fixed-2015-Jan-27
Removed labels: Restrict-View-Commit

codenote / google-security-research

OS X IOKit EoP due to lack of bounds checking in Intel GPU driver #181