codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

OS X IOKit EoP due to lack of bounds checking in Intel GPU driver (IOAccelResource2::dirtyLevel) #182

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The Intel HD GPU driver function 
IGAccelGLContext::process_token_BindDrawFBOColor parses the token with ID 
0x9100. The dword at offset 0x14 in the token is passed to 
IOAccelResource2::dirtyLevel where it's used to computed an index for a memory 
write (OR'ing the low bit of a dword with 1) with no bounds checking.

PoC attached.

Original issue reported on code.google.com by ianb...@google.com on 20 Nov 2014 at 1:51

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 20 Nov 2014 at 1:55

GoogleCodeExporter commented 9 years ago
Apple advisory: http://support.apple.com/en-us/HT204244

Original comment by ianb...@google.com on 5 Feb 2015 at 12:00