OS X IOKit kernel code execution due to unchecked pointer parameter in IGAccelCLContext::unmap_user_memory

[GoogleCodeExporter]

The Intel OpenCL IOKit userclient has pretty much exactly the same bug as the 
OpenGL one - they trust a user-supplied pointer and call a virtual function off 
of it.

Specifically the function IGAccelCLContext::unmap_user_memory is reachable as 
selector 0x101.

Attached poc hello.c (uses the apple OpenCL hello world example to initialize 
OpenCL and get the correct userclient) will kernel panic dereferencing 
0x4141414141414141. Compile with -framework OpenCL -framework IOKit

This should be reachable from the chrome gpu process sandbox and the safari 
renderer sandbox.

Original issue reported on code.google.com by ianb...@google.com on 2 May 2014 at 11:00

Attachments:

• hello.c

[GoogleCodeExporter]

Original comment by ianb...@google.com on 2 May 2014 at 11:05

• Changed title: OS X IOKit kernel code execution due to unchecked pointer parameter in IGAccelCLContext::unmap_user_memory
• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Original comment by ianb...@google.com on 2 May 2014 at 11:13

• Added labels: Reported-2014-May-03
• Removed labels: ****

[GoogleCodeExporter]

Original comment by ianb...@google.com on 2 May 2014 at 11:14

• Added labels: Id-605870017
• Removed labels: ****

[GoogleCodeExporter]

Original comment by ianb...@google.com on 12 May 2014 at 8:33

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Original comment by ianb...@google.com on 23 May 2014 at 4:36

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Apple advisory: http://support.apple.com/kb/HT6296

Original comment by ianb...@google.com on 3 Jul 2014 at 1:19

• Changed state: Fixed
• Added labels: CVE-2014-1376
• Removed labels: ****

[GoogleCodeExporter]

Original comment by cev...@google.com on 31 Jul 2014 at 12:17

• Added labels: ****
• Removed labels: Restrict-View-Commit