codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research

OS X IOKit kernel code execution due to lack of bounds checking in IOAccelDisplayPipeTransaction2::set_plane_gamma_table #33

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
IOAccelDisplayPipe2::transaction_set_plane_gamma_table fails to verify the second dword of IOAccelDisplayPipeGammaTableArgs, which can be controlled by calling the external method with selector 5 of IOAccelDisplayPipeUserClient2.

This unchecked dword is passed to IOAccelDisplayPipeTransaction2::set_plane_gamma_table, where it is used as an index to read a pointer to a C++ object from an array. By specifying a large index this will read a C++ object pointer out-of-bounds. The code then calls a virtual function on this object.

Impact:
This userclient can be instantiated in the Chrome GPU process sandbox and the Safari renderer sandbox.

Original issue reported on code.google.com by ianb...@google.com on 16 Jun 2014 at 1:55

Attachments:
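The bug class described in the report (a user-controlled dword used as an index into an array of object pointers before a virtual call) reduces to one missing comparison. The following is an added illustration of the hardened pattern, not Apple's code: the object names, the `GammaTableArgs` layout, the plane count and the return codes are all assumptions chosen to mirror the report's description.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <array>

// Constructed stand-ins for the IOKit objects named in the report.
enum ReturnCode : int { kOK = 0, kBadArgument = 1, kNotReady = 2 };

struct Plane {  // per-plane C++ object whose virtual method the driver calls
    virtual ~Plane() = default;
    virtual int setGammaTable(const uint32_t* table, size_t entries) = 0;
};

struct CountingPlane : Plane {
    int calls = 0;
    int setGammaTable(const uint32_t*, size_t) override { ++calls; return kOK; }
};

// Assumed layout: the second dword is the plane index the report says is
// never validated. Everything in this struct is caller-controlled.
struct GammaTableArgs {
    uint32_t transaction_id;
    uint32_t plane_index;
    uint32_t table[256];
};

constexpr size_t kMaxPlanes = 4;  // assumed size of the pointer array

struct DisplayPipe {
    std::array<Plane*, kMaxPlanes> planes{};  // unused slots stay null

    // Hardened set_plane_gamma_table: validate the index against the array
    // bound and reject empty slots before dereferencing anything.
    int setPlaneGammaTable(const GammaTableArgs& args) {
        if (args.plane_index >= planes.size())
            return kBadArgument;       // the check the report says is missing
        Plane* p = planes[args.plane_index];
        if (p == nullptr)
            return kNotReady;
        return p->setGammaTable(args.table, 256);
    }

    // External-method entry point: also verify the caller supplied a full
    // args structure before reading any field from it.
    int externalMethod(const void* input, size_t input_len) {
        if (input == nullptr || input_len < sizeof(GammaTableArgs))
            return kBadArgument;
        GammaTableArgs args;
        std::memcpy(&args, input, sizeof(args));  // copy-in, then validate
        return setPlaneGammaTable(args);
    }
};
```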

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 16 Jun 2014 at 2:00

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 16 Jun 2014 at 2:00

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 22 Aug 2014 at 9:36

GoogleCodeExporter commented 9 years ago
Deadline exceeded - automatically derestricting

Original comment by ianb...@google.com on 14 Sep 2014 at 12:19

GoogleCodeExporter commented 9 years ago
http://support.apple.com/kb/HT6443

Original comment by cev...@google.com on 23 Sep 2014 at 9:28