codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research

OS X IOKit kernel code execution due to lack of bounds checking in AppleMultitouchIODataQueue #36

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The clientMemoryForType method of AppleUSBMultitouchUserClient creates an 
AppleMultitouchIODataQueue and maps it into kernel/user shared memory. 
AppleMultitouchIODataQueue inherits from IODataQueue.

The memory which is mapped into userspace is represented by the variable-sized 
struct IODataQueueMemory:

typedef struct _IODataQueueMemory {
      UInt32 queueSize;
      volatile UInt32 head;
      volatile UInt32 tail;
      IODataQueueEntry queue[1];
} IODataQueueMemory;

These queueSize, head and tail values are used to ensure that the enqueued 
items stay within the bounds of the queue. Userspace can modify the queueSize, 
head and tail values such that the kernel will try to enqueue a value to the 
queue outside of the allocated memory.

Original issue reported on code.google.com by ianb...@google.com on 20 Jun 2014 at 3:58
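As an added illustration, not code from the original report or from Apple, the following C model shows the enqueue bounds logic described above in userspace: one variant takes queueSize, head and tail from the shared page (the pattern the report describes), the other validates a single snapshot of head and tail against an allocation size the kernel keeps for itself. The struct layout mirrors the one quoted above; ENTRY_HEADER, allocSize, the function names and the hardened variant are assumptions of this model, not Apple's fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define ENTRY_HEADER 4u   /* assumed: the UInt32 size word in front of each entry's data */
/* Layout of the page shared between kernel and userspace (mirrors IODataQueueMemory). */
typedef struct {
    uint32_t queueSize;
    volatile uint32_t head;
    volatile uint32_t tail;
    uint8_t  queue[];     /* IODataQueueEntry queue[1] in the real struct */
} QueueMemory;

/* Simplified ring arithmetic: where would an entry of dataSize bytes be written? */
static bool place_entry(uint32_t head, uint32_t tail, uint32_t queueSize,
                        uint32_t dataSize, uint32_t *offset) {
    uint32_t entrySize = dataSize + ENTRY_HEADER;
    if (tail >= head) {
        if (tail + entrySize <= queueSize) { *offset = tail; return true; } /* sum can wrap */
        if (head > entrySize) { *offset = 0; return true; }               /* wrap to start */
        return false;
    }
    if (head - tail > entrySize) { *offset = tail; return true; }
    return false;
}

/* Reported behaviour: queueSize, head and tail all come from the shared page, so a
 * tampered value passes the "fits" test and *offset lands past the real allocation. */
static bool enqueue_untrusted(const QueueMemory *q, uint32_t dataSize, uint32_t *offset) {
    return place_entry(q->head, q->tail, q->queueSize, dataSize, offset);
}

/* Hardened model (an assumed fix, not Apple's): use the kernel's own allocSize, read
 * head/tail once (the page can change underneath us), reject out-of-range indices. */
static bool enqueue_checked(const QueueMemory *q, uint32_t allocSize,
                            uint32_t dataSize, uint32_t *offset) {
    uint32_t head = q->head, tail = q->tail;
    if (allocSize < ENTRY_HEADER || allocSize > 0x7fffffffu) return false; /* no wrap below */
    if (head > allocSize || tail > allocSize) return false;  /* indices outside the data */
    if (dataSize > allocSize - ENTRY_HEADER) return false;   /* entry larger than the queue */
    return place_entry(head, tail, allocSize, dataSize, offset);
}

int main(void) {   /* constructed: userspace claims a 64 KiB queue, the kernel allocated 64 bytes */
    uint32_t off = 0;
    QueueMemory tampered = { .queueSize = 0x10000, .head = 0, .tail = 1000 };
    bool accepted = enqueue_untrusted(&tampered, 8, &off);
    printf("untrusted: accepted=%d offset=%u\n", accepted, off);
    printf("checked:   accepted=%d\n", enqueue_checked(&tampered, 64, 8, &off));
    return 0;
}
```

The unchecked variant also accepts a tail near 0xFFFFFFFF because tail + entrySize wraps below queueSize; the checked variant rejects it before any arithmetic runs.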

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 20 Jun 2014 at 5:54

GoogleCodeExporter commented 9 years ago
Apple requested more information, I sent them another PoC which crashes 
reliably for me as well as a panic log and system report. New PoC attached.

Original comment by ianb...@google.com on 27 Jun 2014 at 10:16

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 22 Aug 2014 at 9:37

GoogleCodeExporter commented 9 years ago
http://support.apple.com/kb/HT6441 (i.e. also affected iOS)
No mention of CVE in OS X update (http://support.apple.com/kb/HT6443) ??

Original comment by cev...@google.com on 23 Sep 2014 at 9:41

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 24 Sep 2014 at 9:44

GoogleCodeExporter commented 9 years ago
Interesting case.
Looks like it wasn't fixed in OS X until Yosemite: 
https://support.apple.com/kb/HT6535. Therefore, it can be observed:

1) By declaring this in the earlier iOS patch, Apple dropped a bug on their 
own OS X software.

2) The original report was against OS X, not iOS, so this definitely went over 
deadline -- by a month(!). Marking as such.

Original comment by cev...@google.com on 17 Oct 2014 at 7:01