codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research

OS X IOKit kernel code execution due to bad free in IOBluetoothFamily #37

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
IOBluetoothFamily implements its own queuing primitive: IOBluetoothDataQueue (doesn't appear to inherit from IODataQueue, but I could be wrong about that?)

IOBluetoothHCIPacketLogUserClient is userclient type 1 of IOBluetoothHCIController.

The IOBluetoothDataQueue free method uses the queue size field which was mapped into userspace when freeing the queue - a userspace client can modify this field forcing a bad kmem_free.

Original issue reported on code.google.com by ianb...@google.com on 23 Jun 2014 at 11:21

Attachments:
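As an added illustration (not code from this issue or from IOBluetoothFamily), a userspace model of the pattern the report describes: a free routine that reads its size from a header shared with the user process, beside a hardened form that frees with a kernel-private copy of the allocation size and treats a mismatch as tampering. The struct and function names are assumptions, and kmem_free is replaced by a stub that only records the size it was asked to free.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Header that, in the bug above, lives in memory mapped into the user process. */
struct shared_hdr {
    uint32_t queue_size;    /* queue size as advertised to userspace; user-writable */
    uint32_t head, tail;
};
/* Kernel-private bookkeeping (assumed layout): never mapped to userspace. */
struct bt_queue {
    struct shared_hdr *shared;
    size_t alloc_size;      /* authoritative size recorded at allocation */
};
/* Stand-in for kmem_free that only records the size it was handed; a real
 * allocator would act on it, which is what makes a tampered size a bad free. */
static size_t g_last_free_size;
static void kmem_free_stub(void *p, size_t size) { g_last_free_size = size; free(p); }

static struct bt_queue *bt_queue_create(uint32_t size) {
    struct bt_queue *q = calloc(1, sizeof *q);
    q->shared = calloc(1, size);
    q->shared->queue_size = size;
    q->alloc_size = size;
    return q;
}

/* Vulnerable pattern: the size passed to the free is read from the shared header. */
static size_t bt_queue_free_vulnerable(struct bt_queue *q) {
    kmem_free_stub(q->shared, q->shared->queue_size);
    free(q);
    return g_last_free_size;
}

/* Hardened pattern: free with the kernel-private size; the shared copy is only
 * compared so a mismatch can be logged or the request rejected. */
static size_t bt_queue_free_hardened(struct bt_queue *q, bool *tampered) {
    *tampered = (q->shared->queue_size != q->alloc_size);
    kmem_free_stub(q->shared, q->alloc_size);
    free(q);
    return g_last_free_size;
}

/* Models a user client rewriting the mapped size field before teardown and
 * returns the size the free routine actually used. */
static size_t simulate_teardown(bool hardened, bool *tampered) {
    struct bt_queue *q = bt_queue_create(4096);
    *tampered = false;
    q->shared->queue_size = 0x10000;   /* constructed user-side modification */
    return hardened ? bt_queue_free_hardened(q, tampered) : bt_queue_free_vulnerable(q);
}
```

The vulnerable path hands the allocator whatever the user wrote (0x10000 here), while the hardened path frees exactly the 4096 bytes it allocated and reports the discrepancy.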

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 23 Jun 2014 at 11:32

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 22 Aug 2014 at 9:37

GoogleCodeExporter commented 9 years ago
http://support.apple.com/kb/HT6443

Original comment by cev...@google.com on 23 Sep 2014 at 9:15