Exploitable Kernel NULL dereference in IGAccelCLContext::map_user_memory

[GoogleCodeExporter]

map_user_memory is selector 0x100 of userclient type 0x8 of IntelAccelerator

The field at offset 0x510 is a pointer to the task struct from which a vm_map_t 
is read.
By just opening the userclient and calling selector 0x100 with the right number 
of arguments the field at 0x510 is NULL meaning that the code will try to read 
a field of a task struct on the NULL page.

This PoC maps the NULL page to show control of a vm_map_t. Presumably bad 
things can be done with this.

tested on: MacBookAir5,2 w/ 10.10.1 (14B25)

Original issue reported on code.google.com by ianb...@google.com on 21 Nov 2014 at 3:22

Attachments:

• ig_cl_100.c

[GoogleCodeExporter]

Original comment by ianb...@google.com on 21 Nov 2014 at 3:24

• Added labels: Reported-2014-Nov-21, Id-614704287

[GoogleCodeExporter]

Apple advisory: http://support.apple.com/en-us/HT204244

Original comment by ianb...@google.com on 4 Feb 2015 at 11:58

• Changed state: Fixed
• Added labels: Fixed-2015-Jan-27, CVE-2014-8820
• Removed labels: Restrict-View-Commit