OS X Kernel UaF in hypervisor driver

[GoogleCodeExporter]

The hv_space lock group gets an extra ref dropped when you kill a process with 
an AppleHV userclient;
one via IOService::terminateWorker calling the AppleHVClient::free method 
(which calls lck_rw_free on the 
lock group using the pointer hanging off the global _hv variable) and secondly 
via the hypervisor
machine_thread_destroy callback (hv_callback_thread_destroy) which also calls 
lck_rw_free with a lock group
pointer taken from _hv.

tested on OS X 10.11 ElCapitan (15a284) on MacBookAir 5,2

Original issue reported on code.google.com by ianb...@google.com on 14 Oct 2015 at 3:42

Attachments:

• applehv_uaf.c

[GoogleCodeExporter]

Original comment by ianb...@google.com on 14 Oct 2015 at 3:44

• Added labels: Id-629983148, Reported-2015-Oct-14

[GoogleCodeExporter]

Apple advisory: https://support.apple.com/en-gb/HT205637

Original comment by ianb...@google.com on 20 Dec 2015 at 8:45

• Changed state: Fixed
• Added labels: CVE-2015-7078, Fixed-2015-Dec-08

[GoogleCodeExporter]

Original comment by ianb...@google.com on 27 Jan 2016 at 5:14

• Removed labels: Restrict-View-Commit