cr09philip / google-security-research

Automatically exported from code.google.com/p/google-security-research

Exploitable kernel NULL dereference in IntelAccelerator::gstqConfigure #595

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod.

In the ::start method this field is initialized to NULL. The IGAccelDevice external method gst_configure (0x206) calls gstqConfigure, which doesn't check whether the GSTContextKernel pointer is NULL; therefore, by calling this external method before calling any others which allocate the GSTContextKernel, we can cause a kernel NULL pointer dereference. The GSTContextKernel structure contains pointers, one of which eventually leads to control of a kernel virtual method call. This PoC will kernel panic calling 0xffff800041414141.

Tested on OS X El Capitan 10.11.1 (15b42) on MacBookAir5,2

Original issue reported on code.google.com by ianb...@google.com on 26 Oct 2015 at 3:43


GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 26 Oct 2015 at 3:45

GoogleCodeExporter commented 8 years ago
Apple advisory: https://support.apple.com/en-gb/HT205637

Original comment by ianb...@google.com on 20 Dec 2015 at 8:47

GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 27 Jan 2016 at 5:14