ericmckean / google-security-research

Automatically exported from code.google.com/p/google-security-research

OS X IOKit EoP due to lack of bounds checking in Intel GPU driver #181

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The first body dword of the token type 0x8e (BindTextures) of the Intel HD GL 
driver (IGAccelGLContext) is used in the function 
IGAccelGLContext::process_token_BindTextures to index an array of 
IOAccelResource2 pointers without validating that the index is valid.

By passing an invalid index we can force this function to read an 
IOAccelResource2 pointer out of bounds and pass it to 
IOAccelContext2::unbindResource which will call a virtual method on the invalid 
pointer.

Original issue reported on code.google.com by ianb...@google.com on 20 Nov 2014 at 11:15

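Added example, not Apple's driver code and not part of the original report: a hardened version of the BindTextures lookup in C, with the hypothetical AccelContext, Token and AccelResource types standing in for the GL context, the token and the IOAccelResource2 pointer array, showing the bounds check whose absence the report describes.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical stand-in for the accelerator resource object. */
typedef struct { uint32_t id; } AccelResource;

/* Hypothetical context: fixed table of resource pointers, standing in for the
 * IOAccelResource2 pointer array the report says the token dword indexes. */
#define RESOURCE_SLOTS 16
typedef struct { AccelResource *resources[RESOURCE_SLOTS]; } AccelContext;

/* Token as the report describes it: a type word plus body dwords.
 * The layout is a constructed assumption, not the driver's real format. */
typedef struct {
    uint32_t type;      /* 0x8e == BindTextures in the report */
    uint32_t body[4];   /* body[0] carries the resource index */
} Token;

enum { BIND_OK = 0, BIND_BAD_INDEX = -1, BIND_EMPTY_SLOT = -2 };

/* Hardened lookup: the untrusted index is validated against the table size
 * before it selects a pointer. The reported bug was the absence of this
 * check, so an out-of-range dword read a pointer past the array and handed
 * it to unbindResource, which then made a virtual call through it. */
int process_bind_textures(AccelContext *ctx, const Token *tok,
                          AccelResource **out)
{
    uint32_t idx = tok->body[0];     /* caller-controlled value */
    if (idx >= RESOURCE_SLOTS)       /* unsigned compare also rejects huge values */
        return BIND_BAD_INDEX;
    if (ctx->resources[idx] == NULL) /* in range but unused slot */
        return BIND_EMPTY_SLOT;
    *out = ctx->resources[idx];
    return BIND_OK;
}

/* Constructed context with resources in slots 0 and 1; runs one BindTextures
 * token with the given index through the checked path and returns the code. */
int demo_bind(uint32_t idx)
{
    static AccelResource r0 = { 0x100 }, r1 = { 0x101 };
    AccelContext ctx = { { &r0, &r1 } };   /* remaining slots stay NULL */
    Token tok = { 0x8e, { idx, 0, 0, 0 } };
    AccelResource *res = NULL;
    return process_bind_textures(&ctx, &tok, &res);
}
```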

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 20 Nov 2014 at 11:21

GoogleCodeExporter commented 9 years ago
Apple advisory: http://support.apple.com/en-us/HT204244

Original comment by ianb...@google.com on 4 Feb 2015 at 11:56