search

krishnateja / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

OS X IOKit kernel memory corruption due to bad bzero in IOBluetoothDevice #136

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
requirements: A bluetooth device must be connected (tested with an Apple 
bluetooth keyboard)

IOBluetoothDeviceUserClient::clientMemoryForType memory type 0xff calls
 __ZN17IOBluetoothDevice18getSCOOutputBufferEv
which calls IOBluetoothDevice::initializeRingBuffer to allocate a buffer to
map into userspace.

IOBluetoothDevice18getSCOOutputBuffer:
...
lea     rsi, [rbx+178h]  <-- pass pointer to this+0x178 in rsi
mov     edx, 3C00h
add     rsp, 8
pop     rbx
pop     rbp
jmp     rax              <-- tail call to initializeRingBuffer

IOBluetoothDevice::initializeRingBuffer(_IOBluetoothRingBuffer **, int):
...
mov     r14, rsi        <-- save pointer to this+0x178
...
call    __ZN24IOBufferMemoryDescriptor11withOptionsEjmm ; 
IOBufferMemoryDescriptor::withOptions(uint,ulong,ulong)
mov     r12, rax
mov     rax, [r12]
mov     rdi, r12
call    qword ptr [rax+20h] ; ::retain
mov     rax, [r12]
mov     rdi, r12
call    qword ptr [rax+2E0h] ; IOBufferMemoryDescriptor::getBytesNoCopy(void)
mov     rbx, rax                    <-- pointer to buffer in kernel space (will 
be shared with userspace)
lea     rdi, [rbx+10h]  ; void *
xor     esi, esi        ; int
mov     rdx, r15        ; size_t
call    _memset                     <-- clear it
mov     dword ptr [rbx], 0
mov     dword ptr [rbx+4], 0
mov     dword ptr [rbx+8], 0
mov     [rbx+0Ch], r13d             <-- write the size as the fourth dword
mov     [r14], rbx                  <-- save buffer pointer

This buffer will then be mapped into userspace.

Calling external method 4 eventually reaches the following code:
IOBluetoothDevice::startSCOOutput:

__text:0000000000030F62                 mov     rdi, [rbx+178h]            <-- 
pointer to shared buffer
__text:0000000000030F69                 test    rdi, rdi
__text:0000000000030F6C                 jz      loc_31039
__text:0000000000030F72                 mov     r14d, 0E00002D2h
__text:0000000000030F78                 cmp     byte ptr [rbx+188h], 0
__text:0000000000030F7F                 jnz     loc_31060
__text:0000000000030F85                 mov     esi, [rdi+0Ch]  ; size_t   <-- 
read size from userspace shared mem
__text:0000000000030F88                 add     rdi, 10h        ; void *
__text:0000000000030F8C                 call    _bzero                     <-- 
passed as size arg to bzero

Userspace can modify the size in shared memory leading to the bzero writing a 
controlled number of NULL bytes off the end of the buffer.

Original issue reported on code.google.com by ianb...@google.com on 23 Oct 2014 at 10:59

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 23 Oct 2014 at 11:02

GoogleCodeExporter commented 9 years ago 
Deadline exceeded - automatically derestricting

Original comment by ianb...@google.com on 21 Jan 2015 at 10:47

GoogleCodeExporter commented 9 years ago 
[deleted comment]
GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 26 Jan 2015 at 7:13

GoogleCodeExporter commented 9 years ago 
Apple advisory: http://support.apple.com/en-us/HT204244

Original comment by ianb...@google.com on 4 Feb 2015 at 11:53