OS X IOKit EoP due to lack of bounds checking in Intel GPU driver (IOAccelResource2::dirtyLevel)

lovesuae / google-security-research

Automatically exported from code.google.com/p/google-security-research

0 stars 0 forks source link

OS X IOKit EoP due to lack of bounds checking in Intel GPU driver (IOAccelResource2::dirtyLevel) #182

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

The Intel HD GPU driver function 
IGAccelGLContext::process_token_BindDrawFBOColor parses the token with ID 
0x9100. The dword at offset 0x14 in the token is passed to 
IOAccelResource2::dirtyLevel where it's used to computed an index for a memory 
write (OR'ing the low bit of a dword with 1) with no bounds checking.

PoC attached.

Original issue reported on code.google.com by ianb...@google.com on 20 Nov 2014 at 1:51

Attachments:

ig_gl_DirtyLevel.c

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 20 Nov 2014 at 1:55

Added labels: Id-614636613, Reported-2014-Nov-20

GoogleCodeExporter commented 9 years ago

Apple advisory: http://support.apple.com/en-us/HT204244

Original comment by ianb...@google.com on 5 Feb 2015 at 12:00

Changed state: Fixed
Added labels: CVE-2014-8821, Fixed-2015-Jan-27
Removed labels: Restrict-View-Commit