sla-cker / google-security-research

Automatically exported from code.google.com/p/google-security-research

OS X IOKit kernel code execution due to lack of bounds checking in IGAccelGLContext::BindQueryBufferMultiple #328

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The dword at offset 0x10 of the BindQueryBufferMultiple token used by the IGAccelGLContext user client is used as the size parameter in a memory-modifying loop without any bounds checking.

build:
  clang -Wall -dynamiclib -o ig_bind_qbm.dylib ig_bind_qbm.c -framework IOKit -arch i386 -arch x86_64

repro:
  DYLD_INSERT_LIBRARIES=./ig_bind_qbm.dylib  /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --single-process --no-sandbox

IMPACT:
This user client can be instantiated in the Chrome GPU process sandbox and the Safari renderer sandbox.

tested on: MacBookAir5,2 w/ 10.10.3/14D131

Original issue reported on code.google.com by ianb...@google.com on 10 Apr 2015 at 5:10

Attachments:
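Added illustration of the defect class the report describes, not the attached repro and not Apple's driver code: a constructed token whose dword at offset 0x10 is taken as a loop count, first consumed without a bounds check and then with the checks a hardened handler needs. The token layout, the array capacity and every name below are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed model of the BindQueryBufferMultiple token. The page only states that
 * the dword at offset 0x10 is used as a count; the layout, capacity and all names
 * below are assumptions for illustration, not the driver's real structures. */
#define QBM_COUNT_OFFSET  0x10
#define QBM_IDS_OFFSET    (QBM_COUNT_OFFSET + 4)
#define MAX_QUERY_BUFFERS 8                /* hypothetical per-context capacity */
#define CANARY            0xC0FFEE00u

struct bind_ctx {
    uint32_t query_buffers[MAX_QUERY_BUFFERS];
    uint32_t canary;                       /* right after the array, so an overrun is visible */
};
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Unchecked handler, modelled on the defect described: the token's count drives the write
 * loop with no comparison against the array capacity (byte-wise store keeps the demo in-object). */
int bind_qbm_unchecked(struct bind_ctx *ctx, const uint8_t *tok, size_t tok_len) {
    if (tok_len < QBM_IDS_OFFSET) return -1;
    uint32_t count = rd32(tok + QBM_COUNT_OFFSET);
    for (uint32_t i = 0; i < count; i++)
        memcpy((uint8_t *)ctx + offsetof(struct bind_ctx, query_buffers) + (size_t)i * 4,
               tok + QBM_IDS_OFFSET + (size_t)i * 4, 4);
    return 0;
}
/* Hardened handler: the count must fit the destination array and every id it
 * implies must lie inside the token length the caller actually supplied. */
int bind_qbm_checked(struct bind_ctx *ctx, const uint8_t *tok, size_t tok_len) {
    if (tok_len < QBM_IDS_OFFSET) return -1;               /* header truncated */
    uint32_t count = rd32(tok + QBM_COUNT_OFFSET);
    if (count > MAX_QUERY_BUFFERS) return -2;              /* would overrun query_buffers */
    if ((tok_len - QBM_IDS_OFFSET) / 4 < count) return -3; /* ids extend past the token */
    for (uint32_t i = 0; i < count; i++)
        ctx->query_buffers[i] = rd32(tok + QBM_IDS_OFFSET + (size_t)i * 4);
    return 0;
}
/* Runs one handler on a constructed token carrying `count` zero ids; returns the handler
 * status, or 100 when the handler returned 0 but the canary was clobbered. */
int run_qbm_demo(int use_checked, uint32_t count) {
    struct bind_ctx ctx; memset(&ctx, 0, sizeof ctx); ctx.canary = CANARY;
    uint8_t tok[QBM_IDS_OFFSET + 4 * 16] = {0};
    size_t len = QBM_IDS_OFFSET + (size_t)count * 4;       /* caller keeps count <= 16 */
    memcpy(tok + QBM_COUNT_OFFSET, &count, 4);
    int rc = use_checked ? bind_qbm_checked(&ctx, tok, len) : bind_qbm_unchecked(&ctx, tok, len);
    return (rc == 0 && ctx.canary != CANARY) ? 100 : rc;
}
```

With a count one past the capacity, the unchecked handler reports success while the canary behind the array is overwritten; the checked handler rejects the same token before any write.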

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 10 Apr 2015 at 5:12

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 17 Apr 2015 at 1:25

GoogleCodeExporter commented 9 years ago
https://support.apple.com/en-us/HT204942

Original comment by ianb...@google.com on 20 Jul 2015 at 11:20

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 31 Jul 2015 at 10:10