OS X IOKit kernel code execution due to use of IOAccelSurface2::convertGLIndexToBufferIndex error code return value as buffer index

[GoogleCodeExporter]

The function IOAccelSurface2::convertGLIndexToBufferIndex converts an 
eIOAccelGLBufferType enum value to a surface buffer index.
If convertGLIndexToBufferIndex is passed an invalid enum value it returns 
0xffff, however no call sites actually check the return value and blindly pass 
it to IGAccelGLContext::getSurfaceBuffer which will use the index to read an 
object pointer out-of-bounds and then call a virtual function.

This PoC modifies the BindDepthBuffer token to overwrite the value at offset +8 
which is passed to convertGLIndexToBufferIndex.

It may be necessary to run the PoC a few times to hit the crash, since if the 
OOB value is NULL or the field at +40 of the read pointer is NULL then this 
will just hit an error path and not crash.

tested on: MacBookAir5,2 w/ 10.10.3 (14D131)
build: clang -Wall -dynamiclib -o ig_convertGLIndex.dylib ig_convertGLIndex.c 
-framework IOKit -arch i386 -arch x86_64
run: DYLD_INSERT_LIBRARIES=./ig_convertGLIndex.dylib 
/Applications/Chess.app/Contents/MacOS/Chess
note: because of the nature of the heap oob read you may have to run the repro 
a few times to hit a bad value

Original issue reported on code.google.com by ianb...@google.com on 17 Apr 2015 at 1:29

Attachments:

• ig_convertGLIndex.c

[GoogleCodeExporter]

Original comment by ianb...@google.com on 17 Apr 2015 at 1:31

• Added labels: Id-621705895, Reported-2015-Apr-17

[GoogleCodeExporter]

Original comment by ianb...@google.com on 17 Apr 2015 at 4:15

[GoogleCodeExporter]

https://support.apple.com/en-us/HT204942

Original comment by ianb...@google.com on 20 Jul 2015 at 11:24

• Changed state: Fixed
• Added labels: CVE-2015-3701, Fixed-2015-Jun-30

[GoogleCodeExporter]

Original comment by ianb...@google.com on 31 Jul 2015 at 10:11

• Removed labels: Restrict-View-Commit