sla-cker / google-security-research

Automatically exported from code.google.com/p/google-security-research

OS X IOKit kernel code execution due to insufficient bounds checking in nvidia GeForce command buffer processing #341

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The dword at offset +0x78 of token type 0x8900 of the nvidia GeForce GLContext command buffer is used to compute the offset for a kernel memory write with insufficient bounds checking.

tested on: MacBookPro10,1 w/ 10.10.3 (14D131)

build: clang -Wall -dynamiclib -o nv_alloclist.dylib nv_alloclist.c -framework IOKit -arch i386 -arch x86_64
run: DYLD_INSERT_LIBRARIES=./nv_alloclist.dylib /Applications/Google\ Chrome\ Canary.app/Contents/MacOS/Google\ Chrome\ Canary --single-process --force_discrete_gpu "http://interactivehaiku.com/lifeisshort/"

note: --force_discrete_gpu will force chrome to use the nvidia gpu rather than the intel integrated one.

Reachable from sandboxes which allow GPU access.

Original issue reported on code.google.com by ianb...@google.com on 23 Apr 2015 at 11:58
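Added illustration, not the report's attachment or the driver's code: a constructed C model of a command-buffer token handler that performs the bounds check the report says is missing. The token layout (type word at +0x00, untrusted offset at +0x78, one 4-byte write), the 64-byte destination region and all names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed token model (not the driver's real layout): a 32-bit type word
 * at +0x00 and, for type 0x8900, an untrusted 32-bit offset at +0x78. */
#define TOKEN_TYPE_8900  0x8900u
#define OFFSET_FIELD     0x78u
#define TOKEN_MIN_LEN    (OFFSET_FIELD + sizeof(uint32_t))
#define WRITE_LEN        sizeof(uint32_t)

/* Hypothetical destination the offset indexes into; stands in for the
 * kernel allocation the report says is written out of bounds. */
struct region { uint8_t *base; size_t len; };

enum verdict { TOKEN_IGNORED = 0, TOKEN_REJECTED = 1, TOKEN_WRITTEN = 2 };

/* Hardened handler: every value read from the token is attacker controlled,
 * so the destination is validated before any write. */
enum verdict handle_token(const uint8_t *tok, size_t tok_len,
                          struct region *dst, uint32_t value)
{
    uint32_t type, off;
    if (tok_len < TOKEN_MIN_LEN)
        return TOKEN_REJECTED;           /* field at +0x78 is not present */
    memcpy(&type, tok, sizeof type);
    if (type != TOKEN_TYPE_8900)
        return TOKEN_IGNORED;            /* other types are not modelled */
    memcpy(&off, tok + OFFSET_FIELD, sizeof off);
    /* Wrap-safe check: subtract WRITE_LEN from len only once len can hold
     * one write, then compare the raw offset against that bound. */
    if (dst->len < WRITE_LEN || (size_t)off > dst->len - WRITE_LEN)
        return TOKEN_REJECTED;           /* write would leave the region */
    memcpy(dst->base + off, &value, WRITE_LEN);
    return TOKEN_WRITTEN;
}

/* Builds a token in a local buffer, runs it against a 64-byte region and
 * returns the verdict, so each case is a single call. */
int run_case(uint32_t type, uint32_t off, size_t tok_len)
{
    uint8_t tok[0x80], mem[64];
    struct region r = { mem, sizeof mem };
    memset(tok, 0, sizeof tok);
    memcpy(tok, &type, sizeof type);
    memcpy(tok + OFFSET_FIELD, &off, sizeof off);
    return (int)handle_token(tok, tok_len, &r, 0x41424344u);
}
```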

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 23 Apr 2015 at 12:00

GoogleCodeExporter commented 9 years ago
https://support.apple.com/en-us/HT204942

Original comment by ianb...@google.com on 3 Jul 2015 at 11:30

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 31 Jul 2015 at 10:11