telnetgmike / google-security-research

Automatically exported from code.google.com/p/google-security-research

OS X IOKit kernel code execution due to NULL pointer dereference in IOThunderboltFamily #24

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
IOThunderboltFamilyUserClient::xDomainRequestAction doesn't verify that a 
pointer is non-NULL before calling a virtual function, giving trivial kernel 
RIP control if the user process maps the NULL page, as this PoC demonstrates.

IOThunderboltFamilyUserClient::xDomainRequestAction is called by 
IOThunderboltFamilyUserClient::xDomainRequest, which is selector 13 of 
IOThunderboltController.

Original issue reported on code.google.com by ianb...@google.com on 22 May 2014 at 8:03

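The bug class described in the report, as an added illustration in IOKit-style C++ that is not the IOThunderboltFamily code or the attached PoC: the request layout, the domain lookup and the class names are hypothetical, and the two IOReturn values are declared locally so it builds without the IOKit headers.

```cpp
#include <cstdint>
#include <cstddef>

// IOReturn and two of its values, declared locally (values as in IOKit/IOReturn.h).
typedef int IOReturn;
static const IOReturn kIOReturnSuccess = 0;
static const IOReturn kIOReturnBadArgument = (IOReturn)0xe00002c2;

// Stand-in for the kernel object the action dispatches to (hypothetical).
class XDomainTarget {
public:
    virtual ~XDomainTarget() {}
    virtual IOReturn handleRequest(uint32_t opcode) {
        lastOpcode = opcode;
        return kIOReturnSuccess;
    }
    uint32_t lastOpcode = 0;
};

// What the user client receives from the external method (hypothetical layout).
struct XDomainRequest {
    uint32_t domainID;
    uint32_t opcode;
};

// Hypothetical lookup over two constructed domains; any other ID yields NULL,
// which is exactly the case the vulnerable action never considers.
static XDomainTarget g_domains[2];
XDomainTarget *lookupDomain(uint32_t domainID) {
    return domainID < 2 ? &g_domains[domainID] : NULL;
}

// Vulnerable shape: the virtual call loads a vtable pointer through 'target'.
// With target == NULL that load reads address 0, so a process that has mapped
// the NULL page supplies the function pointer the kernel jumps to.
// (Never invoked with an unknown domainID in this example.)
IOReturn xDomainRequestAction_unchecked(const XDomainRequest &req) {
    XDomainTarget *target = lookupDomain(req.domainID);
    return target->handleRequest(req.opcode);
}

// Hardened shape: fail the request before any dereference.
IOReturn xDomainRequestAction_checked(const XDomainRequest &req) {
    XDomainTarget *target = lookupDomain(req.domainID);
    if (target == NULL)
        return kIOReturnBadArgument;
    return target->handleRequest(req.opcode);
}
```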
GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 22 May 2014 at 8:16

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 23 May 2014 at 4:37

GoogleCodeExporter commented 9 years ago
This bug appears to have been fixed, though I wasn't notified. I've emailed 
Apple to find out if it was a collision with an internal find or not.

Original comment by ianb...@google.com on 22 Aug 2014 at 1:07

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 22 Aug 2014 at 9:34