telnetgmike / google-security-research

Automatically exported from code.google.com/p/google-security-research

OS X IOKit kernel code execution due to multiple bounds checking issues in IGAccelGLContext token parsing (x3) #34

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The functions IGAccelGLContext::process_token_BindConstantBuffers, IGAccelGLContext::process_token_BindDrawFBOColor and IGAccelGLContext::process_token_BindTextures fail to bounds-check the dword at offset 0x10 of the token they're parsing - this value is read from user/kernel shared memory and is thus completely attacker controlled. The value is used as the index for a kernel memory write.

(See previous token parsing bugs for more details of the IOAccelerator token structures.)

These PoCs find the tokens in shared memory and set the offset to a large value to cause a kernel panic.

IMPACT:
This userclient can be instantiated from the chrome gpu sandbox and the safari renderer sandbox.

Original issue reported on code.google.com by ianb...@google.com on 17 Jun 2014 at 4:35
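
The defect pattern the report describes (an index dword read from user/kernel shared memory and used unchecked as a kernel write index) next to a hardened form, as an added example that is neither the report's PoC nor Apple's code; the token layout, slot table and function names are hypothetical stand-ins:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the token the report describes: a dword at offset
 * 0x10, read from user/kernel shared memory, used as a write index. Not the
 * real IOAccelerator layout. */
#define TOKEN_INDEX_OFFSET 0x10
#define TOKEN_SIZE         0x20
#define NUM_SLOTS          16

typedef struct { uint64_t slots[NUM_SLOTS]; } bind_state_t;

/* Vulnerable pattern (kept only for contrast): the index is never compared
 * against the table size, so NUM_SLOTS or above writes outside slots[]. */
static int process_token_unchecked(bind_state_t *st, const uint8_t *tok, uint64_t v)
{
    uint32_t idx;
    memcpy(&idx, tok + TOKEN_INDEX_OFFSET, sizeof idx);
    st->slots[idx] = v;
    return 0;
}

/* Hardened form: copy the dword out of shared memory exactly once into a
 * kernel-owned local, validate that local, then use it. Re-reading the shared
 * page after the check would let the producer change the value in between. */
static int process_token_checked(bind_state_t *st, const uint8_t *tok,
                                 size_t tok_len, uint64_t v)
{
    uint32_t idx;
    if (tok_len < TOKEN_INDEX_OFFSET + sizeof idx)
        return -1;              /* token too short to contain the index */
    memcpy(&idx, tok + TOKEN_INDEX_OFFSET, sizeof idx);
    if (idx >= NUM_SLOTS)
        return -1;              /* attacker-controlled index out of range */
    st->slots[idx] = v;
    return 0;
}

/* Build a constructed token holding idx at offset 0x10 and run it through the
 * checked parser on a fresh table. Returns the parser's verdict: 0 accepted,
 * -1 rejected. Takes tok_len so the short-token case can be exercised too. */
static int check_index(uint32_t idx, size_t tok_len)
{
    bind_state_t st = {{0}};
    uint8_t tok[TOKEN_SIZE] = {0};
    memcpy(tok + TOKEN_INDEX_OFFSET, &idx, sizeof idx);
    return process_token_checked(&st, tok, tok_len, 0x41);
}
```

The same single-fetch-then-check shape applies to all three handlers named in the report, since each reads the same attacker-controlled dword.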


GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 17 Jun 2014 at 5:29

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 21 Jun 2014 at 7:03

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 22 Aug 2014 at 9:37

GoogleCodeExporter commented 9 years ago
Deadline exceeded - automatically derestricting

Original comment by ianb...@google.com on 15 Sep 2014 at 12:53

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 15 Sep 2014 at 12:55

GoogleCodeExporter commented 9 years ago
http://support.apple.com/kb/HT6443

Original comment by cev...@google.com on 23 Sep 2014 at 9:25