v4ng3l1s / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Exploitable Kernel NULL dereference in IGAccelCLContext::map_user_memory #191

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
map_user_memory is selector 0x100 of userclient type 0x8 of IntelAccelerator

The field at offset 0x510 is a pointer to the task struct from which a vm_map_t 
is read.
By just opening the userclient and calling selector 0x100 with the right number 
of arguments the field at 0x510 is NULL meaning that the code will try to read 
a field of a task struct on the NULL page.

This PoC maps the NULL page to show control of a vm_map_t. Presumably bad 
things can be done with this.

tested on: MacBookAir5,2 w/ 10.10.1 (14B25)

Original issue reported on code.google.com by ianb...@google.com on 21 Nov 2014 at 3:22

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 21 Nov 2014 at 3:24

GoogleCodeExporter commented 9 years ago
Apple advisory: http://support.apple.com/en-us/HT204244

Original comment by ianb...@google.com on 4 Feb 2015 at 11:58