macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free

2016-12-22 05:05:13

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=930

IOUserClient subclasses which override IOUserClient::externalMethod need to ensure that if they return
kIOReturnSuccess they actually take ownership of the mach_port_t asyncWakePort if they are called via
IOConnectCallAsyncMethod.

If the userclient code doesn't take ownership of the mach port and returns a success code MIG assumes that
they did take ownership and won't release it's reference on the port. This leads to a reference count leak.

See the previous bug for more in-depth discussion.

This PoC targets IOSurface which was just the first userclient I looked at; I imagine more are vulnerable.
This PoC takes about an hour on 4 core MacBookPro to trigger the kernel UaF.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40955.zip

Fixes

No fixes

In order to submit a new fix you need to be registered.