<--

macOS IOFireWireAVC Kernel Extension Out of Bounds Vulnerability

Aleph Research Advisory

Identifier

Severity

High

Product

macOS

Vulnerable Versions

  1. macOS Sierra 10.12.3 and earlier.

Mitigation

Install macOS Sierra 10.12.4

Summary

A case of improper bounds checking in the IOFireWireAVC Kernel Extension.

Technical Details

The vulnerable code can be found in IOFireWireAVC-424/IOFireWireAVC/IOFireWireAVCUserClient.cpp:

[...]
case kIOFWAVCUserClientCreateAsyncAVCCommand:
	result = CreateAVCAsyncCommand((UInt8*)arguments->structureInput, 
              (UInt8*)arguments->structureOutput, 
			  arguments->structureInputSize, 
			  (UInt32*)&arguments->structureOutputSize);
	break; 
[...]

structureInputSize is a value that is controlled by the user passing the arguments from userspace, and it is used to determine a command length. However, the called function CreateAVCAsyncCommand fails to properly validate the length.

IOReturn IOFireWireAVCUserClient::CreateAVCAsyncCommand(UInt8 * cmd, UInt8 *   asyncAVCCommandHandle, UInt32 len, UInt32 *refSize)
{
	IOReturn res = kIOReturnNoMemory;
	UInt32 *pReturnedCommandHandle = (UInt32*) asyncAVCCommandHandle;
	UInt32 cmdLen = len - sizeof(mach_vm_address_t);                             // decrease len by 8
	mach_vm_address_t *ppSharedBufAddress = (mach_vm_address_t*) &cmd[cmdLen];   // (a) 			
[...]		
	// Create the memory descriptor for the user/kernel shared response buffer
	pUCAsyncCommand->fMem = IOMemoryDescriptor::withAddressRange( *ppSharedBufAddress, 1024, kIODirectionInOut, fTask ) ;  // (b)
[...]
}

The function will create a user/kernel shared buffer (b), with an address pointer controlled by an attacker (a). This can lead to a variety of potentially dangerous situations such as a memory read and write.

Timeline

  • 28-Mar-17
    : Public disclosure.
  • 28-Mar-17
    : Added as ALEPH-2017015.
  • 27-Mar-17
    : Patch available.

Credit

  • Orr A of Aleph Research, HCL Technologies

External References