macOS
macOS Sierra 10.12.3 and earlier.
Install macOS Sierra 10.12.4
A case of improper bounds checking in the IOFireWireAVC
Kernel Extension.
The vulnerable code can be found in IOFireWireAVC-424/IOFireWireAVC/IOFireWireAVCUserClient.cpp
:
[...]
case kIOFWAVCUserClientCreateAsyncAVCCommand:
result = CreateAVCAsyncCommand((UInt8*)arguments->structureInput,
(UInt8*)arguments->structureOutput,
arguments->structureInputSize,
(UInt32*)&arguments->structureOutputSize);
break;
[...]
structureInputSize
is a value that is controlled by the user passing the arguments from userspace, and it is used to determine a command length. However, the called function CreateAVCAsyncCommand
fails to properly validate the length.
IOReturn IOFireWireAVCUserClient::CreateAVCAsyncCommand(UInt8 * cmd, UInt8 * asyncAVCCommandHandle, UInt32 len, UInt32 *refSize)
{
IOReturn res = kIOReturnNoMemory;
UInt32 *pReturnedCommandHandle = (UInt32*) asyncAVCCommandHandle;
UInt32 cmdLen = len - sizeof(mach_vm_address_t); // decrease len by 8
mach_vm_address_t *ppSharedBufAddress = (mach_vm_address_t*) &cmd[cmdLen]; // (a)
[...]
// Create the memory descriptor for the user/kernel shared response buffer
pUCAsyncCommand->fMem = IOMemoryDescriptor::withAddressRange( *ppSharedBufAddress, 1024, kIODirectionInOut, fTask ) ; // (b)
[...]
}
The function will create a user/kernel shared buffer (b), with an address pointer controlled by an attacker (a). This can lead to a variety of potentially dangerous situations such as a memory read and write.