
Apple iOS/watchOS/tvOS IOKit Buffer Overflow in Device-Tree Parsing

Aleph Research Advisory

Identifier

Severity

Low

Products

  1. Apple iOS

  2. Apple watchOS

  3. Apple tvOS

Vulnerable Versions

  1. iOS 10.3.1 and earlier

  2. watchOS 3.2 and earlier

  3. tvOS 10.2 and earlier

Mitigation

Update to latest versions.

Technical Details

An issue exists in iokit/Kernel/IONVRAM.cpp:

At (1), IODTNVRAM::init() allocates _nvramImage with a fixed size of kIODTNVRAMImageSize (0x2000 bytes) and then calls initProxyData():

bool IODTNVRAM::init(IORegistryEntry *old, const IORegistryPlane *plane)
{
  [...]

  _nvramImage = IONew(UInt8, kIODTNVRAMImageSize);  // (1) fixed-size allocation
  if (_nvramImage == 0) return false;

  [...]

  initProxyData();

  [...]
}

At (2), the function copies the contents of the /chosen/nvram-proxy-data device-tree entry into _nvramImage without checking the length of that data, which must not exceed kIODTNVRAMImageSize.

void IODTNVRAM::initProxyData(void)
{
  IORegistryEntry *entry;
  const char *key = "nvram-proxy-data";
  OSObject *prop;
  OSData *data;
  const void *bytes;

  entry = IORegistryEntry::fromPath("/chosen", gIODTPlane);
  if (entry != 0) {
    prop = entry->getProperty(key);
    if (prop != 0) {
      data = OSDynamicCast(OSData, prop);
      if (data != 0) {
        bytes = data->getBytesNoCopy();
        if (bytes != 0) {
          bcopy(bytes, _nvramImage, data->getLength());  // (2) - no size check.
          initNVRAMImage();
          _isProxied = true;
        }
      }
    }
    entry->removeProperty(key);
    entry->release();
  }
}

An attacker able to control the nvram-proxy-data device-tree entry, which is shipped as part of firmware updates, could supply more than kIODTNVRAMImageSize bytes and overflow _nvramImage.
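As an added illustration (not Apple's code), the following user-space model performs the same property lookup and copy with the length check that the bcopy() at (2) lacks; the dt_property and nvram structs, the status enum, the demo functions and the constructed blobs are assumptions for the example:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Apple's code: a user-space model of initProxyData() with
 * the length check that the advisory says is missing at (2). */
#define kIODTNVRAMImageSize 0x2000        /* buffer size from the advisory */

/* Constructed stand-in for an OSData property on the /chosen node. */
struct dt_property { const char *key; const uint8_t *bytes; size_t length; };
struct nvram { uint8_t image[kIODTNVRAMImageSize]; bool is_proxied; };
enum proxy_status { PROXY_OK, PROXY_NOT_FOUND, PROXY_TOO_LARGE };

/* Hypothetical hardened equivalent of initProxyData(): look up the
 * nvram-proxy-data property and copy it into the fixed-size image only when
 * its length fits the destination. */
enum proxy_status init_proxy_data_checked(struct nvram *nv,
                                          const struct dt_property *props,
                                          size_t nprops)
{
    for (size_t i = 0; i < nprops; i++) {
        if (strcmp(props[i].key, "nvram-proxy-data") != 0 || props[i].bytes == NULL)
            continue;
        /* The check the original bcopy() lacks: a property longer than
         * kIODTNVRAMImageSize would write past the end of _nvramImage. */
        if (props[i].length > sizeof nv->image)
            return PROXY_TOO_LARGE;
        memcpy(nv->image, props[i].bytes, props[i].length);
        nv->is_proxied = true;
        return PROXY_OK;
    }
    return PROXY_NOT_FOUND;
}

/* Constructed inputs: an image that fits exactly and one 16 bytes too long. */
static const uint8_t good_blob[kIODTNVRAMImageSize];
static const uint8_t big_blob[kIODTNVRAMImageSize + 16];
static struct nvram nv;                   /* static: 8 KiB, keep it off the stack */

enum proxy_status demo(const uint8_t *blob, size_t len)
{
    struct dt_property props[] = { { "nvram-proxy-data", blob, len } };
    memset(&nv, 0, sizeof nv);
    return init_proxy_data_checked(&nv, props, 1);
}

enum proxy_status demo_in_bounds(void) { return demo(good_blob, sizeof good_blob); }
enum proxy_status demo_oversized(void) { return demo(big_blob, sizeof big_blob); }
```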

Patch

Apple has addressed the issue through additional kernel hardening.

Timeline

  • 17-Jul-17: Deadline.
  • 25-May-17: Public disclosure.
  • 15-May-17: Patch available (About the security content of watchOS 3.2.2).
  • 15-May-17: Patch available (About the security content of tvOS 10.2.1).
  • 15-May-17: Patch available (About the security content of iOS 10.3.2).
  • 29-Mar-17: Reported.
  • 29-Mar-17: Added as ALEPH-2017017.

Credit

  • Orr A of Aleph Research, HCL Technologies