XNU Stale Pointer Use-After-Free

2019-05-21T00:00:00
ID PACKETSTORM:152993
Type packetstorm
Reporter Google Security Research
Modified 2019-05-21T00:00:00

Description

                                        
                                            `XNU: Use-after-free due to stale pointer left by in6_pcbdetach   
  
Related CVE Numbers: CVE-2019-8605Fixed-2019-May-13.  
  
  
# Reproduction  
Repros on 10.14.3 when run as root. It may need multiple tries to trigger.  
$ clang -o in6_selectsrc in6_selectsrc.cc  
$ while 1; do sudo ./in6_selectsrc; done  
res0: 3  
res1: 0  
res1.5: -1 // failure expected here  
res2: 0  
done  
...  
[crash]  
  
# Explanation  
The following snippet is taken from in6_pcbdetach:  
```  
void  
in6_pcbdetach(struct inpcb *inp)  
{  
// ...  
\tif (!(so->so_flags & SOF_PCBCLEARING)) {  
\t\tstruct ip_moptions *imo;  
\t\tstruct ip6_moptions *im6o;  
  
\t\tinp->inp_vflag = 0;  
\t\tif (inp->in6p_options != NULL) {  
\t\t\tm_freem(inp->in6p_options);  
\t\t\tinp->in6p_options = NULL; // <- good  
\t\t}  
\t\tip6_freepcbopts(inp->in6p_outputopts); // <- bad  
\t\tROUTE_RELEASE(&inp->in6p_route);  
\t\t// free IPv4 related resources in case of mapped addr  
\t\tif (inp->inp_options != NULL) {  
\t\t\t(void) m_free(inp->inp_options); // <- good  
\t\t\tinp->inp_options = NULL;  
\t\t}  
```  
  
Notice that freed options must also be cleared so they are not accidentally reused.  
This can happen when a socket is disconnected and reconnected without being destroyed.  
In the inp->in6p_outputopts case, the options are freed but not cleared, so they can be  
used after they are freed.  
  
This specific PoC requires root because I use raw sockets, but it's possible other socket  
types suffer from this same vulnerability.  
  
# Crash Log  
panic(cpu 4 caller 0xffffff8015cda29d): Kernel trap at 0xffffff8016011764, type 13=general protection, registers:  
CR0: 0x0000000080010033, CR2: 0x00007f9ae1801000, CR3: 0x000000069fc5f111, CR4: 0x00000000003626e0  
RAX: 0x0000000000000001, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000000000, RDX: 0x0000000000000000  
RSP: 0xffffffa3ffa5bd30, RBP: 0xffffffa3ffa5bdc0, RSI: 0x0000000000000000, RDI: 0x0000000000000001  
R8: 0x0000000000000000, R9: 0xffffffa3ffa5bde0, R10: 0xffffff801664de20, R11: 0x0000000000000000  
R12: 0x0000000000000000, R13: 0xffffff80719b7940, R14: 0xffffff8067fdc660, R15: 0x0000000000000000  
RFL: 0x0000000000010282, RIP: 0xffffff8016011764, CS: 0x0000000000000008, SS: 0x0000000000000010  
Fault CR2: 0x00007f9ae1801000, Error code: 0x0000000000000000, Fault CPU: 0x4, PL: 0, VF: 0  
  
Backtrace (CPU 4), Frame : Return Address  
0xffffff801594e290 : 0xffffff8015baeb0d mach_kernel : _handle_debugger_trap + 0x48d  
0xffffff801594e2e0 : 0xffffff8015ce8653 mach_kernel : _kdp_i386_trap + 0x153  
0xffffff801594e320 : 0xffffff8015cda07a mach_kernel : _kernel_trap + 0x4fa  
0xffffff801594e390 : 0xffffff8015b5bca0 mach_kernel : _return_from_trap + 0xe0  
0xffffff801594e3b0 : 0xffffff8015bae527 mach_kernel : _panic_trap_to_debugger + 0x197  
0xffffff801594e4d0 : 0xffffff8015bae373 mach_kernel : _panic + 0x63  
0xffffff801594e540 : 0xffffff8015cda29d mach_kernel : _kernel_trap + 0x71d  
0xffffff801594e6b0 : 0xffffff8015b5bca0 mach_kernel : _return_from_trap + 0xe0  
0xffffff801594e6d0 : 0xffffff8016011764 mach_kernel : _in6_selectsrc + 0x114  
0xffffffa3ffa5bdc0 : 0xffffff8016043015 mach_kernel : _nd6_setdefaultiface + 0xd75  
0xffffffa3ffa5be20 : 0xffffff8016120274 mach_kernel : _soconnectlock + 0x284  
0xffffffa3ffa5be60 : 0xffffff80161317bf mach_kernel : _connect_nocancel + 0x20f  
0xffffffa3ffa5bf40 : 0xffffff80161b62bb mach_kernel : _unix_syscall64 + 0x26b  
0xffffffa3ffa5bfa0 : 0xffffff8015b5c466 mach_kernel : _hndl_unix_scall64 + 0x16  
  
BSD process name corresponding to current thread: in6_selectsrc  
Boot args: keepsyms=1 -v=1  
  
Mac OS version:  
18D109  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available (whichever is earlier), the bug  
report will become visible to the public.  
  
  
  
Found by: nedwill@google.com  
  
`