Apple Intel GPU Driver - Use-After-FreeDouble-Delete due to bad Locking

Apple Intel GPU Driver - Use-After-FreeDouble-Delete due to bad Locking / This PoC file might look familiar; this bug is a trivial variant of CVE-2016-1744 Apple bug id 635599405. That report showed the bug in the unmapusermemory external methods; a variant also exists in the mapusermemory extern...

Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking

/ This PoC file might look familiar; this bug is a trivial variant of CVE-2016-1744 Apple bug id 635599405. That report showed the bug in the unmapusermemory external methods; a variant also exists in the mapusermemory external methods. The intel graphics drivers have their own hash table type...

Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking Exploit

Exploit for macOS platform in category dos / poc / This PoC file might look familiar; this bug is a trivial variant of CVE-2016-1744 Apple bug id 635599405. That report showed the bug in the unmapusermemory external methods; a variant also exists in the mapusermemory external methods. The intel...

Apple iOS / MacOS Domain Socket Kernel Use-After-Free(CVE-2017-2501)

iOS/MacOS kernel uaf due to bad locking in unix domain socket file descriptor externalization unpexternalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver and recreating a file which...

Apple iOS / macOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor E

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123 unpexternalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver...

Apple macOS/iOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123 unpexternalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver and recreating a file which looks looks to userspac...

macOS / iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device Exploit

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129 fseventsfioctl handles ioctls on fsevent fds acquired via FSEVENTSCLONE64 on /dev/fsevents Heres the code for the FSEVENTSDEVICEFILTER64 ioctl: case FSEVENTSDEVICEFILTER64:...

Apple macOSiOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device

Apple macOSiOS Kernel 10.12.3 16D32 - Double-Free Due to Bad Locking in fsevents Device / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129 fseventsfioctl handles ioctls on fsevent fds acquired via FSEVENTSCLONE64 on /dev/fsevents Heres the code for the FSEVENTSDEVICEFILTER64...

Apple macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necpopen is a syscall used to obtain a new necp file descriptor The necp file's fp's fgdata points to a struct necpfddata allocated on the heap. Here's the relevant code from necpopen: error = fallocp, &fp, &fd,...

Apple macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129 fseventsfioctl handles ioctls on fsevent fds acquired via FSEVENTSCLONE64 on /dev/fsevents Heres the code for the FSEVENTSDEVICEFILTER64 ioctl: case FSEVENTSDEVICEFILTER64: if !procis64bitvfscontextprocctx ret = EINVAL; brea...

Apple macOSiOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free

Apple macOSiOS Kernel 10.12.3 16D32 - Bad Locking in necpopen Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necpopen is a syscall used to obtain a new necp file descriptor The necp file's fp's fgdata points to a struct necpfddata allocated on the heap...

macOS / iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free Exploit

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necpopen is a syscall used to obtain a new necp file descriptor The necp file's fp's fgdata points to a struct necpfddata allocated on the heap. Here's the relevant code fr...

Apple Mac OSX - Kernel Use-After-Free Due to Bad Locking in IOAcceleratorFamily2

Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=772 In IOAccelContext2::clientMemoryForType the lockbusy/unlockbusy should be extended to cover all the code setting up shared memory type 2. At the moment the lock doesn't protect...

Apple Mac OSX Kernel - Use-After-Free Due to Bad Locking in IOAcceleratorFamily2

Apple Mac OSX Kernel - Use-After-Free Due to Bad Locking in IOAcceleratorFamily2 / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=772 In IOAccelContext2::clientMemoryForType the lockbusy/unlockbusy should be extended to cover all the code setting up shared memory type 2. At the...

Apple Mac OSX Kernel - Use-After-Free Due to Bad Locking in IOAcceleratorFamily2

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=772 In IOAccelContext2::clientMemoryForType the lockbusy/unlockbusy should be extended to cover all the code setting up shared memory type 2. At the moment the lock doesn't protect two threads racing where one reaches the release...