Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory

iohideventsystem sets up a shared memory event queue; at the end of this shared memory buffer it puts a mach message which it sends whenever it wants to notify a client that there's data available in the queue. As a client we can modify this mach message such that the server hidd on MacOS,...