macOS < 10.14.5 / iOS < 12.3 XNU - in6_pcbdetach Stale Pointer Use-After-Free Exploit

macOS soflags & SOFPCBCLEARING struct ipmoptions imo; struct ip6moptions im6o; inp-inpvflag = 0; if inp-in6poptions != NULL mfreeminp-in6poptions; inp-in6poptions = NULL; // in6poutputopts; // in6proute; // free IPv4 related resources in case of mapped addr if inp-inpoptions != NULL void...

Apple macOS 10.14.5 iOS 12.3 XNU - in6_pcbdetach Stale Pointer Use-After-Free

Apple macOS 10.14.5 iOS 12.3 XNU - in6pcbdetach Stale Pointer Use-After-Free Reproduction Repros on 10.14.3 when run as root. It may need multiple tries to trigger. $ clang -o in6selectsrc in6selectsrc.cc $ while 1; do sudo ./in6selectsrc; done res0: 3 res1: 0 res1.5: -1 // failure expected here...

XNU Stale Pointer Use-After-Free

XNU: Use-after-free due to stale pointer left by in6pcbdetach Related CVE Numbers: CVE-2019-8605Fixed-2019-May-13. Reproduction Repros on 10.14.3 when run as root. It may need multiple tries to trigger. $ clang -o in6selectsrc in6selectsrc.cc $ while 1; do sudo ./in6selectsrc; done res0: 3 res1: ...

Apple macOS &lt; 10.14.5 / iOS &lt; 12.3 XNU - &#039;in6_pcbdetach&#039; Stale Pointer Use-After-Free

Reproduction Repros on 10.14.3 when run as root. It may need multiple tries to trigger. $ clang -o in6selectsrc in6selectsrc.cc $ while 1; do sudo ./in6selectsrc; done res0: 3 res1: 0 res1.5: -1 // failure expected here res2: 0 done ... crash Explanation The following snippet is taken from...