5 matches found
Apple Mac OSX Kernel - Null Pointer Dereference in AppleMuxControl.kext
Apple Mac OSX Kernel - Null Pointer Dereference in AppleMuxControl.kext / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=783 The method AppleGraphicsControlClient::checkArguments does actually appear to test whether the pointer at this+0xd8 is non-null, but uses it anyway : We...
Apple Mac OSX Kernel - Null Pointer Dereference in AppleGraphicsDeviceControl
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=782 AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService at this+0xd8 is non-null before using it in all external methods. We can set this pointer to NULL by racing two threads, one of which calls...
Apple Mac OSX Kernel - Null Pointer Dereference in AppleMuxControl.kext
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=783 The method AppleGraphicsControlClient::checkArguments does actually appear to test whether the pointer at this+0xd8 is non-null, but uses it anyway : We can race external methods which call this with another thread calling...
Apple Mac OSX Kernel - NULL Dereference in IOAccelSharedUserClient2::page_off_resource
Apple Mac OSX Kernel - NULL Dereference in IOAccelSharedUserClient2::pageoffresource / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=778 IOAccelerator external method IOAccelSharedUserClient2::pageoffresource uses the pointer at this+0x100 without checking if it's NULL. A seri...
Apple Mac OSX Kernel - NULL Dereference in IOAccelSharedUserClient2::page_off_resource
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=778 IOAccelerator external method IOAccelSharedUserClient2::pageoffresource uses the pointer at this+0x100 without checking if it's NULL. A series of dereferences from this pointer lead to trivial RIP control. We can race two...