Apple XNU Kernel - Memory Corruption due to Integer Overflow in __offsetof Usage in posix_spawn on 32-bit Platforms
posix_spawn is a complex syscall which takes a lot of arguments from userspace. The third argument is a pointer to a further arguments descriptor in userspace with the following structu...
MacOS Kernel < 10.12.2 / iOS < 10.2 - ipc_port_t Reference Count Leak Due to Incorrect externa
Exploit for multiple platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=930 IOUserClient subclasses which override IOUserClient::externalMethod need to ensure that if they return kIOReturnSuccess they actually take ownership of the mach_port_t...
Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=926 mach ports are really struct ipc_port_t's in the kernel; this is a reference-counted object, ip_reference and ip_release atomically increment and decrement the 32 bit io_references field. Unlike OSObjects, ip_reference will allow the...