Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=926

mach ports are really struct ipc_port_t's in the kernel; this is a reference-counted object, ip_reference and ip_release atomically increment and decrement the 32 bit io_references field. Unlike OSObjects, ip_reference will allow the...