Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=830 When you create a new IOKit user client from userspace you call: kernreturnt IOServiceOpen ioservicet service, taskportt owningTask, uint32t type, ioconnectt connect ; The owningTask mach port gets converted into a task struc...