macOS IOFireWireAVC Kernel Extension Out of Bounds Vulnerability (CVE-2017-2436)

2017-03-29T00:00:00
ID SSV:92846
Type seebug
Reporter 名匿
Modified 2017-03-29T00:00:00

Description

Technical Details

The vulnerable code can be found in IOFireWireAVC-424/IOFireWireAVC/IOFireWireAVCUserClient.cpp:

    [...]
    case kIOFWAVCUserClientCreateAsyncAVCCommand:
        // structureInput / structureInputSize come straight from the user-space caller
        result = CreateAVCAsyncCommand((UInt8*)arguments->structureInput,
                                       (UInt8*)arguments->structureOutput,
                                       arguments->structureInputSize,
                                       (UInt32*)&arguments->structureOutputSize);
        break;
    [...]

structureInputSize is supplied by the user-space caller together with the rest of the arguments, and it is passed down as len to derive the command length. CreateAVCAsyncCommand, however, never validates it: len is a UInt32, and len - sizeof(mach_vm_address_t) is computed without first checking that len is at least 8. For a structureInputSize below 8 the subtraction wraps around, so cmdLen becomes a value just below 2^32 and &cmd[cmdLen] points far outside the input buffer.

    IOReturn IOFireWireAVCUserClient::CreateAVCAsyncCommand(UInt8 * cmd, UInt8 * asyncAVCCommandHandle, UInt32 len, UInt32 *refSize)
    {
        IOReturn res = kIOReturnNoMemory;
        UInt32 *pReturnedCommandHandle = (UInt32*) asyncAVCCommandHandle;
        UInt32 cmdLen = len - sizeof(mach_vm_address_t);   // decrease len by 8; no check that len >= 8, so this wraps for short inputs
        mach_vm_address_t *ppSharedBufAddress = (mach_vm_address_t*) &cmd[cmdLen];   // (a) pointer into (or past) the user-supplied input
        [...]
        // Create the memory descriptor for the user/kernel shared response buffer
        pUCAsyncCommand->fMem = IOMemoryDescriptor::withAddressRange( *ppSharedBufAddress, 1024, kIODirectionInOut, fTask ) ;   // (b) address read through (a), never validated
        [...]
    }

The function dereferences the pointer built at (a) to obtain an address and then, at (b), creates a 1024-byte memory descriptor at that address in the calling task, without ever checking that the 8 bytes it read lay inside the input buffer. With a short structureInputSize the kernel reads that address from out-of-bounds memory; in either case the address backing the user/kernel shared response buffer is attacker-controlled. This can lead to a variety of potentially dangerous situations, such as memory reads and writes through the shared buffer.
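To make the length bug concrete, the following user-space C program reproduces the driver's cmdLen arithmetic, shows where it leaves the buffer, and puts a hardened version of the same step beside it. This is an added example written for this page, not code from IOFireWireAVC or from the reporter; the type definitions, the 512-byte upper bound on a command, the parse_avc_command helper and the sample inputs are assumptions made for illustration, and the page does not say how Apple actually fixed the check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type names as used in IOFireWireAVCUserClient.cpp, assumed for this example. */
typedef uint8_t  UInt8;
typedef uint32_t UInt32;
typedef uint64_t mach_vm_address_t;   /* 64-bit user-space address */

/* Illustrative upper bound on an AV/C command; an assumption, not from the page. */
#define kMaxAVCCommandLen 512u

/* Same arithmetic as the vulnerable driver: no check that len >= 8.
 * The 64-bit subtraction result is truncated into a UInt32, so any
 * len below 8 yields a value just under 2^32. */
static UInt32 vulnerable_cmd_len(UInt32 len)
{
    UInt32 cmdLen = (UInt32)(len - sizeof(mach_vm_address_t));
    return cmdLen;
}

/* Would reading 8 bytes at &cmd[cmdLen] stay inside a len-byte buffer? */
static bool trailing_address_in_bounds(UInt32 len, UInt32 cmdLen)
{
    return (uint64_t)cmdLen + sizeof(mach_vm_address_t) <= (uint64_t)len;
}

typedef enum { PARSE_OK = 0, PARSE_BAD_ARGUMENT = 1 } parse_result_t;

/* Hardened equivalent of the length handling (hypothetical helper): reject
 * inputs too short to carry the trailing address, and unreasonably long
 * ones, before computing cmdLen; then copy the address out rather than
 * dereferencing a possibly unaligned pointer into the buffer. */
static parse_result_t parse_avc_command(const UInt8 *cmd, UInt32 len,
                                        UInt32 *cmdLenOut,
                                        mach_vm_address_t *sharedBufOut)
{
    if (cmd == NULL || len < sizeof(mach_vm_address_t) ||
        len - sizeof(mach_vm_address_t) > kMaxAVCCommandLen)
        return PARSE_BAD_ARGUMENT;

    UInt32 cmdLen = (UInt32)(len - sizeof(mach_vm_address_t));
    mach_vm_address_t addr;
    memcpy(&addr, cmd + cmdLen, sizeof addr);
    *cmdLenOut = cmdLen;
    *sharedBufOut = addr;
    return PARSE_OK;
}

/* Constructed sample: 4 made-up command bytes followed by the 8-byte
 * shared-buffer address 0x7fff1000, stored in host byte order as the
 * kernel would read it. Returns the address the hardened parser extracts. */
static mach_vm_address_t sample_well_formed(UInt32 *cmdLenOut)
{
    UInt8 buf[12] = { 0x00, 0x20, 0xC3, 0x00 };
    mach_vm_address_t want = 0x7fff1000ULL;
    memcpy(buf + 4, &want, sizeof want);
    mach_vm_address_t got = 0;
    UInt32 cmdLen = 0;
    if (parse_avc_command(buf, sizeof buf, &cmdLen, &got) != PARSE_OK)
        return 0;
    if (cmdLenOut)
        *cmdLenOut = cmdLen;
    return got;
}

/* Constructed sample: a 4-byte input, shorter than the trailing address. */
static parse_result_t sample_too_short(void)
{
    UInt8 buf[4] = { 0x00, 0x20, 0xC3, 0x00 };
    UInt32 cmdLen = 0;
    mach_vm_address_t addr = 0;
    return parse_avc_command(buf, sizeof buf, &cmdLen, &addr);
}

int main(void)
{
    UInt32 len = 4;
    UInt32 cmdLen = vulnerable_cmd_len(len);
    printf("vulnerable: len=%u -> cmdLen=0x%08x, read in bounds: %s\n",
           len, cmdLen, trailing_address_in_bounds(len, cmdLen) ? "yes" : "no");

    UInt32 okLen = 0;
    mach_vm_address_t addr = sample_well_formed(&okLen);
    printf("hardened: 12-byte input -> cmdLen=%u, shared buffer at 0x%llx\n",
           okLen, (unsigned long long)addr);
    printf("hardened: 4-byte input -> %s\n",
           sample_too_short() == PARSE_BAD_ARGUMENT ? "rejected" : "accepted");
    return 0;
}
```

With len=4 the vulnerable computation yields cmdLen=0xFFFFFFFC, so the 8-byte read lands roughly 4 GB past the start of the input buffer; the hardened helper refuses that input outright (a real driver would return kIOReturnBadArgument) and only reads the trailing address once it is known to lie inside the buffer.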