The vulnerable code can be found in
```cpp
result = CreateAVCAsyncCommand((UInt8*)arguments->structureInput, // call continues; remaining arguments not shown in the excerpt
```
structureInputSize is a user-controlled value passed in the arguments from userspace, and it is used to determine the command length. However, the called function CreateAVCAsyncCommand fails to properly validate that length.
```cpp
IOReturn IOFireWireAVCUserClient::CreateAVCAsyncCommand(UInt8 * cmd, UInt8 * asyncAVCCommandHandle, UInt32 len, UInt32 *refSize)
{
    IOReturn res = kIOReturnNoMemory;
    UInt32 *pReturnedCommandHandle = (UInt32*) asyncAVCCommandHandle;
    UInt32 cmdLen = len - sizeof(mach_vm_address_t); // decrease len by 8; unsigned, so it wraps when len < 8
    mach_vm_address_t *ppSharedBufAddress = (mach_vm_address_t*) &cmd[cmdLen]; // (a) pointer read at a user-controlled offset
    // ... (allocation of pUCAsyncCommand not shown in the excerpt)
    // Create the memory descriptor for the user/kernel shared response buffer
    pUCAsyncCommand->fMem = IOMemoryDescriptor::withAddressRange( *ppSharedBufAddress, 1024, kIODirectionInOut, fTask ) ; // (b) address taken straight from (a), unvalidated
    // ... (remainder of the function not shown in the excerpt)
}
```
The function creates a user/kernel shared buffer (b) from an address pointer controlled by the attacker (a). This can lead to a variety of potentially dangerous situations, such as memory reads and writes.
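The following is an added user-space example, not Apple's driver code, that isolates the length handling described above: the unchecked `len - sizeof(mach_vm_address_t)` arithmetic beside a hardened parse step that rejects underflow and oversized lengths before reading the trailing shared-buffer address. The `mach_vm_address_t`/`IOReturn` stand-ins, the error-code values, the `kMaxAVCCommandLen` bound and the sample 16-byte command are all constructed assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in types and codes so the example builds in user space.
   They are assumptions, not Apple's definitions. */
typedef uint64_t mach_vm_address_t;
typedef int32_t IOReturn;
#define kIOReturnSuccess      0
#define kIOReturnBadArgument  (-1)   /* placeholder value */
#define kMaxAVCCommandLen     512    /* assumed upper bound; the page states none */

/* Mirrors the vulnerable arithmetic: cmdLen = len - 8 with no lower-bound
   check. With a 32-bit unsigned len, any len < 8 wraps to a huge offset,
   so &cmd[cmdLen] points far outside the command buffer. */
uint32_t unchecked_cmd_len(uint32_t len) {
    return len - (uint32_t)sizeof(mach_vm_address_t);
}

/* Hardened version of the same parse step. cmd_buf_size is the number of
   bytes actually copied in from user space; len is the caller-supplied
   length. Rejects underflow, an oversized len, and a len larger than the
   buffer before reading the trailing shared-buffer address. */
IOReturn parse_async_command(const uint8_t *cmd, size_t cmd_buf_size, uint32_t len,
                             uint32_t *out_cmd_len, mach_vm_address_t *out_shared) {
    if (cmd == NULL || out_cmd_len == NULL || out_shared == NULL)
        return kIOReturnBadArgument;
    if (len < sizeof(mach_vm_address_t) || len > kMaxAVCCommandLen)
        return kIOReturnBadArgument;           /* blocks the wrap-around and huge lengths */
    if ((size_t)len > cmd_buf_size)
        return kIOReturnBadArgument;           /* len must fit in what was really received */
    uint32_t cmd_len = len - (uint32_t)sizeof(mach_vm_address_t);
    mach_vm_address_t shared;
    memcpy(&shared, cmd + cmd_len, sizeof shared);   /* alignment-safe read of the trailing pointer */
    *out_cmd_len = cmd_len;
    *out_shared = shared;
    return kIOReturnSuccess;
}

/* Constructed sample: 8 bytes of command body followed by a trailing
   8-byte shared-buffer address, the layout the parser expects. Returns 1
   when the hardened parser accepts it and recovers both fields. */
int sample_roundtrip_ok(void) {
    uint8_t buf[16] = {0x00, 0x20, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; /* body bytes are arbitrary */
    mach_vm_address_t want = 0x1122334455667788ULL;
    memcpy(buf + 8, &want, sizeof want);
    uint32_t cmd_len = 0;
    mach_vm_address_t got = 0;
    if (parse_async_command(buf, sizeof buf, 16, &cmd_len, &got) != kIOReturnSuccess)
        return 0;
    return cmd_len == 8 && got == want;
}

/* Status the hardened parser returns for a given len against a 16-byte buffer. */
IOReturn sample_status_for_len(uint32_t len) {
    uint8_t buf[16] = {0};
    uint32_t cmd_len = 0;
    mach_vm_address_t got = 0;
    return parse_async_command(buf, sizeof buf, len, &cmd_len, &got);
}

int main(void) {
    uint32_t bad_lens[] = {0, 4, 7};
    for (size_t i = 0; i < sizeof bad_lens / sizeof bad_lens[0]; i++)
        printf("unchecked: len=%u -> cmdLen=0x%08x, hardened status=%d\n",
               (unsigned)bad_lens[i], (unsigned)unchecked_cmd_len(bad_lens[i]),
               (int)sample_status_for_len(bad_lens[i]));
    printf("hardened round trip on well-formed input: %s\n", sample_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The two checks that matter are the lower bound (`len < 8` is what makes the subtraction wrap) and the bound against the bytes actually received; the fixed `kMaxAVCCommandLen` cap is an extra belt-and-braces limit that any real driver would set from its own command format.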