MacOS kernel uaf due to double-release in posix_spawn(CVE-2017-2472)

2017-04-04T00:00:00
ID SSV:92891
Type seebug
Reporter Root
Modified 2017-04-04T00:00:00

Description

exec_handle_port_actions is responsible for handling the map port actions extension to posix_spawn.

It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS)

For the special, exception and audit the ports it tries to update the new task to reflect the port action by calling either task_set_special_port, task_set_exception_ports or audit_session_spawnjoin and if any of those calls fail it calls ipc_port_release_send(port).

task_set_special_port and task_set_exception_ports don't drop a reference on the port if they fail but audit_session_spawnjoin (which calls to audit_session_join_internal) _does _ drop a reference on the port on failure. It's easy to make audit_session_spawnjoin fail by specifying a port which isn \ 't an audit session port.

This means we can cause two references to be dropped on the port when only one is held leading to a use after free in the kernel.

Tested on MacOS 10.12.3 (16D32) on MacBookAir5,2

Attachment: spawn. c