Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

macOS / iOS - Kernel Double Free due to Incorrect API Usage in Flow Divert Socket Option Handling

🗓️ 12 Dec 2017 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 46 Views

macOS/iOS Kernel Double Free due to Incorrect API Usage in Flow Divert Socket Option Handlin

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus		macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)
10 Apr 201900:00
nessus
Tenable Nessus		Apple iOS < 11.2 Multiple Vulnerabilities (APPLE-SA-2017-12-13-6)
17 Apr 201900:00
nessus
Tenable Nessus		Apple TV < 11.2 Multiple Vulnerabilities
5 Jan 201800:00
nessus
Tenable Nessus		Apple iOS < 11.2 Multiple Vulnerabilities
7 Dec 201700:00
nessus
Tenable Nessus		macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-002 and 2017-005)
7 Dec 201700:00
nessus
Tenable Nessus		macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)
7 Dec 201700:00
nessus
Apple		About the security content of watchOS 4.2
5 Dec 201700:00
apple
Apple		About the security content of iOS 11.2
2 Dec 201700:00
apple
Apple		About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
6 Dec 201700:00
apple
Apple		About the security content of tvOS 11.2
4 Dec 201700:00
apple
Rows per page
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1373 
  
 SO_FLOW_DIVERT_TOKEN is a socket option on the SOL_SOCKET layer. It's implemented by 
  
   flow_divert_token_set(struct socket *so, struct sockopt *sopt) 
  
 in flow_divert.c. 
  
 The relevant code is: 
  
   error = soopt_getm(sopt, &token); 
   if (error) { 
     goto done; 
   } 
    
   error = soopt_mcopyin(sopt, token); 
   if (error) { 
     goto done; 
   } 
  
 ... 
  
 done: 
   if (token != NULL) { 
     mbuf_freem(token); 
   } 
  
 soopt_getm allocates an mbuf. 
  
 soopt_mcopyin, which should copyin the data for the mbuf from userspace, has the following code: 
  
       error = copyin(sopt->sopt_val, mtod(m, char *), 
           m->m_len); 
       if (error != 0) { 
         m_freem(m0); 
         return (error); 
       } 
  
 This means that if the copyin fails, by for example providing an invalid userspace pointer, soopt_mcopyin 
 will free the mbuf. flow_divert_token_set isn't aware of these semantics and if it sees that soopt_mcopyin 
 returns an error it also calls mbuf_freem on that same mbuf which soopy_mcopyin already freed. 
  
 mbufs are aggressivly cached but with sufficiently full caches m_freem will eventually fall through to freeing 
 back to a zalloc zone, and that zone could potentially be garbage collected leading to the ability to actually 
 exploit such an issue. 
  
 This PoC will just hit a panic inside m_free when it detects a double-free but do note that this cannot detect 
 all double frees and this issue is still exploitable with sufficient grooming/cache manipulation. 
  
 Tested on MacOS 10.13 (17A365) on MacBookAir5,2 
 */ 
  
 // ianbeer 
  
 #if 0 
 MacOS/iOS kernel double free due to incorrect API usage in flow divert socket option handling 
  
 SO_FLOW_DIVERT_TOKEN is a socket option on the SOL_SOCKET layer. It's implemented by 
  
   flow_divert_token_set(struct socket *so, struct sockopt *sopt) 
  
 in flow_divert.c. 
  
 The relevant code is: 
  
   error = soopt_getm(sopt, &token); 
   if (error) { 
     goto done; 
   } 
    
   error = soopt_mcopyin(sopt, token); 
   if (error) { 
     goto done; 
   } 
  
 ... 
  
 done: 
   if (token != NULL) { 
     mbuf_freem(token); 
   } 
  
 soopt_getm allocates an mbuf. 
  
 soopt_mcopyin, which should copyin the data for the mbuf from userspace, has the following code: 
  
 			error = copyin(sopt->sopt_val, mtod(m, char *), 
 			    m->m_len); 
 			if (error != 0) { 
 				m_freem(m0); 
 				return (error); 
 			} 
  
 This means that if the copyin fails, by for example providing an invalid userspace pointer, soopt_mcopyin 
 will free the mbuf. flow_divert_token_set isn't aware of these semantics and if it sees that soopt_mcopyin 
 returns an error it also calls mbuf_freem on that same mbuf which soopy_mcopyin already freed. 
  
 mbufs are aggressivly cached but with sufficiently full caches m_freem will eventually fall through to freeing 
 back to a zalloc zone, and that zone could potentially be garbage collected leading to the ability to actually 
 exploit such an issue. 
  
 This PoC will just hit a panic inside m_free when it detects a double-free but do note that this cannot detect 
 all double frees and this issue is still exploitable with sufficient grooming/cache manipulation. 
  
 Tested on MacOS 10.13 (17A365) on MacBookAir5,2

#  0day.today [2018-01-06]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Dec 2017 00:00Current
8High risk
Vulners AI Score8
EPSS0.05109
kernel double freeincorrect apiflow divert socketsocket optionsol_socketflow_divert_token_setsoopt_mcopyinmbuf_freemcopyinm_freemzalloc zoneexploit0day today
46