Apple iOS/macOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization

EDB-ID: 42054
Author: Google Security Research
Published: 2017-05-23
CVE: CVE-2017-2501
Type: Dos
Platform: Multiple
Aliases: N/A
Advisory/Source: Link
Tags: Use After Free
Vulnerable App: N/A

 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123 

unp_externalize is responsible for externalizing the file descriptors carried within a unix domain socket message.
That means allocating new fd table entries in the receiver and recreating a file which looks looks (to userspace) like the file
the sender sent.

Here's the relevant code:

for (i = 0; i < newfds; i++) { <----------- (a)
#if CONFIG_MACF_SOCKET
/*
* If receive access is denied, don't pass along
* and error message, just discard the descriptor.
*/
if (mac_file_check_receive(kauth_cred_get(), rp[i])) {
proc_fdunlock(p);
unp_discard(rp[i], p);
fds[i] = 0;
proc_fdlock(p);
continue;
}
Related Posts

Comments