macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix

EDB-ID: 41791
Author: Google Security Research
Published: 2017-04-04
CVE: CVE-2017-2472
Type: Dos
Platform: macOS
Aliases: N/A
Advisory/Source: Link
Tags: Denial of Service (DoS)
Vulnerable App: N/A

 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104 
  
 exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn. 
  
 It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS) 
  
 For the special, exception and audit ports it tries to update the new task to reflect the port action 
 by calling either task_set_special_port, task_set_exception_ports or audit_session_spawnjoin and if 
 any of those calls fail it calls ipc_port_release_send(port). 
  
 task_set_special_port and task_set_exception_ports don't drop a reference on the port if they fail 
 but audit_session_spawnjoin (which calls to audit_session_join_internal) *does* drop a reference on 
 the port on failure. It's easy to make audit_session_spawnjoin fail by specifying a port which isn't 
 an audit session port. 
  
 This means we can cause two references to be dropped on the port when only one is held leading to a 
 use after free in the kernel. 
  
 Tested on MacOS 10.12.3 (16D32) on MacBookAir5,2 
 */ 
  
 // ianbeer 
 #if 0 
 MacOS/iOS kernel uaf due to double-release in posix_spawn 
  
 exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn. 
  
 It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS) 
  
 For the special, exception and audit ports it tries to update the new task to reflect the port action 
 by calling either task_set_special_port, task_set_exception_ports or audit_session_spawnjoin and if 
 any of those calls fail it calls ipc_port_release_send(port). 
  
 task_set_special_port and task_set_exception_ports don't drop a reference on the port if they fail 
 but audit_session_spawnjoin (which calls to audit_session_join_internal) *does* drop a reference on 
 the port on failure. It's easy to make audit_session_spawnjoin fail by specifying a port which isn't 
 an audit session port. 
  
 This means we can cause two references to be dropped on the port when only one is held leading to a 
 use after free in the kernel. 
  
 Tested on MacOS 10.12.3 (16D32) on MacBookAir5,2












Get link





Facebook





X





Pinterest





Email





Other Apps

Exploit Collector

Search Exploit

macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn