Apple iOS/macOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization

EDB-ID: 42054
Author: Google Security Research
Published: 2017-05-23
CVE: CVE-2017-2501
Type: Dos
Platform: Multiple
Aliases: N/A
Advisory/Source: Link
Tags: Use After Free
Vulnerable App: N/A


unp_externalize is responsible for externalizing the file descriptors carried within a unix domain socket message.
That means allocating new fd table entries in the receiver and recreating a file which looks looks (to userspace) like the file
the sender sent.

Here's the relevant code:

for (i = 0; i < newfds; i++) { <----------- (a)
* If receive access is denied, don't pass along
* and error message, just discard the descriptor.
if (mac_file_check_receive(kauth_cred_get(), rp[i])) {
unp_discard(rp[i], p);
fds[i] = 0;
Related Posts