EDB-ID: 44847 | Author: Google Security Research | Published: 2018-06-06 | CVE: CVE-2018-4230 | Type: Dos | Platform: macOS | Aliases: N/A | Advisory/Source: Link | Tags: Use After Free (UAF) | Vulnerable App: N/A | nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService.
It calls task_deallocate without locking. Two threads can race calling this external method to drop
two task references when only one is held.
Note that the repro forks a child which give the nvAccelerator a different task otherwise
the repro is more likely to leak task references than panic.
*/
// ianbeer
#if 0
MacOS kernel UAF due to lack of locking in nvidia GeForce driver
nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService.
It calls task_deallocate without locking. Two threads can race calling this external method to drop
two task references when only one is held.
Note that the repro forks a child which give the nvAccelerator a different task otherwise
the repro is more likely to leak task references than panic.