I have previously detailed the lifetime management paradigms in MIG in the writeups for:

CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926]

and

CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]

If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it.

If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.

If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference
on that mach port passed to the external method will be managed by MIG semantics. If the external method returns
an error then MIG will assume that the reference was not consumed by the external method and as such the MIG
generated code will drop a reference on the port.

IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port
(via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered
a port with the same callback function.

The external method's error return value propagates via the return value of is_io_connect_async_method back to the
MIG generated code which will drop a further reference on the wake_port when only one was taken.

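The reference-count accounting described above, as an added illustration that is not part of the original writeup or of Apple's code: a constructed model in which a simulated MIG dispatcher takes one reference on the wake port on the method's behalf and drops it only when the method reports an error, paired with two hypothetical external methods. The first mirrors the faulty pattern (release the async reference, then return an error), the second the ownership rule the writeup states (on error, consume nothing). The port, client and dispatch types are stand-ins invented for the model; only the ownership semantics follow the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of MIG argument ownership; none of this is XNU code. */
#define KERN_SUCCESS 0
#define KERN_FAILURE 5
typedef int kern_return_t;

/* Hypothetical port object: refs is the live count, underflows counts every
 * release attempted when no reference was left (the "extra drop"). */
typedef struct {
    int refs;
    int underflows;
} port_t;

static void port_retain(port_t *p) { p->refs++; }

static void port_release(port_t *p) {
    if (p->refs <= 0) { p->underflows++; return; }  /* would be a UAF for real */
    p->refs--;
}

/* Hypothetical client state for a notify registration. */
typedef struct {
    bool registered;   /* a port is already registered for this callback */
    port_t *saved;     /* the reference the client now owns */
} client_t;

/* Faulty pattern: releases the async reference AND reports an error, so the
 * dispatcher (which believes nothing was consumed) releases it a second time. */
static kern_return_t set_notify_faulty(client_t *c, port_t *wake_port) {
    if (c->registered) {
        port_release(wake_port);   /* stands in for releaseAsyncReference64 */
        return KERN_FAILURE;       /* caller will drop the reference again */
    }
    c->registered = true;
    c->saved = wake_port;          /* success: method now owns the reference */
    return KERN_SUCCESS;
}

/* Pattern that respects the rule in the text: on error, own nothing and touch
 * nothing; on success, own everything. */
static kern_return_t set_notify_fixed(client_t *c, port_t *wake_port) {
    if (c->registered) {
        return KERN_FAILURE;       /* dispatcher drops the unconsumed reference */
    }
    c->registered = true;
    c->saved = wake_port;
    return KERN_SUCCESS;
}

/* Model of the MIG-generated dispatch path: one reference is held for the
 * method; it is dropped only if the method says it did not take ownership. */
static kern_return_t mig_dispatch(kern_return_t (*method)(client_t *, port_t *),
                                  client_t *c, port_t *wake_port) {
    port_retain(wake_port);
    kern_return_t kr = method(c, wake_port);
    if (kr != KERN_SUCCESS) {
        port_release(wake_port);
    }
    return kr;
}

/* Register one port, then send a second port for the same callback (the error
 * path). Returns how many times the second port was released past zero. */
static int extra_drops(kern_return_t (*method)(client_t *, port_t *)) {
    port_t first = {0, 0}, second = {0, 0};
    client_t client = {false, NULL};
    mig_dispatch(method, &client, &first);    /* succeeds; client keeps first */
    mig_dispatch(method, &client, &second);   /* fails: callback already set */
    return second.underflows;
}

int main(void) {
    printf("faulty pattern: %d extra drop(s)\n", extra_drops(set_notify_faulty));
    printf("fixed pattern:  %d extra drop(s)\n", extra_drops(set_notify_fixed));
    return 0;
}
```

The model makes the ownership rule mechanical: whichever side returns the error is the side that must not have released anything, because the generated code will do it. The same check applies to any external method that takes an async reference: audit every error return and confirm no reference was dropped before it.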
This bug is reachable from the iOS app sandbox as demonstrated by this PoC.

Tested on iOS 11.0.3 (11A432) on iPhone 6s (MKQL2CN/A)

Tested on MacOS 10.13 (17A365) on MacBookAir5,2

------------------------------------------------------
|
|
|
|
async_wake exploit attached.

Gets tfp0 on all 64-bit devices plus an initial PoC local kernel debugger.

See the README and kdbg.c for details.

Proof of Concept:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43320.zip