This blog post is about a new class of IOKit vulnerability that I discovered and submitted to Apple in 2016. A brief scan with an IDA script on macOS turned up at least four bugs, three of which were assigned CVEs (CVE-2016-7620, CVE-2016-7624 and CVE-2016-7625; see https://support.apple.com/kb/HT207423). I was told afterwards that there were even more issues of this type in the IOKit drivers of iOS and OS X, and fortunately Apple fixed those as well.
Lecture time: IOKit revisited
Recall the userspace entry point for an IOKit method call, IOConnectCallMethod (excerpted, with unrelated parts elided):
```c
kern_return_t
IOConnectCallMethod(
        mach_port_t      connection,         // In
        uint32_t         selector,           // In
        const uint64_t  *input,              // In
        uint32_t         inputCnt,           // In
        const void      *inputStruct,        // In
        size_t           inputStructCnt,     // In
        uint64_t        *output,             // Out
        uint32_t        *outputCnt,          // In/Out
        void            *outputStruct,       // Out
        size_t          *outputStructCntP)   // In/Out
{
    //...
    if (inputStructCnt <= sizeof(io_struct_inband_t)) {
        inb_input = (void *) inputStruct;
        inb_input_size = (mach_msg_type_number_t) inputStructCnt;
    }
    else {
        ool_input = reinterpret_cast_mach_vm_address_t(inputStruct);
        ool_input_size = inputStructCnt;
    }
    //...
        else if (size <= sizeof(io_struct_inband_t)) {
            inb_output = outputStruct;
            inb_output_size = (mach_msg_type_number_t) size;
        }
        else {
            ool_output = reinterpret_cast_mach_vm_address_t(outputStruct);
            ool_output_size = (mach_vm_size_t) size;
        }
    }   // closes the enclosing block whose start is elided above

    rtn = io_connect_method(connection, selector,
                            (uint64_t *) input, inputCnt,
                            inb_input, inb_input_size,
                            ool_input, ool_input_size,
                            inb_output, &inb_output_size,
                            output, outputCnt,
                            ool_output, &ool_output_size);
    //...
    return rtn;
}
```
If the inputStruct is larger than sizeof(io_struct_inband_t), the passed-in argument will be cast to a mach
[...]
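The split shown in the wrapper above is easy to get wrong on the receiving side, so here is an added example (not code from the Keen Security Lab post or from Apple) that models the routing decision in plain C and pairs it with a constructed stand-in for a method handler. It assumes the in-band limit is sizeof(io_struct_inband_t) = 4096 bytes, as declared in Mach's device_types.h; the typedef, the Mach scalar types, the KERN_* constants and the handler are all redeclared or invented here so the program builds without IOKit headers. It also assumes, for the output side, that a NULL outputStructCntP means "no struct output" (that enclosing block is elided in the excerpt). The handler check goes beyond the excerpt: it shows why a size test alone does not tell a driver where the bytes are.

```c
/* Added example, not from the original post: a userspace-side model of how
 * IOConnectCallMethod splits a struct argument into the in-band or
 * out-of-line (OOL) form before io_connect_method() is invoked. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef char     io_struct_inband_t[4096];   /* as in <device/device_types.h> (assumed here) */
typedef uint64_t mach_vm_address_t;
typedef uint64_t mach_vm_size_t;
typedef uint32_t mach_msg_type_number_t;
typedef int      kern_return_t;
#define KERN_SUCCESS          0
#define KERN_INVALID_ARGUMENT 4

enum struct_path { PATH_INBAND, PATH_OOL };

/* What io_connect_method() actually carries for one struct argument. */
struct routed_struct {
    enum struct_path       path;
    const void            *inb_ptr;    /* bytes copied into the Mach message body */
    mach_msg_type_number_t inb_size;
    mach_vm_address_t      ool_addr;   /* caller's virtual address, sent as an integer */
    mach_vm_size_t         ool_size;
};

/* Mirrors the inputStruct branch of IOConnectCallMethod. */
struct routed_struct route_struct_input(const void *inputStruct, size_t inputStructCnt)
{
    struct routed_struct r;
    memset(&r, 0, sizeof r);
    if (inputStructCnt <= sizeof(io_struct_inband_t)) {
        r.path     = PATH_INBAND;
        r.inb_ptr  = inputStruct;
        r.inb_size = (mach_msg_type_number_t) inputStructCnt;
    } else {
        /* reinterpret_cast_mach_vm_address_t(): the pointer value itself travels. */
        r.path     = PATH_OOL;
        r.ool_addr = (mach_vm_address_t)(uintptr_t) inputStruct;
        r.ool_size = (mach_vm_size_t) inputStructCnt;
    }
    return r;
}

/* Mirrors the outputStruct branch; the size comes from *outputStructCntP.
 * Assumption: NULL outputStructCntP means no struct output (empty in-band entry). */
struct routed_struct route_struct_output(void *outputStruct, const size_t *outputStructCntP)
{
    size_t size = outputStructCntP ? *outputStructCntP : 0;
    return route_struct_input(outputStruct, size);
}

/* Constructed stand-in for a method handler that only knows how to read
 * in-band bytes. An OOL argument of the same nominal size arrives with no
 * in-band bytes at all, so the form must be tested before inb_ptr is touched. */
kern_return_t inline_only_handler(const struct routed_struct *arg, size_t need, uint32_t *first_word)
{
    if (arg->path != PATH_INBAND)                      /* OOL form: nothing in-band */
        return KERN_INVALID_ARGUMENT;
    if (need < sizeof *first_word || arg->inb_size < need)
        return KERN_INVALID_ARGUMENT;
    memcpy(first_word, arg->inb_ptr, sizeof *first_word);
    return KERN_SUCCESS;
}

/* Constructed sample buffer, twice the in-band limit so both paths can be exercised. */
static char sample_struct[2 * sizeof(io_struct_inband_t)];

/* Route a struct of the given size and run it through the stand-in handler. */
kern_return_t handler_result_for(size_t inputStructCnt, size_t need)
{
    struct routed_struct r = route_struct_input(sample_struct, inputStructCnt);
    uint32_t w = 0;
    return inline_only_handler(&r, need, &w);
}

int main(void)
{
    const size_t sizes[] = { 16, sizeof(io_struct_inband_t), sizeof(io_struct_inband_t) + 1 };
    memset(sample_struct, 0x41, sizeof sample_struct);
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        struct routed_struct r = route_struct_input(sample_struct, sizes[i]);
        printf("inputStructCnt=%zu -> %s, handler=%d\n", sizes[i],
               r.path == PATH_INBAND ? "in-band" : "OOL",
               handler_result_for(sizes[i], 16));
    }
    return 0;
}
```

The boundary is exact: 4096 bytes still travel in-band, 4097 bytes become an address plus a length, and only the in-band form carries data in the message itself.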
This article has been indexed from Keen Security Lab Blog.