Racing for everyone: descriptor describes TOCTOU in Apple’s core

This blog post is about a new class of vulnerability in IOKit that I discovered and submitted to Apple in 2016. A brief scan with an IDA script on macOS turned up at least four bugs, three of which were assigned CVEs (CVE-2016-7620/4/5); see https://support.apple.com/kb/HT207423. I was told afterwards that there were even more issues of this type in the IOKit drivers of iOS and OS X, and fortunately Apple fixed those as well.

Lecture time: IOKit revisited

Recall the old userspace IOKit call entry method, IOConnectCallMethod:

kern_return_t
IOConnectCallMethod(
    mach_port_t     connection,         // In
    uint32_t        selector,           // In
    const uint64_t *input,              // In
    uint32_t        inputCnt,           // In
    const void     *inputStruct,        // In
    size_t          inputStructCnt,     // In
    uint64_t       *output,             // Out
    uint32_t       *outputCnt,          // In/Out
    void           *outputStruct,       // Out
    size_t         *outputStructCntP)   // In/Out
{
//...
    if (inputStructCnt <= sizeof(io_struct_inband_t)) {
        inb_input      = (void *) inputStruct;
        inb_input_size = (mach_msg_type_number_t) inputStructCnt;
    }
    else {
        ool_input      = reinterpret_cast_mach_vm_address_t(inputStruct);
        ool_input_size = inputStructCnt;
    }
//...
        else if (size <= sizeof(io_struct_inband_t)) {
            inb_output      = outputStruct;
            inb_output_size = (mach_msg_type_number_t) size;
        }
        else {
            ool_output      = reinterpret_cast_mach_vm_address_t(outputStruct);
            ool_output_size = (mach_vm_size_t) size;
        }
    }

    rtn = io_connect_method(connection,         selector,
                            (uint64_t *) input, inputCnt,
                            inb_input,          inb_input_size,
                            ool_input,          ool_input_size,
                            inb_output,         &inb_output_size,
                            output,             outputCnt,
                            ool_output,         &ool_output_size);
//...
    return rtn;
}

If inputStruct is larger than sizeof(io_struct_inband_t), the passed-in argument will be cast to a mach

[...]
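The inband/out-of-line split above is what turns a large input struct into a time-of-check/time-of-use candidate: once it exceeds the inband limit it is no longer copied into the Mach message, so a driver that reads a field from it twice can see two different values. The following C is an added illustration, not code from this post or from Apple: it mirrors the size classification and contrasts a double-fetch handler with a single-fetch one. big_request and the handler names are made up; INBAND_MAX assumes the 4096-byte io_struct_inband_t declared in device/device_types.h.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: io_struct_inband_t is a 4096-byte char array. Anything larger
 * travels out-of-line, so the driver works on memory the caller still owns
 * and can keep modifying while the request is being processed. */
#define INBAND_MAX 4096

/* Same classification IOConnectCallMethod applies to inputStructCnt. */
bool goes_out_of_line(size_t inputStructCnt) {
    return inputStructCnt > INBAND_MAX;
}

/* Constructed request type, padded so it always crosses the inband limit. */
struct big_request {
    uint32_t count;                     /* bytes of payload the caller filled */
    uint8_t  payload[INBAND_MAX + 64];
};
#define PAYLOAD_MAX (INBAND_MAX + 64)

/* Double-fetch pattern: the bound is checked on the shared mapping and then
 * read again for the copy. A concurrent writer can change count in between,
 * so the check no longer covers the value that is actually used. */
size_t handle_double_fetch(const struct big_request *shared, uint8_t *out) {
    if (shared->count > PAYLOAD_MAX) return 0;       /* first read: check */
    memcpy(out, shared->payload, shared->count);      /* second read: use */
    return shared->count;                             /* third read */
}

/* Single-fetch pattern: read the length once into driver-owned storage,
 * validate that copy, and never consult the shared mapping for it again. */
size_t handle_single_fetch(const struct big_request *shared, uint8_t *out) {
    uint32_t count = shared->count;                   /* the only read */
    if (count > PAYLOAD_MAX) return 0;
    memcpy(out, shared->payload, count);
    return count;
}

/* Builds a constructed request with the given count and runs the hardened
 * handler; returns the number of bytes it accepted (0 when rejected). */
size_t demo_single_fetch(uint32_t count) {
    static struct big_request req;
    static uint8_t out[PAYLOAD_MAX];
    memset(&req, 0, sizeof req);
    req.count = count;
    for (size_t i = 0; i < PAYLOAD_MAX; i++) req.payload[i] = (uint8_t)i;
    return handle_single_fetch(&req, out);
}
```

The two handlers behave identically on a quiescent buffer; the difference only shows when another thread writes to the out-of-line pages between the check and the use, which is why the single-read form is the one to look for in review.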

This article has been indexed from Keen Security Lab Blog