UaF/Double-delete due to bad locking in Apple Intel GPU driver
CVE-2018-4334
This PoC file might look familiar; this bug is a trivial variant of CVE-2016-1744 (Apple bug id 635599405.)
That report showed the bug in the unmap_user_memory external methods; a variant also exists
in the map_user_memory external methods.
The intel graphics drivers have their own hash table type IGHashTable which isn't thread-safe.
map_user_memory manipulates an IGHashTable without locking leading to memory issues (eg UaFs and/or double-frees)
tested on MacOS 10.13.5 (17F77) on MacBookPro10,1
Found by: ianbeer