Apple Intel GPU Driver Use-After-Free / Double-Delete

2018.10.20

Credit: Google Security Research

Risk: High

Local: Yes

Remote: No

CVE: CVE-2018-4334 | CVE-2016-1744

CWE: N/A

UaF/Double-delete due to bad locking in Apple Intel GPU driver
CVE-2018-4334
This PoC file might look familiar; this bug is a trivial variant of CVE-2016-1744 (Apple bug id 635599405.)
That report showed the bug in the unmap_user_memory external methods; a variant also exists
in the map_user_memory external methods.
The intel graphics drivers have their own hash table type IGHashTable which isn't thread-safe.
map_user_memory manipulates an IGHashTable without locking leading to memory issues (eg UaFs and/or double-frees)
tested on MacOS 10.13.5 (17F77) on MacBookPro10,1
Found by: ianbeer

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Apple Intel GPU Driver Use-After-Free / Double-Delete

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.