8 NULL Pointer Dereferences Fixed in OSX 10.11.6

Description

Several DspFuncs in DspFuncLib do not check the return value of DspFunc::getInputBuffer and DspFunc::getOutputBuffer; they pass it straight to DspBuffer::getBufferAddress. If the return value is 0, getBufferAddress dereferences a NULL pointer.

Affected OS and Module

OSX < 10.11.6

Module: DspFuncLib

Tested Environment:

  • OSX 10.11.3 in VMware Fusion
  • MacBook Pro (Retina, 2015)

Analysis

Several DspFuncs do not check the return value of DspFunc::getInputBuffer and DspFunc::getOutputBuffer. Take DspFunc2WayCrossover as an example:

[Figure: NULL_DSP_ACCESS]

As the figure shows, if DspFunc::getInputBuffer returns 0, the kernel panics when getBufferAddress is called on that result.

DspFunc::getInputBuffer and DspFunc::getOutputBuffer return 0 in the provided PoCs.

There are 8 DspFuncs in DspFuncLib which do not check the return value; see the table below.

NO.  DspFunc Name             DspFunc Object
1    DspCrossover2Way         DspFunc2WayCrossover
2    Dsp2To4Splitter          DspFunc2To4Splitter
3    DspBeamFormer            DspFuncBeamFormer
4    DspDelay                 DspFuncDelay
5    DspCrossover2Dot1        DspFunc2DOT1Crossover
6    DspCrossover2Dot2        DspFunc2DOT2Crossover
7    DspMultiBandCompressor   DspFuncMultiBandCompressor
8    Dsp2To6Splitter          DspFunc2To6Splitter
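The pattern shared by the eight DspFuncs in the table, as an added example in C that is not code from the advisory or from Apple: a small model of DspFunc, DspBuffer and the two getters, with the unchecked process path (the vulnerable shape) beside a hardened one that refuses to run when a buffer is missing. The struct layouts, the DspStatus codes, the toy crossover maths and the run_crossover helper are assumptions made for this illustration.

```c
/* Added example, not Apple's code: a model of the unchecked-buffer NULL dereference.
 * DspBuffer, DspFunc, getInputBuffer, getOutputBuffer and getBufferAddress are the
 * names the advisory uses; their layouts, the filter maths and DspStatus are assumptions. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    float  *address;          /* sample storage this buffer wraps */
    size_t  frames;
} DspBuffer;

typedef struct {
    DspBuffer *inputs[2];     /* slot stays NULL until a client attaches a buffer */
    DspBuffer *outputs[2];
    int        ninputs, noutputs;
} DspFunc;

typedef enum { DSP_OK = 0, DSP_NO_BUFFER = -1 } DspStatus;

/* Both getters return 0 (NULL) for an out-of-range index or an unattached slot. */
static DspBuffer *getInputBuffer(DspFunc *f, int idx) {
    return (idx >= 0 && idx < f->ninputs) ? f->inputs[idx] : NULL;
}
static DspBuffer *getOutputBuffer(DspFunc *f, int idx) {
    return (idx >= 0 && idx < f->noutputs) ? f->outputs[idx] : NULL;
}

/* The accessor the advisory names: it dereferences its argument unconditionally,
 * so a 0 from the getters above becomes a NULL pointer dereference here. */
static float *getBufferAddress(DspBuffer *b) { return b->address; }

/* Toy 2-way crossover: a two-tap average as the low band, the remainder as the high band. */
static void split(const float *in, float *lo, float *hi, size_t n) {
    for (size_t i = 0; i < n; i++) {
        lo[i] = (in[i] + (i ? in[i - 1] : 0.0f)) * 0.5f;
        hi[i] = in[i] - lo[i];
    }
}

/* Vulnerable shape: getter results are passed straight to getBufferAddress.
 * Calling this on a DspFunc with an unattached buffer faults on the NULL. */
static void process2WayCrossover_unchecked(DspFunc *f) {
    float *in = getBufferAddress(getInputBuffer(f, 0));
    float *lo = getBufferAddress(getOutputBuffer(f, 0));
    float *hi = getBufferAddress(getOutputBuffer(f, 1));
    split(in, lo, hi, f->inputs[0]->frames);
}

/* Hardened shape: check every getter result (and the frame counts) before use. */
static DspStatus process2WayCrossover_checked(DspFunc *f) {
    DspBuffer *in = getInputBuffer(f, 0);
    DspBuffer *lo = getOutputBuffer(f, 0);
    DspBuffer *hi = getOutputBuffer(f, 1);
    if (!in || !lo || !hi) return DSP_NO_BUFFER;
    size_t n = in->frames;
    if (lo->frames < n) n = lo->frames;
    if (hi->frames < n) n = hi->frames;
    split(getBufferAddress(in), getBufferAddress(lo), getBufferAddress(hi), n);
    return DSP_OK;
}

/* Assumed helper: builds a DspFunc over caller-supplied arrays and runs one of the
 * two paths. attach_input == 0 models a client that never attached an input buffer;
 * the unchecked path is only safe to select when attach_input != 0. */
static DspStatus run_crossover(float *in, float *lo, float *hi, size_t n,
                               int attach_input, int use_checked) {
    DspBuffer bin = { in, n }, blo = { lo, n }, bhi = { hi, n };
    DspFunc f = { { attach_input ? &bin : NULL, NULL }, { &blo, &bhi }, 1, 2 };
    if (use_checked) return process2WayCrossover_checked(&f);
    process2WayCrossover_unchecked(&f);
    return DSP_OK;
}

int main(void) {
    float in[4] = { 1, 3, 5, 7 }, lo[4], hi[4];   /* constructed sample input */
    DspStatus s = run_crossover(in, lo, hi, 4, 1, 1);
    printf("attached:   status %d, lo[1]=%g hi[3]=%g\n", s, lo[1], hi[3]);
    printf("unattached: status %d (checked path refuses instead of faulting)\n",
           run_crossover(in, lo, hi, 4, 0, 1));
    return 0;
}
```

The checked variant also clamps the frame count to the smallest of the three buffers, which is the other thing a practitioner would want validated before a kernel DSP routine touches client-supplied memory.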

 


4 UAF vulnerabilities in DspFuncs which are patched in OSX 10.11.6

Description

DspFuncManager::process calls each DspFunc::process, which may clean up its own object; but that cleanup does not remove the pointer to the object from the OSArray in DspFuncManager, so any later access to the object through the OSArray leads to a use-after-free (UAF).

Affected OS and Module

OSX < 10.11.6

Module: DspFuncLib, AppleHDA

Test Environment:

  • OSX 10.11.3 in VMware Fusion
  • MacBook Pro (Retina, 2015)

Analysis

When DspFuncUserClient::createDspFunction or DspFuncUserClient::createDspFunctionWithInstance is called, DspFuncManager stores the newly created object in its OSArray:

[Figure: UAF_DSP_CREATE_OBJECT]

Then, when DspFuncManager::process is called (from ClientStop or performClientIO), each DspFunc::process is called in turn. For example, DspFuncBuzzKill::process is called if a DspFuncBuzzKill object is currently in the OSArray introduced above.

[Figure: UAF_DSP_CLEANUP]

As the figure shows, in DspFuncBuzzKill, if DspFunc::getInputBuffer returns 0, DspFuncBuzzKill::cleanup is called and frees its own class object. Note that DspFuncBuzzKill::cleanup does not remove the object from the OSArray in DspFuncManager, so any later access through the OSArray (such as DspFuncManager::getFunctionInstance) is a use-after-free.

 

There are 4 DspFuncs with this UAF problem; see the table below.

NO.  DspFunc Name                                DspFunc Object
1    DspBuzzKill                                 DspFuncBuzzKill
2    DspCalibrationEQ                            DspFuncCalibrationEQ
3    DspControlFreak / DspControlFreak4ch        DspFuncControlFreak
4    DspXTC_2chIn_2chOut / DspXTC_2chIn_4chOut   DspFuncXTC
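The cleanup path described above, as an added example in C that is not code from the advisory or from Apple: a manager that keeps function objects in an array, a process routine that frees its own object when the input buffer is missing and leaves the array entry behind (the vulnerable shape), and a variant in which cleanup unlinks the object from its owner before the free. The layouts, the owner back-pointer, the g_freed counter, the backward walk in the fixed manager and the demo_vuln/demo_fixed helpers are assumptions made for this illustration; the advisory does not say how Apple's patch works.

```c
/* Added example, not Apple's code: a model of the self-cleanup use-after-free.
 * DspFuncManager, createDspFunction, getFunctionInstance, process and cleanup are
 * the names the advisory uses; the layouts, the owner back-pointer, the g_freed
 * counter and the manager-side fix are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FUNCS 8

typedef struct DspFunc DspFunc;
typedef struct DspFuncManager {
    DspFunc *funcs[MAX_FUNCS];      /* stands in for the manager's OSArray */
    int      count;
} DspFuncManager;

struct DspFunc {
    const char     *name;
    void           *inputBuffer;    /* what getInputBuffer() would return; NULL = none */
    DspFuncManager *owner;          /* back-reference used only by the fixed path */
};

static int g_freed;                 /* objects released so far, for the checks below */

static DspFunc *createDspFunction(DspFuncManager *m, const char *name, void *in) {
    if (m->count >= MAX_FUNCS) return NULL;
    DspFunc *f = calloc(1, sizeof *f);
    if (!f) return NULL;
    f->name = name; f->inputBuffer = in; f->owner = m;
    m->funcs[m->count++] = f;       /* the manager now holds a pointer to f */
    return f;
}

static DspFunc *getFunctionInstance(DspFuncManager *m, int idx) {
    return (idx >= 0 && idx < m->count) ? m->funcs[idx] : NULL;
}

static void removeFunction(DspFuncManager *m, DspFunc *f) {
    for (int i = 0; i < m->count; i++) {
        if (m->funcs[i] != f) continue;
        memmove(&m->funcs[i], &m->funcs[i + 1], (size_t)(m->count - i - 1) * sizeof f);
        m->funcs[--m->count] = NULL;
        return;
    }
}

/* Vulnerable shape: when the input buffer is missing the object frees itself,
 * but the manager's array still points at the freed memory. */
static void buzzkill_cleanup_vuln(DspFunc *self) { free(self); g_freed++; }
static void buzzkill_process_vuln(DspFunc *self) {
    if (self->inputBuffer == NULL) { buzzkill_cleanup_vuln(self); return; }
    /* real DSP work on the buffer would go here */
}
static void manager_process_vuln(DspFuncManager *m) {
    for (int i = 0; i < m->count; i++)
        buzzkill_process_vuln(m->funcs[i]);     /* may free funcs[i] and leave it in place */
}

/* Fixed shape (assumed): cleanup unlinks the object from its owner before freeing it,
 * and the manager walks the array backwards so a removal at index i never shifts an
 * entry it has not visited yet. */
static void buzzkill_cleanup_fixed(DspFunc *self) {
    removeFunction(self->owner, self);
    free(self); g_freed++;
}
static void buzzkill_process_fixed(DspFunc *self) {
    if (self->inputBuffer == NULL) { buzzkill_cleanup_fixed(self); return; }
}
static void manager_process_fixed(DspFuncManager *m) {
    for (int i = m->count - 1; i >= 0; i--)
        buzzkill_process_fixed(m->funcs[i]);
}

/* Returns 1 when, after the vulnerable process pass, the manager still hands out the
 * address of the object that freed itself: the dangling pointer the advisory describes. */
static int demo_vuln(void) {
    DspFuncManager m = { { 0 }, 0 };
    DspFunc *f = createDspFunction(&m, "DspBuzzKill", NULL);   /* no input buffer attached */
    uintptr_t addr = (uintptr_t)f;
    int before = g_freed;
    manager_process_vuln(&m);
    return g_freed == before + 1 && m.count == 1 &&
           (uintptr_t)getFunctionInstance(&m, 0) == addr;      /* stale: never dereference */
}

/* Returns 1 when the fixed pass drops the self-cleaning object from the array and keeps
 * the one that still has a buffer, so later lookups never see freed memory. */
static int demo_fixed(void) {
    DspFuncManager m = { { 0 }, 0 };
    int dummy;
    createDspFunction(&m, "DspBuzzKill", NULL);     /* will clean itself up */
    createDspFunction(&m, "DspBuzzKill", &dummy);   /* has a buffer, survives */
    int before = g_freed;
    manager_process_fixed(&m);
    int ok = g_freed == before + 1 && m.count == 1 &&
             getFunctionInstance(&m, 0)->inputBuffer == &dummy &&
             getFunctionInstance(&m, 1) == NULL;
    buzzkill_cleanup_fixed(getFunctionInstance(&m, 0));      /* tear down the survivor */
    return ok && m.count == 0;
}

int main(void) {
    printf("vulnerable: array still holds the freed object? %s\n", demo_vuln() ? "yes" : "no");
    printf("fixed: freed object unlinked, survivor intact?  %s\n", demo_fixed() ? "yes" : "no");
    return 0;
}
```

The point of the fixed shape is ownership: the container that hands out references (here the manager's array) must see the object leave before its memory is released, whichever side triggers the release.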

 
