IOFireWireFamily-crash3.c Disclosure of issues addressed in OS X v10.10.4 Jun 30, 2015


Multiple NULL pointer dereferences in IOFireWireFamily

  • Authors: Roberto Paleari (@rpaleari) and Aristide Fattori (@joystick)
  • Notification date: 20/04/2015
  • Release date: 30/06/2015
  • Status: Fixed in OS X 10.10.4


We identified multiple NULL pointer dereferences in the IOFireWireFamily kernel module. These issues can be exploited by local attackers to crash the system.

In more detail, the issues affect multiple methods exposed by the IOKit service IOFireWireLocalNode. These methods blindly dereference the user-supplied asyncReference member of the IOExternalMethodArguments input structure, without checking whether this member actually holds a valid pointer.

We confirm that method selectors 84, 85 and 89 are vulnerable, and we provide a separate proof-of-concept for each of them. Practically speaking, our PoCs simply invoke the methods through the IOConnectCallMethod() IOKitLib function (which implicitly sets a NULL asyncReference) instead of using IOConnectCallAsyncMethod().
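To make the bug class concrete, the following is an added example (not the advisory's PoC and not Apple's driver code) that models an IOKit external method handler: the unsafe variant uses `arguments->asyncReference` unconditionally, as the advisory describes, while the hardened variant refuses a synchronous call into an async-only selector. The struct is a trimmed re-creation of the async fields of IOExternalMethodArguments so it compiles offline; the handler names and the `0x1234` reference value are constructed for illustration.

```c
/* Added example: unsafe vs. hardened handling of asyncReference in an
 * IOKit external method. Struct and constants are a constructed subset
 * of IOKit's definitions so this builds without the IOKit headers. */
#include <stdint.h>
#include <stddef.h>

typedef uint32_t IOReturn;
typedef uint64_t io_user_reference_t;
#define kIOReturnSuccess     0u
#define kIOReturnBadArgument 0xE00002C2u  /* IOKit's value; only used locally here */

/* Constructed subset of IOExternalMethodArguments: just the async fields.
 * IOConnectCallMethod() leaves asyncReference NULL and the count 0;
 * IOConnectCallAsyncMethod() fills both in. */
typedef struct {
    io_user_reference_t *asyncReference;
    uint32_t             asyncReferenceCount;
} IOExternalMethodArguments;

/* Unsafe pattern (hypothetical handler): trusts that the caller used the
 * async entry point. With a synchronous call this dereferences NULL. */
IOReturn unsafe_register_callback(IOExternalMethodArguments *args) {
    io_user_reference_t callback = args->asyncReference[0];  /* NULL deref on sync call */
    return callback ? kIOReturnSuccess : kIOReturnBadArgument;
}

/* Hardened pattern: validate the reference before touching it. */
IOReturn safe_register_callback(IOExternalMethodArguments *args) {
    if (args == NULL || args->asyncReference == NULL || args->asyncReferenceCount == 0)
        return kIOReturnBadArgument;  /* sync call into an async-only selector */
    io_user_reference_t callback = args->asyncReference[0];
    return callback ? kIOReturnSuccess : kIOReturnBadArgument;
}

/* Scenario helpers: what the hardened handler returns for a synchronous
 * call (no async reference) and for an async call carrying a constructed
 * reference value. */
IOReturn hardened_result_for_sync_call(void) {
    IOExternalMethodArguments args = { NULL, 0 };
    return safe_register_callback(&args);
}

IOReturn hardened_result_for_async_call(void) {
    io_user_reference_t ref[1] = { 0x1234 };  /* constructed sample reference */
    IOExternalMethodArguments args = { ref, 1 };
    return safe_register_callback(&args);
}
```

The same count-and-pointer check belongs in every selector that is only meaningful when called asynchronously; a handler that only has one of the two checks still trusts the caller.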

Other unsafe uses of the asyncReference attribute are also present in the very same driver, but we decided not to invest more time in analysing these bugs, as the latest MacBooks and iMacs lack a FireWire port, so these issues should affect only older models. Moreover, at the time of writing we have not been able to leverage these vulnerabilities to execute arbitrary code, but we cannot rule out this possibility.