Kernel memory leak

  • Authors: Aristide Fattori (@joystick) and Roberto Paleari (@rpaleari)
  • Notification date: 09/03/2015
  • Release date: 13/08/2015
  • Status: Fixed in OS X 10.10.5

The patch for CVE-2014-8837, included in OS X 10.10.2, does not fully fix one of the issues we reported.

In particular, the function IOBluetoothHCIController::BluetoothHCIWriteCurrentIACLAP(unsigned int req_index, BluetoothHCICurrentInquiryAccessCodes *IAC) failed to validate IAC.buffer. An attacker can set this pointer either to an invalid address, which leads to a crash, or to a valid kernel address, in which case _PackDataList copies 512 bytes of data from anywhere in kernel memory into the request identified by req_index. It is unclear, however, whether this data could then be retrieved by the attacker through another request. Should someone find a way to read it back, the bug would allow a kernel memory leak.
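
The bug class above, a kernel handler trusting a caller-supplied pointer embedded in a request structure, is easy to see in isolation. The following is an added example written for this page; it is not the advisory's code, nor Apple's IOBluetooth implementation, and every name carrying the hypo_ prefix is an assumption. It models the two address spaces as two static arrays so that it runs in user space, and places the unchecked handler next to a hardened one that refuses any pointer not lying entirely within the user range before copying the fixed 512-byte block.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (hypothetical names) of the pattern in the advisory:
 * a request carries a caller-supplied struct with an embedded pointer,
 * and the handler copies a fixed-size block from wherever it points. */
#define HYPO_IAC_COPY_LEN 512

typedef struct {
    uint32_t       count;
    const uint8_t *buffer;   /* caller-controlled pointer: must be validated */
} hypo_current_iac_t;

typedef struct {
    uint8_t data[HYPO_IAC_COPY_LEN];
    size_t  len;
} hypo_request_t;

/* Simulated address spaces. In a real kernel these are the user and kernel
 * VA ranges; here they are static arrays so the example is self-contained. */
static uint8_t hypo_user_mem[4096];
static uint8_t hypo_kernel_mem[4096];

/* Returns 1 if [p, p+len) lies entirely inside the simulated user range. */
int hypo_in_user_range(const uint8_t *p, size_t len) {
    uintptr_t start = (uintptr_t)hypo_user_mem;
    uintptr_t end   = start + sizeof hypo_user_mem;
    uintptr_t a     = (uintptr_t)p;
    if (p == NULL) return 0;
    if (a < start || a >= end) return 0;
    if (len > end - a) return 0;       /* overflow-safe tail check */
    return 1;
}

/* Unchecked form: trusts iac->buffer and copies from wherever it points.
 * This is the behaviour the advisory attributes to the unpatched handler. */
int hypo_write_iac_unchecked(hypo_request_t *req, const hypo_current_iac_t *iac) {
    memcpy(req->data, iac->buffer, HYPO_IAC_COPY_LEN);
    req->len = HYPO_IAC_COPY_LEN;
    return 0;
}

/* Hardened form: reject any pointer that is not a valid user-space range of
 * the required length, and only then copy. Returns -1 on rejection. */
int hypo_write_iac_checked(hypo_request_t *req, const hypo_current_iac_t *iac) {
    if (!hypo_in_user_range(iac->buffer, HYPO_IAC_COPY_LEN)) {
        req->len = 0;
        return -1;
    }
    memcpy(req->data, iac->buffer, HYPO_IAC_COPY_LEN);
    req->len = HYPO_IAC_COPY_LEN;
    return 0;
}

/* Runs both handlers against a user pointer and a kernel pointer.
 * Returns a bitmask: bit0 = checked accepted user ptr, bit1 = checked
 * rejected kernel ptr, bit2 = unchecked accepted kernel ptr (no check). */
int hypo_demo(void) {
    hypo_request_t     req;
    hypo_current_iac_t good = { 1, hypo_user_mem };
    hypo_current_iac_t bad  = { 1, hypo_kernel_mem };
    int mask = 0;
    memset(hypo_kernel_mem, 0x41, sizeof hypo_kernel_mem);  /* constructed contents */
    memset(hypo_user_mem, 0x00, sizeof hypo_user_mem);
    if (hypo_write_iac_checked(&req, &good) == 0)  mask |= 1;
    if (hypo_write_iac_checked(&req, &bad) == -1)  mask |= 2;
    if (hypo_write_iac_unchecked(&req, &bad) == 0) mask |= 4;
    return mask;  /* 7 when the two handlers behave as described */
}
```

In a real driver the range check would be the kernel's own user-address validation followed by a copyin-style transfer rather than a raw memcpy; the point of the example is that the validation must happen on the pointer the caller supplied, before any copy, and must account for the full length being read.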

This bug has been addressed by Apple in OS X Yosemite 10.10.5 (see HT205031).