Switch branches/tags
Nothing to show
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


Kernel memory leak

  • Authors: Aristide Fattori (@joystick) and Roberto Paleari (@rpaleari)
  • Notification date: 09/03/2015
  • Release date: 13/08/2015
  • Status: Fixed in OS X 10.10.5

The patch to CVE-2014-8837, included in OS X 10.10.2, does not fully patches one of the issues we reported.

In particular, function IOBluetoothHCIController::BluetoothHCIWriteCurrentIACLAP(unsigned int req_index, BluetoothHCICurrentInquiryAccessCodes *IAC) failed to check IAC.buffer. This pointer can be set by the attacker to either an invalid address, that leads to a crash, or to an address pointing to a valid kernel address, causing _PackDataList to copy 512 bytes of data from anywhere in the kernel to the request identified by req_index. It is unclear, however, if this data could somehow be retrieved by the attacker through another request. Should someone find a way to read this data, it would be possible to perform a kernel memory leak.

This bug has been addressed by Apple in OS X Yosemite 10.10.5 (see HT205031).