Kernel memory leak
- Authors: Aristide Fattori (@joystick) and Roberto Paleari (@rpaleari)
- Notification date: 09/03/2015
- Release date: 13/08/2015
- Status: Fixed in OS X 10.10.5
The patch for CVE-2014-8837, included in OS X 10.10.2, does not fully patch one of the issues we reported.
In particular, function
IOBluetoothHCIController::BluetoothHCIWriteCurrentIACLAP(unsigned int req_index, BluetoothHCICurrentInquiryAccessCodes *IAC) failed to check
This pointer can be set by the attacker either to an invalid address, which leads to
a crash, or to a valid kernel address,
_PackDataList to copy 512 bytes of data from anywhere in the kernel to the request
req_index. It is unclear, however, if this data could somehow be retrieved
by the attacker through another request. Should someone find a way to read this
data, it would be possible to perform a kernel memory leak.
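As an added illustration (this is not code from the advisory, from Apple, or from the IOBluetooth driver), the C program below shows the shape of the missing check: a request handler validates the request index but copies 512 bytes from wherever the caller-supplied pointer points, next to a hardened version that rejects NULL and any source outside a caller-owned region using an overflow-safe bounds test. The slot count, the `caller_region` and `kernel_secret` buffers, and every function name are constructed for the example; the advisory does not describe how Apple fixed the bug, so the checked variant is an illustrative mitigation, not Apple's patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes: stand-ins for the request slots the advisory mentions,
 * not the real IOBluetoothHCIController layout. */
#define IAC_SIZE      512
#define NUM_REQUESTS  4

static uint8_t request_table[NUM_REQUESTS][IAC_SIZE];

/* Hypothetical region the caller is allowed to point into, e.g. a parameter
 * block that has already been copied in from user space. */
uint8_t caller_region[2 * IAC_SIZE];

/* Constructed kernel data that no request should ever be able to read. */
uint8_t kernel_secret[IAC_SIZE];

/* Fill the demo buffers with recognisable constructed contents. */
void init_demo_memory(void)
{
    memset(kernel_secret, 0x41, sizeof kernel_secret);
    memset(caller_region, 0x42, sizeof caller_region);
    memset(request_table, 0, sizeof request_table);
}

/* Overflow-safe test that [p, p+len) lies entirely inside [base, base+base_len). */
bool pointer_in_region(const void *p, size_t len, const void *base, size_t base_len)
{
    uintptr_t pa = (uintptr_t)p;
    uintptr_t ba = (uintptr_t)base;
    if (pa < ba || len > base_len)
        return false;
    /* Compare offsets rather than computing pa + len, so a pointer near the
     * top of the address space cannot wrap around and pass the check. */
    return (pa - ba) <= (base_len - len);
}

/* Shape of the flaw: the index is validated, the source pointer is not, so
 * 512 bytes are copied from whatever address the caller supplied. */
int write_iac_unchecked(unsigned req_index, const uint8_t *iac)
{
    if (req_index >= NUM_REQUESTS)
        return -1;
    memcpy(request_table[req_index], iac, IAC_SIZE);
    return 0;
}

/* Hardened variant: reject NULL and any source outside the caller-owned region
 * before touching it. Return codes are constructed for this example. */
int write_iac_checked(unsigned req_index, const uint8_t *iac)
{
    if (req_index >= NUM_REQUESTS)
        return -1;
    if (iac == NULL)
        return -2;
    if (!pointer_in_region(iac, IAC_SIZE, caller_region, sizeof caller_region))
        return -3;
    memcpy(request_table[req_index], iac, IAC_SIZE);
    return 0;
}

/* Does request slot req_index now hold a copy of the 512 bytes at src? */
bool request_slot_equals(unsigned req_index, const uint8_t *src)
{
    return req_index < NUM_REQUESTS &&
           memcmp(request_table[req_index], src, IAC_SIZE) == 0;
}

int main(void)
{
    init_demo_memory();
    printf("unchecked, kernel pointer: rc=%d, slot copied secret: %s\n",
           write_iac_unchecked(0, kernel_secret),
           request_slot_equals(0, kernel_secret) ? "yes" : "no");
    printf("checked, kernel pointer:   rc=%d, slot copied secret: %s\n",
           write_iac_checked(1, kernel_secret),
           request_slot_equals(1, kernel_secret) ? "yes" : "no");
    printf("checked, caller pointer:   rc=%d\n",
           write_iac_checked(1, caller_region));
    return 0;
}
```

The bounds test deliberately subtracts instead of adding: `pa + len` can wrap for a pointer near the end of the address space and appear to land inside the region, while `pa - ba` is always well defined once `pa >= ba` has been established. The last valid source is `caller_region + IAC_SIZE` (exactly 512 bytes remain); one byte further overlaps the end of the region and is rejected.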
This bug has been addressed by Apple in OS X Yosemite 10.10.5 (see HT205031).