iOS and macOS suffer from a sandbox escape vulnerability caused by a mach message being sent from shared memory.
iOS/MacOS sandbox escape due to mach message sent from shared memory
io_hideventsystem sets up a shared memory event queue; at the end of this shared memory buffer it puts
a mach message which it sends whenever it wants to notify a client that there's data available
in the queue.
As a client we can modify this mach message such that the server (hidd on MacOS, backboardd on iOS)
will send us an arbitrary mach port from its namespace with an arbitrary disposition.
This is a minimal PoC to demonstrate the issue. Interpose it into the PoC for P0 1623, Apple issue 695930632.
Found by: ianbeer
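The trust-boundary problem described above, as an added example in portable C that is not code from the original report or from Apple: a server that builds its notification message from client-writable shared memory, next to one that keeps the message in private memory. The structs, field names, constants and `fake_send` are simplified stand-ins constructed for this example, not the real mach or IOHIDFamily definitions.

```c
#include <stdint.h>
#include <stdio.h>

#define DISP_SEND 1u /* constructed stand-in for a port disposition value */

/* Simplified stand-in for a mach message header (constructed). */
struct notify_msg {
    uint32_t bits;        /* dispositions applied to the ports below */
    uint32_t remote_port; /* destination: the client's notification port */
    uint32_t local_port;  /* port name transferred along with the message */
};

/* Memory mapped into BOTH processes: the client can write every byte. */
struct shared_queue {
    uint8_t events[64];
    struct notify_msg trailer; /* message stored after the queue data */
};

/* Server-side connection state, never mapped into the client. */
struct server_conn {
    struct shared_queue *shm;
    struct notify_msg private_msg;
};

/* Stand-in for the send call: returns the header that would be acted on. */
static struct notify_msg fake_send(const struct notify_msg *m) { return *m; }

void conn_init(struct server_conn *c, struct shared_queue *shm, uint32_t client_port) {
    struct notify_msg m = { DISP_SEND, client_port, 0 };
    c->shm = shm;
    c->private_msg = m; /* trusted copy */
    shm->trailer = m;   /* copy the client is able to rewrite */
}

/* Weak: header fields are read from client-writable memory at send time. */
struct notify_msg notify_from_shared(struct server_conn *c) { return fake_send(&c->shm->trailer); }

/* Hardened: header fields come only from server-private memory. */
struct notify_msg notify_from_private(struct server_conn *c) { return fake_send(&c->private_msg); }

int main(void) {
    struct shared_queue shm = {0};
    struct server_conn c;
    conn_init(&c, &shm, 7);
    shm.trailer.local_port = 0x1234; /* models a write by the client */
    printf("shared: %#x private: %#x\n", (unsigned)notify_from_shared(&c).local_port,
           (unsigned)notify_from_private(&c).local_port);
    return 0;
}
```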