OS X suffers from a privilege escalation vulnerability due to XPC type confusion in sysmond.
84ce6959cd03e4fc99b8bddfeb6aeb14ae2f9faa1682d524c3ff80126ea1fdfe
The iOS kernel suffers from a use-after-free vulnerability in IOHIDEventService.
0993c62c9d7d3b84cf8014c889265e8630d8eb77eb33686a24adc235d64af0f7
Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference.
28a95b498e79b6f046637fef1058c83fb6eef97a32bfe058d4b061c8cc843127
The iOS kernel suffers from a use-after-free vulnerability in AppleOscarCompass.
07c89757d7e1a727b6c919c8d09c684989b89529f2c1b57792b91afdea65dac4
The _ool variations of the IOKit device.defs functions all incorrectly deal with error conditions. If you run the mig tool on device.defs you can see the source of the kernel-side MIG handling code.
c4f8daf502963ad5eece0728838a97dbed83ae3ccd4fed0c0d0ea4932020c23d
The iOS kernel suffers from a use-after-free vulnerability in AppleOscarAccelerometer.
f847b2c8805bf3af8196f69a53844b188d41d842f188dcb391ae8fdd35e8c3db
iOS / OS X kernels suffer from a use-after-free / double free vulnerability due to lack of locking in IOHDIXControllerUserClient::clientClose.
adb1b7847f70f13cf0c6ea874eee96b6c0668190e0c8da0a1d59183341cb8770
IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and ::SimpleDispatchWL as the Action. It neither passes nor checks the size of that structInput, and SimpleDispatchWL goes on to read the field at +0x70 of the structInput.
c56f8e5cc82da06ddca32f877f2fa338106ff32a8c69efe2c67b6ac5c6b5196a
The hv_space lock group gets an extra reference dropped when a process holding an AppleHV userclient is killed: once via IOService::terminateWorker calling AppleHVClient::free (which calls lck_rw_free on the lock group using the pointer hanging off the global _hv variable), and a second time via the hypervisor machine_thread_destroy callback (hv_callback_thread_destroy), which also calls lck_rw_free with a lock group pointer taken from _hv.
05bbdc4f970de720232f0fe75333057f8dbe21b2c91a3d821e577be39c6aed9b
The external method 0x206 of IGAccelGLContext is gst_configure. This method takes an arbitrary sized input structure (passed in rsi) but doesn't check the size of that structure (passed in rcx).
e94e24fe8cba2913f917f0f60d22c0acf21be5b012b6f82c3594d9dd86932b95
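The IOBluetoothHCIUserClient and IGAccelGLContext entries above share one root cause: an external method consumes a caller-supplied structure input without comparing the caller-supplied size against the offset it reads. The following C program is an added example written for this page, not Apple's code or any of the referenced PoCs. It models the dispatch in user space on a constructed "kernel heap" buffer: the vulnerable handler reads the field at +0x70 regardless of input size and so returns whatever sits beyond the caller's bytes, while the hardened handler rejects inputs shorter than the offset it needs. The struct, helper names and the 0x41 sentinel are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Return codes mirror IOKit's values; everything else here is a model. */
#define kIOReturnSuccess     0u
#define kIOReturnBadArgument 0xe00002c2u

/* The handler reads an 8-byte field at +0x70 of the structure input,
 * so a correct caller must supply at least 0x78 bytes. */
#define FIELD_OFFSET        0x70u
#define REQUIRED_INPUT_SIZE (FIELD_OFFSET + sizeof(uint64_t))

/* Hypothetical shape of what reaches an external method handler. */
typedef struct {
    const uint8_t *structInput;
    size_t         structInputSize;
} ExternalMethodArgs;

/* Constructed "kernel heap": the caller's structInput is placed at the
 * start; bytes after it stand in for adjacent allocations the caller
 * must never be able to read. */
#define HEAP_SIZE       0x100u
#define ADJACENT_SECRET 0x4141414141414141ULL
static uint8_t heap[HEAP_SIZE];

static void setup_heap(void)
{
    uint64_t secret = ADJACENT_SECRET;
    memset(heap, 0, sizeof heap);
    memcpy(heap + FIELD_OFFSET, &secret, sizeof secret);
}

/* Vulnerable pattern: trusts that enough bytes were supplied and reads
 * the field at +0x70 unconditionally (an OOB read when the input is
 * shorter than 0x78 bytes). */
uint32_t vulnerable_dispatch(const ExternalMethodArgs *args, uint64_t *out)
{
    uint64_t field;
    memcpy(&field, args->structInput + FIELD_OFFSET, sizeof field);
    *out = field;
    return kIOReturnSuccess;
}

/* Hardened pattern: validate pointer and size before touching the field. */
uint32_t hardened_dispatch(const ExternalMethodArgs *args, uint64_t *out)
{
    if (args->structInput == NULL || args->structInputSize < REQUIRED_INPUT_SIZE)
        return kIOReturnBadArgument;
    uint64_t field;
    memcpy(&field, args->structInput + FIELD_OFFSET, sizeof field);
    *out = field;
    return kIOReturnSuccess;
}

/* Value the vulnerable handler hands back for a caller that supplied only
 * input_size bytes (input_size is the caller's claim; the read ignores it). */
uint64_t leaked_by_vulnerable(size_t input_size)
{
    setup_heap();
    ExternalMethodArgs args = { heap, input_size };
    uint64_t v = 0;
    vulnerable_dispatch(&args, &v);
    return v;
}

/* Return code the hardened handler gives for the same caller. */
uint32_t hardened_result(size_t input_size)
{
    setup_heap();
    ExternalMethodArgs args = { heap, input_size };
    uint64_t v = 0;
    return hardened_dispatch(&args, &v);
}

int main(void)
{
    printf("vulnerable, 16-byte input: leaked 0x%llx\n",
           (unsigned long long)leaked_by_vulnerable(16));
    printf("hardened,   16-byte input: 0x%x (bad argument)\n", hardened_result(16));
    printf("hardened,   0x78-byte input: 0x%x (success)\n",
           hardened_result(REQUIRED_INPUT_SIZE));
    return 0;
}
```

In a real IOKit userclient the equivalent of the hardened check is a non-variable `checkStructureInputSize` in the method's IOExternalMethodDispatch entry (or an explicit size check when `kIOUCVariableStructureSize` is used), so IOUserClient::externalMethod rejects short inputs before the handler runs.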
iOS / OS X suffer from a kernel double free due to lack of locking in IOKit registry iterator manipulation.
8165a567612f28c0b556478f27c6f67dcb0caeb69b674c8e9e622681a9e157de
The iOS kernel suffers from a use-after-free vulnerability in IOReportHub.
372880071edb71ad2025e05e64439b5087b17a0a293d3814c5d4fbabdcbcdc0d
The iOS kernel suffers from a use-after-free vulnerability in AppleOscarCMA.
4640878ce067410ae3596bf74bbbfd8ccf473388034000bd3f132d57616e2107
The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod. In the ::start method this field is initialized to NULL. The IGAccelDevice external method gst_configure (0x206) calls gstqConfigure which doesn't check whether the GSTContextKernel pointer is NULL, therefore by calling this external method before calling any others which allocate the GSTContextKernel we can cause a kernel NULL pointer dereference. The GSTContextKernel structure contains pointers, one of which eventually leads to control of a kernel virtual method call. This PoC will kernel panic calling 0xffff800041414141.
9ba4909584ef4a22ac3f38fbff2047915ff0e5cb4a39226d02f5540d8bac2d54
It turns out that the spoofed no-more-senders notification bug when applied to iokit objects was actually just a more complicated way to hit ::clientClose in parallel. You can in fact do this very simply by calling IOServiceClose on two threads. Like the spoofed notifications this leads to many bugs in many userclients, the exact nature of which depends on the semantics of the clientClose implementation.
25c87d331724c51d81b1658a116bd5e77ebeedb53b236aa9fe1efaac0e2a8831
iOS and OS X suffer from a kernel code execution vulnerability due to an integer overflow in NECP system control socket packet parsing.
a90f8ff051275e3a2763ebcc399a8891e5415fd85649de1e7df1f7d097d14c5e
iOS and OS X suffer from a kernel code execution vulnerability via double-delete in IOHIDEventQueue::start due to incorrect error handling.
6ac15af258a146b8752ac818073462c4ae8b5c574c8d1f8ee6cb3d0d6bc85d9f
The mach voucher subsystem fails to correctly handle spoofed no-more-senders messages. ipc_kobject_server will be called for mach messages sent to kernel-owned mach ports. If the msgh_id of the message can't be found in the mig_buckets hash table then this function calls ipc_kobject_notify. Note that this is the same code path which would be taken for a real no-more-senders notification message but there's nothing stopping user-space from also just sending one.
1042bf509240fef0a9ac35c0d9ae68166b05f9869f97a04609c7cfaf25873502
A bad patch for CVE-2015-3712 allows for code execution due to insufficient bounds checking in nvidia GeForce command buffer processing.
ee9c46d5821b8af0488acb255e77382b0306b6ba04c458cde11f5fab2f6efff2
IOUserClient::connectClient is an obscure IOKit method which according to the docs is supposed to "Inform a connection of a second connection." In fact IOKit provides no default implementation and only a handful of userclients actually implement it, and it's pretty much up to them to define the semantics of what "informing the connection of a second connection" actually means. One of the userclients which implements connectClient is IOAccelContext2, which is the parent of the IGAccelContext userclient family (the Intel GPU accelerator userclients). IOUserClient::connectClient is exposed to userspace as IOConnectAddClient.
e6b28ef3cbbacff31eb961ab63d921cbf6e4a18a44fb51c2925eaa646004d804
The iOS kernel suffers from a use-after-free vulnerability in AppleOscarGyro.
4e06593eee3ee14b6e919071b2131a9da0f8320a680e792d7ad5ff9d7dbc3557
Method 5 of the IOHDIXController user client is createDrive64. This takes a 0x100 byte structure input from which it reads a userspace pointer and a size which it passes to IOHDIXController::convertClientBuffer. This wraps the memory pointed to by the userspace pointer in an IOMemoryDescriptor, then takes the user-provided size, casts it to a 32-bit type and adds one. It passes that value to IOMalloc. By passing a size of 0xffffffff we can cause an integer overflow and IOMalloc will be passed a size of 0. IOMalloc falls through to kalloc, which will quite happily make a 0-sized allocation for us and return a valid, writable kernel heap pointer.
7c1b4d44f576a45333e8a5f38a438bc7780560237ca558e684660c3e2a87a9cb
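The createDrive64 entry above turns on two arithmetic mistakes in one expression: a 64-bit user size truncated to 32 bits, then incremented in 32-bit arithmetic. The C program below is an added example for this page, not the IOHDIXController code itself; the function names are hypothetical. It reproduces the vulnerable size computation so the wrap to 0 (and the silent truncation of sizes above 4 GiB) can be observed, and places a hardened version beside it that keeps the full width, detects the overflow with `__builtin_add_overflow` (GCC/Clang), and caps the result before anything like IOMalloc would see it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Vulnerable model of "cast to 32-bit, add one": the value handed to
 * the allocator. 0xffffffff wraps to 0; 0x100000010 truncates to 0x10
 * and yields 0x11, far smaller than the caller's buffer. */
uint32_t vulnerable_alloc_size(uint64_t user_size)
{
    uint32_t len = (uint32_t)user_size;   /* truncation */
    return len + 1;                       /* 32-bit wraparound */
}

/* Hardened model: no narrowing, overflow-checked increment, upper bound.
 * Returns false when the request must be rejected. max_size is the
 * largest buffer the driver is willing to wrap (an assumed policy value). */
bool hardened_alloc_size(uint64_t user_size, uint64_t max_size, size_t *out)
{
    uint64_t total;
    if (__builtin_add_overflow(user_size, (uint64_t)1, &total))
        return false;                     /* user_size == UINT64_MAX */
    if (total == 0 || total > max_size)
        return false;                     /* never hand the allocator 0 */
    if (total > (uint64_t)SIZE_MAX)
        return false;                     /* cannot be represented as size_t */
    *out = (size_t)total;
    return true;
}

/* Assumed driver policy for the examples: at most 256 MiB per buffer. */
#define DEMO_MAX_SIZE (256ull * 1024 * 1024)

/* Convenience wrapper: the hardened size, or 0 if the request is rejected. */
size_t hardened_or_zero(uint64_t user_size)
{
    size_t n;
    return hardened_alloc_size(user_size, DEMO_MAX_SIZE, &n) ? n : 0;
}

int main(void)
{
    const uint64_t inputs[] = { 0x1000ull, 0xffffffffull, 0x100000010ull, UINT64_MAX };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("user size 0x%llx: vulnerable -> 0x%x, hardened -> %zu%s\n",
               (unsigned long long)inputs[i],
               vulnerable_alloc_size(inputs[i]),
               hardened_or_zero(inputs[i]),
               hardened_or_zero(inputs[i]) ? "" : " (rejected)");
    }
    return 0;
}
```

The upper bound matters as much as the overflow check: even with the wraparound fixed, a size close to UINT32_MAX would still ask the allocator for a 4 GiB block.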
networkd is the system daemon which implements the com.apple.networkd XPC service. It's unsandboxed but runs as its own user. com.apple.networkd is reachable from many sandboxes including the Safari WebProcess and ntpd (plus all those which allow system-network). networkd parses quite complicated XPC messages and there are many cases where xpc_dictionary_get_value and xpc_array_get_value are used without subsequent checking of the type of the returned value.
8f3b0d4e8a89ad64284b0b7f58567f82fed3eee85dac017382e0f65c2b11a7e5
The Exynos Seiren Audio driver has a device endpoint (/dev/seiren) that is accessible by either the system user or the audio group (such as the mediaserver). It was found that the write() implementation for this driver contains a buffer overflow vulnerability that overflows a static global buffer.
faf34e337128765e7e7cd244e5054952422e46472fdd20baad4de151245624d7
OS X Regex Engine (TRE) suffers from integer signedness and overflow issues.
c4c0f4887f90a7b044ece2c30e99c3551cdccd98d07ef1bb542fc7bca4fc060e