CVE-2022-32827

Related Files

AppleAVD deallocateKernelMemoryInternal Missing Surface Lock

Posted Nov 18, 2022

Authored by Google Security Research, natashenka

In AppleAVD.kext, pixel buffers are mapped by calling AppleAVDUserClient::_mapPixelBuffer, which eventually calls AppleAVD::allocateKernelMemoryInternal. If the buffer is an IOSurface, the function calls IOSurface::deviceLockSurface before allocating memory by calling prepare. But when a pixel buffer is unmapped by calling AppleAVDUserClient::_unmapPixelBuffer, which calls AppleAVD::deallocateKernelMemoryInternal, the IOSurface is not locked before calling complete. This means that mapping and unmapping can occur at the same time, leading to kernel memory corruption. This bug could allow escalation to kernel privileges from a local app.

tags | exploit, kernel, local

advisories | CVE-2022-32827

SHA-256 | fa06dd34c9fcfaf9f03c6a70c7fd7fc078ff6872d40e76e3295731e58256ce8a

Download | Favorite | View

Apple Security Advisory 2022-10-27-3

Posted Oct 31, 2022

Authored by Apple | Site apple.com

Apple Security Advisory 2022-10-27-3 - iOS 16 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.

tags | advisory, overflow, spoof, vulnerability, code execution

systems | apple, ios

advisories | CVE-2021-36690, CVE-2022-1622, CVE-2022-26744, CVE-2022-32795, CVE-2022-32827, CVE-2022-32835, CVE-2022-32854, CVE-2022-32858, CVE-2022-32859, CVE-2022-32864, CVE-2022-32865, CVE-2022-32866, CVE-2022-32867, CVE-2022-32868

SHA-256 | f72f652240009ad6885c95e399eeada938afdca8ed7e90acdcc02793817280ae

Download | Favorite | View