IOUserClient::connectClient is an obscure IOKit method which, according to the docs, is supposed to "Inform a connection of a second connection." In fact IOKit provides no default implementation and only a handful of userclients actually implement it, so it is pretty much up to them to define what "informing the connection of a second connection" actually means. One of the userclients which implements connectClient is IOAccelContext2, the parent of the IGAccelContext userclient family (the Intel GPU accelerator userclients). IOUserClient::connectClient is exposed to userspace as IOConnectAddClient.
The iOS kernel suffers from a use-after-free vulnerability in AppleOscarGyro.
Barracuda Networks Message Archiver 650 suffers from client-side cross-site scripting vulnerabilities.
Atlassian Jira versions 6.1.4 and below suffer from a cross-site scripting vulnerability.
Wireshark suffers from a stack-based buffer overflow in Dissect_nhdr_extopt.
Android sensord local root exploit.
Method 5 of the IOHDIXController user client is createDrive64. This takes a 0x100 byte structure input from which it reads a userspace pointer and a size, which it passes to IOHDIXController::convertClientBuffer. This wraps the memory pointed to by the userspace pointer in an IOMemoryDescriptor, then takes the user-provided size, casts it to a 32-bit type and adds one. It passes that value to IOMalloc. By passing a size of 0xffffffff we can cause an integer overflow and IOMalloc will be passed a size of 0. IOMalloc falls through to kalloc, which will quite happily make a 0-sized allocation for us and return a valid, writable kernel heap pointer.