Vendor: MacOS
By: ianbeer
CVSS: 7.8 (HIGH)
CWE: 415 (Double Free)
Product Name: MacOS
Affected Version From: MacOS 10.12.3 (16D32)
Affected Version To: MacOS 10.12.3 (16D32)
Patch Exists: NO
Related CWE: N/A
CPE: o:apple:mac_os_x:10.12.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: MacbookAir5,2
2017

MacOS/iOS kernel double free due to bad locking in fsevents

There is a double free vulnerability in the fsevents ioctl handler due to bad locking. This can lead to an exploitable kernel use-after-free if two threads see the same value for devices_not_to_watch at (a), assign that value to tmp, and then each free it at (d). The lock/unlock at (b) and (c) do not protect this window.

Mitigation:

The open handler for the fsevents device node has a further access check which restricts this issue to root only, despite the permissions on the device node itself (which is world-readable).