CVE-2015-7047

Published: 11/12/2015 Updated: 08/03/2019
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
VMScore: 745
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The kernel in Apple iOS prior to 9.2, OS X prior to 10.11.2, tvOS prior to 9.1, and watchOS prior to 2.1 allows local users to gain privileges via a crafted mach message that is misparsed.

Vulnerable Product

apple watchos

apple tvos

apple iphone os

apple mac os x

Exploits

/* Source: code.google.com/p/google-security-research/issues/detail?id=565 Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications. repro: while true; do ./iospoof_ig_4; done Likely to crash in various ways; have observed NULL derefs and NX traps. Tested on ElCapitan 10.11 (15a284) on MacBookAir 5,2 */ / ...
/* Source: code.google.com/p/google-security-research/issues/detail?id=553 The mach voucher subsystem fails to correctly handle spoofed no-more-senders messages. ipc_kobject_server will be called for mach messages sent to kernel-owned mach ports. If the msgh_id of the message can't be found in the mig_buckets hash table then this function ...
/* Source: code.google.com/p/google-security-research/issues/detail?id=567 Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications. Tested on ElCapitan 10.11 (15a284) on MacBookAir 5,2 */ // ianbeer /* Kernel UaF due to audit session port failing to correctly account for spoofed no-mor ...
/* Source: code.google.com/p/google-security-research/issues/detail?id=572 The OS* data types (OSArray etc) are explicitly not thread safe; they rely on their callers to implement the required locking to serialize all accesses and manipulations of them. By sending two spoofed no-more-senders notifications on two threads at the same time we ...
/* Source: code.google.com/p/google-security-research/issues/detail?id=566 Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications. repro: while true; do ./iospoof_ig_7; done Tested on ElCapitan 10.11 (15a284) on MacBookAir 5,2 */ // ianbeer // clang -o iospoof_ig_7 iospoof_ig_7.c -framework IOKit /* Kernel ...