crash.software
Projects
Pull Requests
Issues
Builds
CVE-2022-42864
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY CVE-2022-42864 Commits 302f8a59
🤬
  • ■ ■ ■ ■ ■ ■
    README.md
    skipped 19 lines
    20 20  ```cpp
    21 21  IOReturn IOHIDDevice::postElementTransaction(const void* elementData, UInt32 dataSize, UInt32 completionTimeout, IOHIDCompletion * completion)
    22 22  {
    23  - IOReturn ret = kIOReturnError;
    24  - uint32_t cookies_[kMaxLocalCookieArrayLength];
    25  - uint32_t *cookies = cookies_;
    26  - uint32_t cookieCount = 0;
    27  - uint32_t cookieSize = 0;
    28  - uint32_t dataOffset = 0;
    29  - uint8_t *data = (uint8_t*)elementData;
    30  - IOMemoryDescriptor *elementDesc = getMemoryWithCurrentElementValues();
    31  - require(_elementArray && elementDesc, fail);
     23 + IOReturn ret = kIOReturnError;
     24 + uint32_t cookies_[kMaxLocalCookieArrayLength];
     25 + uint32_t *cookies = cookies_;
     26 + uint32_t cookieCount = 0;
     27 + uint32_t cookieSize = 0;
     28 + uint32_t dataOffset = 0;
     29 + uint8_t *data = (uint8_t*)elementData;
     30 + IOMemoryDescriptor *elementDesc = getMemoryWithCurrentElementValues();
     31 + require(_elementArray && elementDesc, fail);
    32 32   
    33  - WORKLOOP_LOCK;
     33 + WORKLOOP_LOCK;
    34 34   
    35  - // Find the number of cookies in the data. Check that all cookies are valid elements. [1]
    36  - while (dataOffset < dataSize) {
    37  - const IOHIDElementValueHeader *headerPtr = (const IOHIDElementValueHeader *)(data + dataOffset);
    38  - IOHIDElementPrivate *element = GetElement(headerPtr->cookie);
    39  - if (!element) {
    40  - HIDDeviceLogError("Could not find element for cookie: %d", headerPtr->cookie);
    41  - ret = kIOReturnAborted;
    42  - goto fail;
    43  - }
    44  - cookieCount++;
     35 + // Find the number of cookies in the data. Check that all cookies are valid elements. [1]
     36 + while (dataOffset < dataSize) {
     37 + const IOHIDElementValueHeader *headerPtr = (const IOHIDElementValueHeader *)(data + dataOffset);
     38 + IOHIDElementPrivate *element = GetElement(headerPtr->cookie);
     39 + if (!element) {
     40 + HIDDeviceLogError("Could not find element for cookie: %d", headerPtr->cookie);
     41 + ret = kIOReturnAborted;
     42 + goto fail;
     43 + }
     44 + cookieCount++;
    45 45   
    46  - require_noerr_action(os_add3_overflow(dataOffset, headerPtr->length, sizeof(IOHIDElementValueHeader), &dataOffset), fail, HIDDeviceLogError("Overflow iterating cookie data buffer %u %u", dataOffset, headerPtr->length));
    47  - }
    48  - // Data isn't as large as expected, don't overrun, just abort
    49  - if (dataOffset != dataSize) { // [2]
    50  - HIDDeviceLogError("Cookie data buffer is smaller than expected. %u vs. %u",
    51  - (unsigned int)dataSize, (unsigned int)dataOffset);
    52  - ret = kIOReturnAborted;
    53  - goto fail;
    54  - }
    55  - dataOffset = 0;
     46 + require_noerr_action(os_add3_overflow(dataOffset, headerPtr->length, sizeof(IOHIDElementValueHeader), &dataOffset), fail, HIDDeviceLogError("Overflow iterating cookie data buffer %u %u", dataOffset, headerPtr->length));
     47 + }
     48 + // Data isn't as large as expected, don't overrun, just abort
     49 + if (dataOffset != dataSize) { // [2]
     50 + HIDDeviceLogError("Cookie data buffer is smaller than expected. %u vs. %u",
     51 + (unsigned int)dataSize, (unsigned int)dataOffset);
     52 + ret = kIOReturnAborted;
     53 + goto fail;
     54 + }
     55 + dataOffset = 0;
    56 56   
    57  - require_noerr_action(os_mul_overflow(cookieCount, sizeof(uint32_t), &cookieSize),
    58  - fail,
    59  - HIDDeviceLogError("Overflow calculating cookieSize"));
     57 + require_noerr_action(os_mul_overflow(cookieCount, sizeof(uint32_t), &cookieSize),
     58 + fail,
     59 + HIDDeviceLogError("Overflow calculating cookieSize"));
    60 60   
    61  - cookies = (cookieCount <= kMaxLocalCookieArrayLength) ? cookies : (uint32_t*)IOMallocData(cookieSize); // [3]
     61 + cookies = (cookieCount <= kMaxLocalCookieArrayLength) ? cookies : (uint32_t*)IOMallocData(cookieSize); // [3]
    62 62   
    63  - if (cookies == NULL) {
    64  - ret = kIOReturnNoMemory;
    65  - goto fail;
    66  - }
     63 + if (cookies == NULL) {
     64 + ret = kIOReturnNoMemory;
     65 + goto fail;
     66 + }
    67 67   
    68  - // Update the elements, this replaced the shared kernel-user shared memory.
    69  - for (size_t index = 0; dataOffset < dataSize; ++index) { // [4]
    70  - const IOHIDElementValueHeader *headerPtr;
    71  - IOHIDElementPrivate *element;
    72  - OSData *elementVal;
     68 + // Update the elements, this replaced the shared kernel-user shared memory.
     69 + for (size_t index = 0; dataOffset < dataSize; ++index) { // [4]
     70 + const IOHIDElementValueHeader *headerPtr;
     71 + IOHIDElementPrivate *element;
     72 + OSData *elementVal;
    73 73   
    74  - headerPtr = (const IOHIDElementValueHeader *)(data + dataOffset);
    75  - element = GetElement(headerPtr->cookie);
    76  - dataOffset += headerPtr->length + sizeof(IOHIDElementValueHeader);
     74 + headerPtr = (const IOHIDElementValueHeader *)(data + dataOffset);
     75 + element = GetElement(headerPtr->cookie);
     76 + dataOffset += headerPtr->length + sizeof(IOHIDElementValueHeader);
    77 77   
    78  - elementVal = OSData::withBytesNoCopy((void*)headerPtr->value,
    79  - headerPtr->length); // [5]
    80  - require_action(elementVal, fail, ret = kIOReturnNoMemory);
    81  - element->setDataBits(elementVal);
    82  - elementVal->release();
     78 + elementVal = OSData::withBytesNoCopy((void*)headerPtr->value,
     79 + headerPtr->length); // [5]
     80 + require_action(elementVal, fail, ret = kIOReturnNoMemory);
     81 + element->setDataBits(elementVal);
     82 + elementVal->release();
    83 83   
    84  - cookies[index] = headerPtr->cookie; // [6]
    85  - }
     84 + cookies[index] = headerPtr->cookie; // [6]
     85 + }
    86 86   
    87  - // Actually post elements
    88  - ret = postElementValues((IOHIDElementCookie *)cookies, (UInt32)cookieCount, 0, completionTimeout, completion);
     87 + // Actually post elements
     88 + ret = postElementValues((IOHIDElementCookie *)cookies, (UInt32)cookieCount, 0, completionTimeout, completion);
    89 89   
    90 90  fail:
    91  - WORKLOOP_UNLOCK;
    92  - if (cookies != &cookies_[0]) {
    93  - IOFreeData(cookies, cookieSize);
    94  - }
     91 + WORKLOOP_UNLOCK;
     92 + if (cookies != &cookies_[0]) {
     93 + IOFreeData(cookies, cookieSize);
     94 + }
    95 95   
    96  - return ret;
     96 + return ret;
    97 97  }
    98 98  ```
    99 99   
    skipped 10 lines
    110 110  kern_return_t
    111 111  IMPL(IOHIDInterface, SetElementValues)
    112 112  {
    113  - IOReturn ret = kIOReturnError;
    114  - UInt8 *values = NULL;
    115  - IOBufferMemoryDescriptor *md = NULL;
     113 + IOReturn ret = kIOReturnError;
     114 + UInt8 *values = NULL;
     115 + IOBufferMemoryDescriptor *md = NULL;
    116 116  
    117  - md = OSDynamicCast(IOBufferMemoryDescriptor, elementValues);
    118  - require_action(md && count, exit, ret = kIOReturnBadArgument);
     117 + md = OSDynamicCast(IOBufferMemoryDescriptor, elementValues);
     118 + require_action(md && count, exit, ret = kIOReturnBadArgument);
    119 119   
    120  - values = (UInt8 *)md->getBytesNoCopy();
     120 + values = (UInt8 *)md->getBytesNoCopy();
    121 121  
    122  - // Post the data to the device
    123  - ret = _owner->postElementTransaction(values, (UInt32)md->getLength());
    124  - require_noerr_action(ret, exit, HIDServiceLogError("postElementValues failed: 0x%x", ret));
     122 + // Post the data to the device
     123 + ret = _owner->postElementTransaction(values, (UInt32)md->getLength());
     124 + require_noerr_action(ret, exit, HIDServiceLogError("postElementValues failed: 0x%x", ret));
    125 125   
    126 126  exit:
    127  - return ret;
     127 + return ret;
    128 128  }
    129 129  ```
    130 130   
    skipped 31 lines
    162 162   
    163 163  If this fails, you can also try building without signing using:
    164 164   
    165  - xcodebuild build CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO
     165 + xcodebuild build CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO
    166 166   
    167 167  And then manually signing using:
    168 168   
    169  - codesign -fs self-sign-cert --entitlements HIDDriverLoader/HIDDriverLoader.entitlements build/Release/HIDDriverLoader.app/Contents/MacOS/HIDDriverLoader
    170  - codesign -fs self-sign-cert --entitlements HIDDriver/HIDDriver.entitlements build/Release/HIDDriverLoader.app/Contents/Library/SystemExtensions/*.dext/*.driver
     169 + codesign -fs self-sign-cert --entitlements HIDDriverLoader/HIDDriverLoader.entitlements build/Release/HIDDriverLoader.app/Contents/MacOS/HIDDriverLoader
     170 + codesign -fs self-sign-cert --entitlements HIDDriver/HIDDriver.entitlements build/Release/HIDDriverLoader.app/Contents/Library/SystemExtensions/*.dext/*.driver
    171 171   
    172 172  ### Thank you for reading :)
    173 173   
Please wait...
Page is in error, reload to recover