Projects STRLCPY CVE-2022-42864 Commits c32c3a7c
    README.md
    skipped 146 lines
    147 147  To fix the issue, Apple chose to add a third loop in between loop `[1]` and loop `[4]`, validating each `length` field, and then caching it in a new `dataLengths` array, while ensuring the number of elements had not changed. The final loop then uses the cached lengths for its calculations, avoiding reading from the buffer another time.
    148 148   
    149 149  ## Issues with exploitation
    150  -The main obstacle to overcome when exploiting this issue is that the buffer we are overflowing out of belongs to `KHEAP_DATA_BUFFERS`, so exploitation targets are limited. In this proof-of-concept I chose to target kmsg headers, as these are one of very few structures in `KHEAP_DATA_BUFFERS` that contain kernel pointers. The "arbitrary kfree" primitive I obtained using this approach is the same primitive used in the multicast_bytecopy exploit, however the `IOSurfaceClient` array is now PAC'd and forged clients need to have a valid pointer back to the `IOSurfaceRootUserClient` that created them, rendering this no longer a desirable kernel r/w target.
     150 +The main obstacle to overcome when exploiting this issue is that the buffer we are overflowing out of belongs to `KHEAP_DATA_BUFFERS`, so exploitation targets are limited. In this proof-of-concept I chose to target kmsg headers, as these are one of very few structures in `KHEAP_DATA_BUFFERS` that contain kernel pointers. The "arbitrary kfree" primitive I obtained using this approach is the same primitive used in the [multicast_bytecopy](https://github.com/potmdehex/multicast_bytecopy) exploit, however the `IOSurfaceClient` array is now PAC'd and forged clients need to have a valid pointer back to the `IOSurfaceRootUserClient` that created them, rendering this no longer a desirable kernel r/w target.
    151 151   
    152 152  ## Building and installing
    153 153  Apple have not made building and installing custom DriverKit extensions very easy, especially without a paid Apple Developer account, but it is possible.
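Review bot: the added `[multicast_bytecopy](...)` link on the changed line fixes a bare reference, but the sentence it sits in still joins two independent clauses with a comma ("... exploit, however the `IOSurfaceClient` array is now PAC'd ..."). Consider ending the sentence after "exploit" and starting a new one: "However, the `IOSurfaceClient` array is now PAC'd and forged clients need a valid pointer back to the `IOSurfaceRootUserClient` that created them, so this is no longer a desirable kernel r/w target." While touching this line, "The 'arbitrary kfree' primitive I obtained using this approach is the same primitive used in ..." would also read more cleanly as "is the same one used in ...".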
    skipped 22 lines