CVE-2022-32827

AppleAVD: Missing surface lock in deallocateKernelMemoryInternal

In AppleAVD.kext, pixel buffers are mapped by calling AppleAVDUserClient::_mapPixelBuffer, which eventually calls AppleAVD::allocateKernelMemoryInternal. If the buffer is an IOSurface, the function calls IOSurface::deviceLockSurface before allocating memory by calling prepare. But when a pixel buffer is unmapped by calling AppleAVDUserClient::_unmapPixelBuffer, which calls AppleAVD::deallocateKernelMemoryInternal, the IOSurface is not locked before calling complete. This means that a mapping and an unmapping of the same surface can run at the same time, leading to kernel memory corruption. This bug could allow escalation to kernel privileges from a local app.
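To make the lock discipline in the paragraph above concrete, here is an added example that is not the kext's code and not the attached service.m: a small C model that enumerates every interleaving of a map path (lock, prepare, unlock) with an unmap path, once without the lock around complete (the behaviour described above) and once with it. The step names, the "in_prepare" flag and the counting of interleavings are assumptions of the model, chosen to mirror the functions named in the report; the model only shows why the missing lock matters, it does not touch any real driver.

```c
#include <stdbool.h>
#include <stdio.h>

/* One step of a code path in the toy model. END terminates a path. */
typedef enum { LOCK, UNLOCK, PREPARE_BEGIN, PREPARE_END, COMPLETE, END } step_t;

/* Shared state of the modelled surface. */
typedef struct {
    int lock_holder;   /* 0 = free, 1 = map path, 2 = unmap path (models deviceLockSurface) */
    bool in_prepare;   /* prepare() has started but has not finished building the mapping */
    bool prepared;     /* a mapping currently exists */
} state_t;

/* allocateKernelMemoryInternal analogue: prepare() always runs under the surface lock. */
static const step_t MAP_PATH[]   = { LOCK, PREPARE_BEGIN, PREPARE_END, UNLOCK, END };
/* deallocateKernelMemoryInternal analogue before the fix: complete() with no lock at all. */
static const step_t UNMAP_VULN[] = { COMPLETE, END };
/* The same path with complete() bracketed by the surface lock. */
static const step_t UNMAP_FIXED[] = { LOCK, COMPLETE, UNLOCK, END };

/* Execute one step for path `who`. Returns false if the step is blocked on the lock.
 * Sets *bad when complete() tears down a mapping that prepare() is still building,
 * which is the situation that corrupts kernel memory in the real driver. */
static bool do_step(state_t *s, int who, step_t st, bool *bad) {
    switch (st) {
    case LOCK:
        if (s->lock_holder != 0) return false;   /* someone else holds the surface lock */
        s->lock_holder = who;
        return true;
    case UNLOCK:
        s->lock_holder = 0;
        return true;
    case PREPARE_BEGIN:
        s->in_prepare = true;
        return true;
    case PREPARE_END:
        s->in_prepare = false;
        s->prepared = true;
        return true;
    case COMPLETE:
        if (s->in_prepare) *bad = true;
        s->prepared = false;
        return true;
    default:
        return false;
    }
}

/* Depth-first search over every interleaving of path a (map) and path b (unmap). */
static void explore(state_t s, const step_t *a, int ia, const step_t *b, int ib,
                    bool bad, long *bad_count, long *total) {
    if (a[ia] == END && b[ib] == END) {
        (*total)++;
        if (bad) (*bad_count)++;
        return;
    }
    if (a[ia] != END) {
        state_t n = s; bool nb = bad;
        if (do_step(&n, 1, a[ia], &nb)) explore(n, a, ia + 1, b, ib, nb, bad_count, total);
    }
    if (b[ib] != END) {
        state_t n = s; bool nb = bad;
        if (do_step(&n, 2, b[ib], &nb)) explore(n, a, ia, b, ib + 1, nb, bad_count, total);
    }
}

/* Returns how many interleavings let complete() interrupt prepare(); *total receives
 * the number of interleavings the lock discipline allows at all. */
long count_bad_interleavings(bool lock_on_unmap, long *total) {
    state_t init = { 0, false, false };
    long bad = 0, all = 0;
    explore(init, MAP_PATH, 0, lock_on_unmap ? UNMAP_FIXED : UNMAP_VULN, 0, false, &bad, &all);
    if (total) *total = all;
    return bad;
}

int main(void) {
    long total;
    long bad = count_bad_interleavings(false, &total);
    printf("unlocked complete(): %ld of %ld interleavings corrupt the mapping\n", bad, total);
    bad = count_bad_interleavings(true, &total);
    printf("locked complete():   %ld of %ld interleavings corrupt the mapping\n", bad, total);
    return 0;
}
```

With the lock missing on the unmap side, the model finds the one schedule in which complete() lands between the start and end of prepare(); once complete() also takes the surface lock, the two paths serialize and that schedule no longer exists, which is the whole content of the fix. The same exhaustive enumeration is a cheap way to review any other pair of paths that share a surface lock.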

To reproduce this issue:

1) Compile the attached file with:

clang -o myservice service.m -framework Foundation -framework IOKit -framework IOSurface

2) Run:


3) If the bug doesn't trigger, run it a second time.



A crash log is attached.

I am only able to reproduce this bug by running a local program, though I've occasionally seen it occur when playing multiple media files at the same time for test purposes. I have not been able to reproduce it in any remote context.
