AppleAVD: Memory Corruption in AppleAVDUserClient::decodeFrameFig

In the function AppleAVDUserClient::decodeFrameFig, a location in the decoder's IOSurface input buffer is calculated, and then bzero is called on it. The size of this IOSurface's allocation is controllable by the userspace caller, so the calculated pointer can go out of bounds, leading to memory corruption. This issue could potentially allow an unprivileged local application to escalate its privileges to the kernel.

To reproduce this issue:

1. Compile the attached file with:

clang -o bzero bzero.m -framework Foundation -framework IOKit -framework IOSurface

2. Put crashbuf in the same directory as the executable

3. Run:

./bzero ./crashbuf

Credits

[email protected]

Note that this PoC will sometimes crash due to a check error instead of a translation fault, and sometimes not crash, depending on the layout of other memory mappings. If either happens, try running it again.