AppleAVD deallocateKernelMemoryInternal Missing Surface Lock

Posted by deepcore on November 19, 2022 – 2:21 pm

In AppleAVD.kext, pixel buffers are mapped by calling AppleAVDUserClient::_mapPixelBuffer, which eventually calls AppleAVD::allocateKernelMemoryInternal. If the buffer is an IOSurface, the function calls IOSurface::deviceLockSurface before allocating memory by calling prepare. But when a pixel buffer is unmapped by calling AppleAVDUserClient::_unmapPixelBuffer, which calls AppleAVD::deallocateKernelMemoryInternal, the IOSurface is not locked before calling complete. This means that mapping and unmapping can occur at the same time, leading to kernel memory corruption. This bug could allow escalation to kernel privileges from a local app.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« AppleAVD AppleAVDUserClient::decodeFrameFig Memory Corruption ChurchInfo 1.2.13-1.3.0 Remote Code Execution »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

AppleAVD deallocateKernelMemoryInternal Missing Surface Lock

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL