Skip to content
This repository has been archived by the owner on Oct 3, 2023. It is now read-only.

Latest commit

 

History

History
5 lines (3 loc) · 802 Bytes

CVE-2021-30740.md

File metadata and controls

5 lines (3 loc) · 802 Bytes

CVE-2021-30740

This is the DriverKit vulnerability exploited by Fugu14. The DriverKit method CreateMemoryDescriptorFromClient, defined on IOUserClient, does not check if the user client has been initialized. If it hasn't been initialized, me->fTask will be NULL and IOMemoryDescriptor::withAddressRanges will be called with a NULL task. Passing a NULL task to IOMemoryDescriptor::withAddressRanges is interpreted as "treat the passed-in address as physical address" and because the DriverKit driver can specify arbitrary addresses, this allows creating an IOMemoryDescriptor for every physical address.

For more details, see https://github.com/LinusHenze/Fugu14/blob/master/Writeup.pdf