This is the DriverKit vulnerability exploited by Fugu14. The DriverKit method CreateMemoryDescriptorFromClient
, defined on IOUserClient, does not check if the user client has been initialized. If it hasn't been initialized, me->fTask will be NULL and IOMemoryDescriptor::withAddressRanges
will be called with a NULL task. Passing a NULL task to IOMemoryDescriptor::withAddressRanges
is interpreted as "treat the passed-in address as physical address" and because the DriverKit driver can specify arbitrary addresses, this allows creating an IOMemoryDescriptor
for every physical address.
For more details, see https://github.com/LinusHenze/Fugu14/blob/master/Writeup.pdf