AppleAVD deallocateKernelMemoryInternal Missing Surface Lock
In AppleAVD.kext, pixel buffers are mapped by calling AppleAVDUserClient::_mapPixelBuffer, which eventually calls AppleAVD::allocateKernelMemoryInternal. If the buffer is an IOSurface, the function calls IOSurface::deviceLockSurface before allocating memory by calling prepare. But when a pixel buffer is unmapped by calling AppleAVDUserClient::_unmapPixelBuffer, which calls AppleAVD::deallocateKernelMemoryInternal, the IOSurface is not locked before calling complete. This means that mapping and unmapping of the same surface can occur at the same time, leading to kernel memory corruption. This bug could allow escalation to kernel privileges from a local app.
https://packetstormsecurity.com/files/169929/GS20221118141708.tgz
Fri, 18 Nov 2022 14:17:10 GMT
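The defect described above is a lock taken on one side of a prepare/complete pair but not the other. The following C model is an added example, not AppleAVD or IOSurface code: it assumes a surface object with a device lock and an outstanding-prepare count (all names are constructed), and shows how a lock-ownership assertion inside the prepare/complete primitives, in the spirit of the kernel's own lock assertions, catches the unlocked unmap path before it is exercised concurrently. The broken and corrected unmap paths sit side by side.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a surface with a device lock and a
 * prepare/complete count. This is not IOSurface; the field names
 * are assumptions for illustration only. */
struct model_surface {
    bool locked;          /* device lock currently held */
    int  prepared;        /* outstanding prepare() calls */
    int  lock_violations; /* mutations that ran without the lock */
};

static void surface_init(struct model_surface *s) {
    memset(s, 0, sizeof *s);
}

static void surface_lock(struct model_surface *s)   { s->locked = true;  }
static void surface_unlock(struct model_surface *s) { s->locked = false; }

/* Lock-ownership check in the style of a kernel lock assertion.
 * It records a violation instead of panicking so the example can
 * report what it found. */
static bool surface_assert_locked(struct model_surface *s) {
    if (!s->locked) {
        s->lock_violations++;
        return false;
    }
    return true;
}

/* The prepare/complete pair mutates shared state, so both require
 * the device lock to be held by the caller. */
static void surface_prepare(struct model_surface *s) {
    surface_assert_locked(s);
    s->prepared++;
}

static void surface_complete(struct model_surface *s) {
    surface_assert_locked(s);
    if (s->prepared > 0)
        s->prepared--;
}

/* Map path: takes the device lock around prepare(), as the
 * advisory says the allocate path does. */
static void map_pixel_buffer(struct model_surface *s) {
    surface_lock(s);
    surface_prepare(s);
    surface_unlock(s);
}

/* Unmap path as the advisory describes it: complete() runs
 * without the device lock, so it can race a concurrent map. */
static void unmap_pixel_buffer_unlocked(struct model_surface *s) {
    surface_complete(s);
}

/* Corrected unmap path: lock around complete(), mirroring the
 * map path so the two can no longer interleave. */
static void unmap_pixel_buffer_locked(struct model_surface *s) {
    surface_lock(s);
    surface_complete(s);
    surface_unlock(s);
}

/* Run one map/unmap round trip with the given unmap routine and
 * return how many lock violations the assertion recorded. */
int violations_for(void (*unmap)(struct model_surface *)) {
    struct model_surface s;
    surface_init(&s);
    map_pixel_buffer(&s);
    unmap(&s);
    return s.lock_violations;
}

int main(void) {
    printf("unlocked unmap: %d lock violation(s)\n",
           violations_for(unmap_pixel_buffer_unlocked));
    printf("locked unmap:   %d lock violation(s)\n",
           violations_for(unmap_pixel_buffer_locked));
    return 0;
}
```

The point of placing the check inside surface_prepare and surface_complete rather than at each call site is that a new caller which forgets the lock, as the deallocate path did here, is flagged the first time it runs in testing rather than only when two threads happen to collide.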
________________________________
--- The information is for informational purposes only.
* Origin: Read us with http://winpoint.org JID: rs@captflint.com