[CVE-2016-4633] Another OS X Bug in Apple Graphics
If you follow our recent work, you may have seen that we gave several talks about Apple Graphics, at CanSecWest 16 and RECON 16, and we will also be speaking at Black Hat USA 2016.
The Apple Graphics stack was also used by our team at Pwn2Own 2016 to compromise OS X twice, escaping the sandbox in two different pwns through two different bugs, both in Graphics. More details will be given at BH US 16.
This blog post covers another disclosed bug that originated from that auditing/fuzzing effort.
This bug affects all recent OS X machines with a Broadwell CPU. To examine it, reverse the AppleIntelBDWGraphics kext on 10.11.5 or older.
This bug, like all our other Graphics-related bugs, is reachable from the Safari and Chrome sandboxes.
Sorry if the PoC is just pseudocode, but I lost the PoC file and I'm too lazy to panic my machine now to test. So I'm going by memory for this basic writeup; I hope it will do just fine.
What’s going on
So what’s going on here?
This is from IGAccelCLContext::contextStop(), which is called when we do IOServiceClose().
You may not notice the subtle problem here (in fact, this issue was triggered while coding another PoC, not by code auditing!).
Basically, the developers of this driver never accounted for this method being called while one or more user memory mappings (created by us with the map_user_memory IOKit call) are still present. They only ever tested with balanced map_user_memory/unmap_user_memory calls, so the mapping list was always empty by the time contextStop() ran. If we enter this while loop with one or more mappings still attached to the UserClient, its get/remove/next sequence corrupts memory. In other words, the trigger is simply a map_user_memory call that is never paired with an unmap_user_memory before the user client is closed.
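The following is an added model of this bug class (walking a collection while removing from it, on the assumption that the collection is already empty), written for this writeup; it is not the AppleIntelBDWGraphics code, and the container layout, the loop shape, and every name in it are assumptions. Object release is simulated with a flag so the stale use is observable without a crash, and the mappings are constructed sample values. The vulnerable teardown is shown beside a corrected one.

```c
/* Model of the teardown bug class described above (iterating a collection
 * while removing from it). Names, layout and loop shape are assumptions for
 * illustration, NOT the AppleIntelBDWGraphics code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_MAPPINGS 8

/* One user memory mapping held by the user client (map_user_memory). */
typedef struct {
    unsigned long user_addr;
    size_t length;
    bool released;   /* stands in for free(): lets the demo observe a stale use without crashing */
} mapping_t;

/* Array-backed collection; removal shifts the live tail down. */
typedef struct {
    mapping_t *slots[MAX_MAPPINGS];
    size_t count;
} mapping_list_t;

static bool list_add(mapping_list_t *l, mapping_t *m) {
    if (l->count >= MAX_MAPPINGS) return false;
    l->slots[l->count++] = m;
    return true;
}

/* "get": unchecked, written assuming the caller stays below count. */
static mapping_t *list_get(const mapping_list_t *l, size_t i) {
    return l->slots[i];
}

/* "remove": release slot i and shift the remainder down. Like a memmove,
 * it leaves the vacated tail slot holding its old (now dangling) pointer. */
static void list_remove(mapping_list_t *l, size_t i) {
    if (i >= l->count) return;
    l->slots[i]->released = true;
    for (size_t j = i; j + 1 < l->count; j++) l->slots[j] = l->slots[j + 1];
    l->count--;
}

/* Vulnerable contextStop: count is sampled once, and "next" advances the index
 * after each removal. Harmless when count == 0 (the balanced map/unmap case);
 * with leftover mappings the walk skips entries and lands on released ones.
 * Returns how many released objects it touched. */
static int context_stop_vulnerable(mapping_list_t *l) {
    int touched = 0;
    size_t n = l->count;
    for (size_t i = 0; i < n; i++) {
        mapping_t *m = list_get(l, i);   /* get    */
        if (m->released) touched++;      /* stale use: memory corruption in a real driver */
        list_remove(l, i);               /* remove */
    }                                    /* next   */
    return touched;
}

/* Fixed contextStop: re-read count after every removal and always take the
 * first live entry, so leftovers are released exactly once. */
static int context_stop_fixed(mapping_list_t *l) {
    int touched = 0;
    while (l->count > 0) {
        mapping_t *m = list_get(l, 0);
        if (m->released) touched++;
        list_remove(l, 0);
    }
    return touched;
}

/* Simulate a client that mapped n regions and closed without unmapping.
 * Returns the number of released objects the teardown touched; *leaked gets
 * the number of mappings never released. Addresses are constructed values. */
static int run_teardown(size_t n, bool fixed, int *leaked) {
    mapping_t ms[MAX_MAPPINGS];
    mapping_list_t l;
    memset(&l, 0, sizeof l);
    for (size_t i = 0; i < n && i < MAX_MAPPINGS; i++) {
        ms[i].user_addr = 0x100000UL + i * 0x1000;  /* constructed sample addresses */
        ms[i].length = 0x1000;
        ms[i].released = false;
        list_add(&l, &ms[i]);
    }
    int touched = fixed ? context_stop_fixed(&l) : context_stop_vulnerable(&l);
    int live = 0;
    for (size_t i = 0; i < n && i < MAX_MAPPINGS; i++) if (!ms[i].released) live++;
    if (leaked) *leaked = live;
    return touched;
}

int main(void) {
    int leaked;
    int touched = run_teardown(3, false, &leaked);
    printf("vulnerable: touched %d released mapping(s), leaked %d\n", touched, leaked);
    touched = run_teardown(3, true, &leaked);
    printf("fixed:      touched %d released mapping(s), leaked %d\n", touched, leaked);
    return 0;
}
```

With three leftover mappings the vulnerable walk releases the first, skips the second (it shifted into the slot the index has already passed), and then reads a released object from the stale tail slot; with zero leftovers, the only case a balanced map/unmap test ever exercises, it does nothing at all, which is why the bug hid. How many leftovers it takes to reach a stale slot depends on the container's exact shape, so the model's threshold is not a claim about the real driver; the point it demonstrates is that a cleanup loop must not assume the collection is empty and must re-validate after each removal.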