| Vulnerability in XNU | |
|---|---|
| Software | iOS and macOS |
| Vulnerable in | ? - iOS 16.7.10, ? - macOS 13.7.10 |
| Fixed in | iOS 17.0, macOS 14.0 |
| Disclosed | 1 May 2023 |
| Discovered by | Félix Poulin-Bélanger |
| CVE | CVE-2023-41974 |
| Apple KB | HT120949 |
CVE-2023-41974, also known as landa, is a Physical Use After Free (PUAF) vulnerability used in kfd. Landa is very similar to MacDirtyCow, a race condition that allowed writing to read-only mappings. Specifically, vm_map_copy_overwrite_nested() would check that the VMEs in the destination range are overwritable, but vm_map_copy_overwrite_unaligned() could drop the map lock and did not repeat that check after taking it back. Landa works the same way, but for VMEs that are "in transition" instead of read-only ones.

The bug is only reachable from the App Sandbox, not the WebContent sandbox. It received a $70,000 Apple Security Bounty reward after being reported. The exploit is available to use in Dopamine.
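The pattern behind both MacDirtyCow and landa is a validate-then-act sequence split by a lock drop: the destination entries are checked once, the map lock is released, and the write proceeds after reacquiring it without re-validating. The following is an added example, not XNU code and not part of kfd or this page: a constructed toy "map" with an in-transition flag, a racy overwrite routine that reproduces the missing re-check, and a hardened variant that re-validates after taking the lock back. The entry flags, the `during_unlock` callback that stands in for concurrent work, and the `demo_race` driver are all assumptions of this model.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not XNU: each entry carries flags that make it
 * ineligible as an overwrite destination. */
enum { ENTRY_READONLY = 1 << 0, ENTRY_IN_TRANSITION = 1 << 1 };

struct entry { int flags; int data; };

struct map {
    int locked;               /* stands in for the map lock; 1 = held */
    struct entry entries[4];
    size_t count;
};

static void map_lock(struct map *m)   { assert(!m->locked); m->locked = 1; }
static void map_unlock(struct map *m) { assert(m->locked);  m->locked = 0; }

/* Callback standing in for another thread that runs while the lock is dropped. */
typedef void (*unlocked_hook)(struct map *m);

/* Caller holds the lock: may every entry in [start, start + n) be overwritten? */
static bool entries_overwritable(const struct map *m, size_t start, size_t n) {
    if (start + n > m->count) return false;
    for (size_t i = start; i < start + n; i++)
        if (m->entries[i].flags & (ENTRY_READONLY | ENTRY_IN_TRANSITION))
            return false;
    return true;
}

/* Validate, drop the lock, let other work run, re-take the lock, write.
 * recheck == false is the vulnerable shape described on the page.
 * Returns entries written, or -1 if validation refused the write. */
static int overwrite_range(struct map *m, size_t start, size_t n, int value,
                           unlocked_hook during_unlock, bool recheck) {
    map_lock(m);
    if (!entries_overwritable(m, start, n)) { map_unlock(m); return -1; }
    map_unlock(m);                        /* e.g. waiting for a page to arrive */
    if (during_unlock) during_unlock(m);  /* map state may change here */
    map_lock(m);
    if (recheck && !entries_overwritable(m, start, n)) { map_unlock(m); return -1; }
    int written = 0;
    for (size_t i = start; i < start + n; i++) { m->entries[i].data = value; written++; }
    map_unlock(m);
    return written;
}

/* Vulnerable: trusts the check made before the lock was dropped. */
static int overwrite_racy(struct map *m, size_t s, size_t n, int v, unlocked_hook h) {
    return overwrite_range(m, s, n, v, h, false);
}

/* Hardened: re-validates the destination after reacquiring the lock. */
static int overwrite_checked(struct map *m, size_t s, size_t n, int v, unlocked_hook h) {
    return overwrite_range(m, s, n, v, h, true);
}

/* Concurrent work: while the lock is dropped, entry 1 becomes "in transition". */
static void mark_entry1_in_transition(struct map *m) {
    map_lock(m);
    m->entries[1].flags |= ENTRY_IN_TRANSITION;
    map_unlock(m);
}

/* Driver: overwrite entries 0..1 on a fresh map while entry 1 changes state
 * mid-operation. Returns the routine's result and reports entry 1's data. */
int demo_race(bool hardened, int *entry1_data) {
    struct map m = { .locked = 0, .count = 4 };   /* entries zero-initialised */
    int rc = hardened
        ? overwrite_checked(&m, 0, 2, 0x41, mark_entry1_in_transition)
        : overwrite_racy(&m, 0, 2, 0x41, mark_entry1_in_transition);
    *entry1_data = m.entries[1].data;
    return rc;
}

int main(void) {
    int d;
    int rc = demo_race(false, &d);
    printf("racy:    rc=%d entry1.data=0x%x (in-transition entry was written)\n", rc, d);
    rc = demo_race(true, &d);
    printf("checked: rc=%d entry1.data=0x%x (write refused)\n", rc, d);
    return 0;
}
```

The racy variant writes into the entry that changed state during the lock drop; the checked variant refuses the whole operation once the re-validation fails. The general mitigation is the same as the one the fix requires here: any invariant established under a lock must be re-established after the lock is dropped and retaken, or the operation must not drop the lock at all.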