| Vulnerability in XNU | |
|---|---|
| Software | iOS |
| Vulnerable in | 15.0 - 15.4.1 |
| Fixed in | 15.5 |
| Disclosed | 16 May 2022 |
| Discovered by | Linus Henze |
| CVE | CVE-2022-26763 |
| Apple KB | HT213258 |
CVE-2022-26763, also known as oobPCI, is an out-of-bounds read/write vulnerability in DriverKit, specifically in the IOPCIDevice class, that allows an attacker to read from and write to kernel memory.

Taking a look at one of the vulnerable functions, it is easy to see how the bug works. IOPCIDevice::deviceMemoryWrite64 takes three parameters: a memory index, an offset, and the data to be written. The index selects one of the device's memory mappings, whose base address is used for the write. The offset is then added to that base and the data is written.

The vulnerability is that the offset is never validated against the size of the selected mapping, so an attacker can specify an offset large enough that the resulting address lies outside the PCI device memory region and in regular kernel memory. Kernel memory can thus be read and written this way.
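The following is an added illustration, not Apple's IOPCIDevice code, of the check that is missing from the write path described above. The `pci_mapping_t` structure, the function names and the 64-byte region are assumptions made for the example; the point is that an offset must be validated against the length of the selected mapping, and that the validation must not itself overflow when the offset is very large.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of one PCI memory mapping: base pointer plus the
 * length of the mapped region. Added example, not DriverKit's own type. */
typedef struct {
    uint8_t *base;
    uint64_t length;
} pci_mapping_t;

/* True only if [offset, offset + width) lies inside a region of the given
 * length. Comparing against (length - width) instead of computing
 * (offset + width) means a huge offset cannot wrap around and pass. */
bool pci_access_in_bounds(uint64_t length, uint64_t offset, uint64_t width)
{
    if (width == 0 || width > length) return false;
    return offset <= length - width;
}

/* Hardened counterpart of the 64-bit write: both the mapping index and the
 * offset are validated before any memory is touched.
 * Returns 0 on success, -1 on an invalid index or out-of-range offset. */
int pci_device_memory_write64(const pci_mapping_t *maps, size_t nmaps,
                              size_t index, uint64_t offset, uint64_t value)
{
    if (index >= nmaps) return -1;
    const pci_mapping_t *m = &maps[index];
    if (!pci_access_in_bounds(m->length, offset, sizeof value)) return -1;
    memcpy(m->base + offset, &value, sizeof value); /* alignment-safe store */
    return 0;
}

/* Matching read with the same validation. */
int pci_device_memory_read64(const pci_mapping_t *maps, size_t nmaps,
                             size_t index, uint64_t offset, uint64_t *out)
{
    if (index >= nmaps) return -1;
    const pci_mapping_t *m = &maps[index];
    if (!pci_access_in_bounds(m->length, offset, sizeof *out)) return -1;
    memcpy(out, m->base + offset, sizeof *out);
    return 0;
}

/* Self-check over a constructed 64-byte region: an in-bounds write lands
 * and reads back, while offsets past the end, straddling the end, wrapping
 * past UINT64_MAX, or using a bad index are all rejected. Returns 0 if every
 * expectation holds, otherwise the number of the first failed step. */
int pci_bounds_selfcheck(void)
{
    uint8_t region[64];
    memset(region, 0, sizeof region);
    pci_mapping_t maps[1] = { { region, sizeof region } };
    const uint64_t v = 0x1122334455667788ULL;
    uint64_t back = 0;

    if (pci_device_memory_write64(maps, 1, 0, 56, v) != 0) return 1;
    if (pci_device_memory_read64(maps, 1, 0, 56, &back) != 0 || back != v) return 2;
    if (pci_device_memory_write64(maps, 1, 0, 64, v) == 0) return 3; /* one past end */
    if (pci_device_memory_write64(maps, 1, 0, 60, v) == 0) return 4; /* straddles end */
    if (pci_device_memory_write64(maps, 1, 0, UINT64_MAX - 7, v) == 0) return 5; /* wraps */
    if (pci_device_memory_write64(maps, 1, 1, 0, v) == 0) return 6; /* bad index */
    return 0;
}
```

The subtraction form of the check is the detail worth keeping: a test written as `offset + 8 <= length` accepts offsets near `UINT64_MAX` because the sum wraps to a small value, which would reintroduce exactly the kind of out-of-range access this page describes.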
This vulnerability is only exploitable if the binary has DriverKit entitlements, which are only provided to developer accounts with Apple's approval. Fugu15 and Dopamine use the CoreTrust Root Certificate Validation Vulnerability to obtain these entitlements.