Mobile Security & Enterprise Mobility Blog

CVE-2019-8545 : Vulnerability in IOHIDFamily.kext

Summary

A local user may be able to cause unexpected system termination or read kernel memory.

Details

In IOHIDEventServiceFastPathUserClient::getSharedMemorySize, the ClientObject member (at offset 0xE0 of the user client) is passed to a function that assumes it has already been initialised. That initialisation is only performed by external method 0, IOHIDEventServiceFastPathUserClient::_open, and getSharedMemorySize does not verify that it has happened.

Calling IOConnectMapMemory64 on the user client without first calling _open (or after calling _open in a way that does not initialise ClientObject) therefore reaches this code with an uninitialised ClientObject and results in a kernel panic.
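To make the ordering bug concrete, here is an added example (not Apple's IOHIDFamily source and not code from the original post) that models the user client in plain C: a ClientObject pointer that only external method 0 sets, a getSharedMemorySize with the vulnerable shape beside a hardened one that refuses to run before _open has succeeded, and the clientMemoryForType path that a user-space IOConnectMapMemory64 call reaches. The struct layout, the `options` argument to _open, the 4096-byte region size and the use of kIOReturnNotOpen as the rejection code are assumptions chosen for illustration; the IOReturn values themselves are the real IOKit constants.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the ordering bug described above. This is NOT
 * Apple's IOHIDFamily code; names and layout are assumptions. */

typedef uint32_t IOReturn;              /* real IOReturn is kern_return_t */
#define kIOReturnSuccess     0x00000000u
#define kIOReturnBadArgument 0xe00002c2u /* real IOKit error codes */
#define kIOReturnNotOpen     0xe00002cdu

/* Stand-in for the ClientObject that _open is expected to set up. */
typedef struct {
    uint32_t shared_memory_size;
} ClientObject;

/* Stand-in for IOHIDEventServiceFastPathUserClient. */
typedef struct {
    ClientObject *client_object;   /* "offset 0xE0": NULL until _open succeeds */
} FastPathUserClient;

/* External method 0 (_open). In this model a zero `options` makes the open
 * fail without touching client_object, which is the "_open was called but
 * ClientObject never got initialised" case from the advisory (assumption). */
IOReturn fastpath_open(FastPathUserClient *uc, ClientObject *obj, uint32_t options) {
    if (options == 0) return kIOReturnBadArgument;
    uc->client_object = obj;
    return kIOReturnSuccess;
}

/* Vulnerable shape: trusts client_object unconditionally. With a NULL
 * client_object this dereference is the kernel panic in the advisory
 * (in this user-space model it would be a SIGSEGV). */
IOReturn get_shared_memory_size_vulnerable(FastPathUserClient *uc, uint32_t *size) {
    *size = uc->client_object->shared_memory_size;
    return kIOReturnSuccess;
}

/* Hardened shape: reject the call until _open has initialised the object. */
IOReturn get_shared_memory_size_fixed(FastPathUserClient *uc, uint32_t *size) {
    if (uc->client_object == NULL) return kIOReturnNotOpen;
    *size = uc->client_object->shared_memory_size;
    return kIOReturnSuccess;
}

/* Model of the kernel side of IOConnectMapMemory64: clientMemoryForType asks
 * the user client how large the shared region is before mapping it. */
IOReturn client_memory_for_type(FastPathUserClient *uc, bool hardened, uint32_t *size) {
    return hardened ? get_shared_memory_size_fixed(uc, size)
                    : get_shared_memory_size_vulnerable(uc, size);
}

/* Advisory trigger 1: map memory without ever calling _open. */
IOReturn trigger_without_open(void) {
    FastPathUserClient uc = { .client_object = NULL };
    uint32_t size = 0;
    return client_memory_for_type(&uc, true, &size);
}

/* Advisory trigger 2: _open runs but does not initialise ClientObject. */
IOReturn trigger_after_failed_open(void) {
    FastPathUserClient uc = { .client_object = NULL };
    ClientObject obj = { .shared_memory_size = 4096 };
    uint32_t size = 0;
    (void)fastpath_open(&uc, &obj, 0);   /* fails, client_object stays NULL */
    return client_memory_for_type(&uc, true, &size);
}

/* The intended sequence: _open first, then map. Both shapes behave here. */
uint32_t map_after_good_open(bool hardened) {
    FastPathUserClient uc = { .client_object = NULL };
    ClientObject obj = { .shared_memory_size = 4096 };
    uint32_t size = 0;
    if (fastpath_open(&uc, &obj, 1) != kIOReturnSuccess) return 0;
    if (client_memory_for_type(&uc, hardened, &size) != kIOReturnSuccess) return 0;
    return size;
}

int main(void) {
    printf("no _open, hardened:     0x%08x\n", (unsigned)trigger_without_open());
    printf("failed _open, hardened: 0x%08x\n", (unsigned)trigger_after_failed_open());
    printf("good _open, vulnerable: %u bytes\n", map_after_good_open(false));
    printf("good _open, hardened:   %u bytes\n", map_after_good_open(true));
    /* Running the vulnerable shape on an unopened client is deliberately
     * not done here: it dereferences NULL, the model of the panic. */
    return 0;
}
```

The point the model makes is that every IOUserClient entry point reachable from user space (external methods, clientMemoryForType, clientClose, and so on) is an independent syscall and must validate the object's state itself; callers will not observe the order the driver author intended.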

Disclosure timeline

20/12/2018 – Bug discovered

2/1/2019 – Vendor notified

25/3/2019 – Patch released (fixed in iOS 12.2)

I would like to thank Apple for their quick and professional response and the rest of the Zimperium zLabs team for their ongoing research and assistance.