[Found a] heap underwrite vulnerability in XNU’s dlil.c (which handles network interfaces) caused by an (uint16_t) integer overflow in if.c. This can be triggered by a root user creating 65536 total network interfaces.
From what I can tell, it seems the vulnerable code was introduced in XNU 517.3.7, Mac OS X 10.3.2, released on December 17th, 2003, making it a 19-year-old bug!
Ultimately I gave up, sent what I had to Apple, and moved on to the next bug (but I did learn a lot in the process).
That’s the unmistakable voice of a pure academic.
XNU is used in Apple’s laptops, phones, tablets, watches, TV… and the company quickly rolled the trivial fix into a January 23rd release of iOS 16.3 and iPadOS 16.3 including a rather important impact detail.
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
Execute arbitrary code with kernel privileges.