A Bug Hunter's Diary by Tobias Klein

7.3 Vulnerability Remediation

Note

Wednesday, November 14, 2007

After I informed Apple about the bug, Apple fixed it by adding an extra check for the user-supplied IOCTL data.

Source code file

xnu-792.24.17/bsd/kern/tty.c[79]

[..]
1081       case TIOCSETD: {        /* set line discipline */
1082           register int t = *(int *)data;
1083           dev_t device = tp->t_dev;
1084
1085           if (t >= nlinesw || t < 0)
1086               return (ENXIO);
1087           if (t != tp->t_line) {
1088               s = spltty();
1089               (*linesw[tp->t_line].l_close)(tp, flag);
1090               error = (*linesw[t].l_open)(device, tp);
1091               if (error) {
1092                   (void)(*linesw[tp->t_line].l_open)(device, tp);
1093                   splx(s);
1094                   return (error);
1095               }
1096               tp->t_line = t;
1097               splx(s);
1098           }
1099           break;
1100       }
[..]

Line 1085 now checks whether the value ...
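As an added illustration that is not part of the book, the C code below contrasts a stand-in for the pre-fix bounds check with the fixed check from line 1085 above. It assumes the original test compared `t` only against `nlinesw` (upper bound), so a negative line-discipline index indexed `linesw[]` before its start; the table size and function names are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's line-discipline table size (nlinesw). */
#define NLINESW 4

/* Assumed pre-fix check: only the upper bound is tested, so any negative
 * t (a signed int copied straight from the user-supplied IOCTL data) passes
 * and would be used as an index into linesw[]. */
int ldisc_check_original(int t, int nlinesw) {
    if (t >= nlinesw)
        return ENXIO;
    return 0;
}

/* Fixed check as on line 1085: reject both t >= nlinesw and t < 0. */
int ldisc_check_fixed(int t, int nlinesw) {
    if (t >= nlinesw || t < 0)
        return ENXIO;
    return 0;
}

/* Equivalent single-comparison form often used for table indices: casting a
 * negative int to unsigned yields a huge value that fails the upper bound. */
int ldisc_check_unsigned(int t, int nlinesw) {
    if ((unsigned int)t >= (unsigned int)nlinesw)
        return ENXIO;
    return 0;
}

int main(void) {
    /* Constructed probe values: valid edges, one past the end, and negatives. */
    const int probes[] = {0, NLINESW - 1, NLINESW, -1, INT_MIN};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("t=%11d  original:%s  fixed:%s\n", probes[i],
               ldisc_check_original(probes[i], NLINESW) ? "ENXIO" : "ok   ",
               ldisc_check_fixed(probes[i], NLINESW) ? "ENXIO" : "ok   ");
    }
    return 0;
}
```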
