7.3 Vulnerability Remediation

Note

Wednesday, November 14, 2007

After I informed Apple about the bug, Apple fixed it by adding an extra check for the user-supplied IOCTL data.

Source code file

xnu-792.24.17/bsd/kern/tty.c[79]

[..]
1081       case TIOCSETD: {        /* set line discipline */
1082           register int t = *(int *)data;
1083           dev_t device = tp->t_dev;
1084
1085           if (t >= nlinesw || t < 0)
1086               return (ENXIO);
1087           if (t != tp->t_line) {
1088               s = spltty();
1089               (*linesw[tp->t_line].l_close)(tp, flag);
1090               error = (*linesw[t].l_open)(device, tp);
1091               if (error) {
1092                   (void)(*linesw[tp->t_line].l_open)(device, tp);
1093                   splx(s);
1094                   return (error);
1095               }
1096               tp->t_line = t;
1097               splx(s);
1098           }
1099           break;
1100       }
[..]

Line 1085 now checks whether the value ...
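To make the effect of the added check concrete, here is a small stand-alone C program (an added example, not code from the book or from XNU) that models the `linesw`/`nlinesw` lookup with a constructed three-entry table. It compares three validators: an upper-bound-only test, which is assumed here to be the pre-fix logic since the page only says an extra check was added; the two-sided test exactly as it appears in the patched `TIOCSETD` handler on line 1085; and the equivalent single unsigned comparison that kernel code often uses for the same purpose.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's line-discipline switch table;
   the real linesw[] holds function-pointer structs, not names. */
struct linesw_stub { const char *name; };
static const struct linesw_stub linesw[] = { {"tty"}, {"slip"}, {"ppp"} };
static const int nlinesw = (int)(sizeof linesw / sizeof linesw[0]);

/* Upper-bound-only test: assumed to be the pre-fix logic. A negative t
   passes, because the signed comparison never rejects values below 0. */
bool index_ok_upper_only(int t) { return !(t >= nlinesw); }

/* Two-sided test, identical to the patched handler's line 1085. */
bool index_ok_patched(int t) { return !(t >= nlinesw || t < 0); }

/* Same predicate as one unsigned comparison: any negative int becomes a
   huge unsigned value and therefore fails the < nlinesw test. */
bool index_ok_unsigned(int t) { return (unsigned)t < (unsigned)nlinesw; }

/* Safe lookup: returns NULL rather than indexing with a rejected t. */
const struct linesw_stub *lookup_linesw(int t) {
    if (!index_ok_patched(t))
        return NULL;
    return &linesw[t];
}

int main(void) {
    /* Probe the boundaries a validator must get right. */
    const int probes[] = { -2147483647 - 1, -1, 0, nlinesw - 1, nlinesw, 2147483647 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int t = probes[i];
        printf("t=%11d  upper-only=%d  patched=%d  unsigned=%d\n",
               t, index_ok_upper_only(t), index_ok_patched(t), index_ok_unsigned(t));
    }
    return 0;
}
```

Running it shows the one-sided test accepting every negative index while the patched and unsigned forms agree on exactly the range 0 to nlinesw-1.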
