XNU_icmp_error_CVE-2018-4407

Apple XNU icmp_error CVE-2018-4407

Use this snapshot for the demo.

There are two parts to this demo. The first part is 00_mbuf_copydata_tainted_size.ql, which is the dataflow query that found the bug. It is explained in detail in this blog post. The problem with this query is that it does not find the true source of the untrusted data. This is because it assumes that any call to the function named m_mtod can return untrusted data. But not every mbuf contains untrusted data. So the second part of the demo, corresponding to this blog post, is to use dataflow analysis to find a path that gets an untrusted mbuf into icmp_error. The second part of the demo is developed in steps, starting with 01_paths_to_icmp_error.ql.
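To make the first part concrete, here is an added illustrative CodeQL taint-tracking query in the shape the text describes: it is not the repository's own 00_mbuf_copydata_tainted_size.ql and is not taken from the blog post. It assumes the older Configuration-class API of the CodeQL C/C++ libraries (`semmle.code.cpp.dataflow.TaintTracking`, replaced by module-based configurations in newer releases), that the sink is the length argument of `m_copydata(m, off, len, cp)` (argument index 2, which is the function's signature in the BSD mbuf code but is stated here as an assumption about the snapshot), and that the two extra taint steps are needed because the default library does not propagate taint from a pointer to reads through it. The over-broad source (every `m_mtod` result is untrusted) is exactly the weakness the README points out, and the comment in the query marks it.

```ql
/**
 * @name m_copydata called with a size derived from mbuf data (illustrative)
 * @kind path-problem
 * @problem.severity warning
 * @id example/mbuf-copydata-tainted-size
 */
import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph

class MbufTaintConfig extends TaintTracking::Configuration {
  MbufTaintConfig() { this = "MbufTaintConfig" }

  // Source: any call to m_mtod. This is the blanket assumption the README
  // criticises: not every mbuf carries untrusted data, so this over-approximates
  // and can only say that a tainted size is *possible*, not that it is reachable
  // from the network.
  override predicate isSource(DataFlow::Node source) {
    source.asExpr().(FunctionCall).getTarget().hasName("m_mtod")
  }

  // Sink: the length argument of m_copydata(m, off, len, cp) (index 2, assumed).
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall call |
      call.getTarget().hasName("m_copydata") and
      sink.asExpr() = call.getArgument(2)
    )
  }

  // A tainted pointer taints whatever is read through it (field reads and *p).
  // Assumed necessary: the stock taint steps do not make this propagation.
  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(FieldAccess fa |
      pred.asExpr() = fa.getQualifier() and succ.asExpr() = fa
    )
    or
    exists(PointerDereferenceExpr deref |
      pred.asExpr() = deref.getOperand() and succ.asExpr() = deref
    )
  }
}

from MbufTaintConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Size passed to m_copydata is derived from mbuf data returned by $@.",
  source.getNode(), "m_mtod"
```

Because the query is a path-problem, each result shows the chain of steps from the m_mtod call to the m_copydata length argument, which is what makes it reviewable: a result whose source is an mbuf built by the kernel itself is a false positive, and that is the gap the second part of the demo (01_paths_to_icmp_error.ql onward) closes by tracking which mbufs can actually reach icmp_error from network input.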