Wednesday, November 14, 2007
After I reported the bug to Apple, they fixed it by adding an extra bounds check on the user-supplied ioctl argument (the line-discipline number passed with TIOCSETD) before it is used.
xnu-792.24.17/bsd/kern/tty.c[79]
[..]
1081 case TIOCSETD: { /* set line discipline */
1082 register int t = *(int *)data;
1083 dev_t device = tp->t_dev;
1084
1085 if (t >= nlinesw || t < 0)
1086 return (ENXIO);
1087 if (t != tp->t_line) {
1088 s = spltty();
1089 (*linesw[tp->t_line].l_close)(tp, flag);
1090 error = (*linesw[t].l_open)(device, tp);
1091 if (error) {
1092 (void)(*linesw[tp->t_line].l_open)(device, tp);
1093 splx(s);
1094 return (error);
1095 }
1096 tp->t_line = t;
1097 splx(s);
1098 }
1099 break;
1100 }
[..]
Line 1085 now also rejects a negative value of `t` — the line-discipline number read directly from the user-supplied ioctl argument on line 1082 — returning ENXIO before `t` is used as an index into the `linesw[]` table on line 1090. Checking only the upper bound (`t >= nlinesw`) does not prevent a negative index, so without the added lower-bound check a crafted TIOCSETD request could make the kernel read a function pointer from memory before the start of `linesw[]` and call through it. This small change — a single added comparison — was enough to close the vulnerability.