Insufficient Locking in XNU leading to Use-After-Free
Original Post:
We discussed this vulnerability during Episode 110 on 11 January 2022
This is one of those issues that is an obvious code smell once you are aware of it: inp_join_group releases a lock so that it can call another function that itself requires the same lock, and then takes the lock back after that function returns. That creates a window in which another thread can obtain the lock and free the object out from under it, so the pointer inp_join_group continues to use after reacquiring the lock may already be dangling. The general fix for this shape of bug is either to hold your own reference on the object across the unlocked window, or to re-lookup and re-validate it after reacquiring the lock instead of trusting the pointer you had before.
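As an added illustration of that pattern (not XNU code and not from the episode), the following is a single-threaded model of the drop-call-reacquire shape beside a hardened version. The lock, the `membership` struct, the `slot` variable and the `join_group_vuln` / `join_group_fixed` / `leave_group` functions are hypothetical stand-ins; the `race` flag deterministically models the interleaving in which another thread's leave wins the window, which in a real kernel is up to the scheduler. The object is poisoned rather than actually freed so that a use after release is observable instead of undefined behaviour.

```c
/* Added example: a minimal model of "drop the lock, call a helper that needs
 * it, take the lock back". All names are hypothetical; this is not XNU code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Single-thread model of a non-recursive kernel lock. Re-acquiring it while
 * held is the deadlock the original code avoided by dropping the lock. */
static bool inp_locked;
static void inp_lock(void)   { if (inp_locked) abort(); inp_locked = true; }
static void inp_unlock(void) { if (!inp_locked) abort(); inp_locked = false; }

/* Stand-in for a multicast membership hanging off a socket's PCB. */
struct membership {
    uint32_t group;
    int      refcnt;   /* one reference owned by the slot, more by users */
    bool     freed;    /* poison flag: set instead of free() so a use after
                          release is observable rather than undefined */
};

static struct membership *slot;   /* the PCB's membership; protected by inp_lock */

enum { JOIN_OK = 0, JOIN_GONE = 1, JOIN_UAF = 2 };

/* Caller holds inp_lock. */
static struct membership *slot_lookup_or_create(uint32_t group)
{
    if (slot && slot->group == group) return slot;
    struct membership *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->group = group;
    m->refcnt = 1;                /* the slot's reference */
    slot = m;                     /* leaks any previous entry; fine for a demo */
    return m;
}

/* Caller holds inp_lock. Drops one reference; "frees" (poisons) at zero. */
static void membership_release(struct membership *m)
{
    if (--m->refcnt == 0) m->freed = true;
}

/* The other side of the race: a leave on a different thread that takes the
 * lock, detaches the membership and drops the slot's reference. */
int leave_group(void)
{
    inp_lock();
    struct membership *m = slot;
    if (m) { slot = NULL; membership_release(m); }
    inp_unlock();
    return m != NULL;
}

/* A routine that takes inp_lock itself, so its caller cannot hold it. */
static void helper_that_takes_inp_lock(void) { inp_lock(); inp_unlock(); }

/* Vulnerable shape: unlock, call the helper, relock, keep using the old
 * pointer. `race` models the interleaving where leave_group() wins the window. */
int join_group_vuln(uint32_t group, bool race)
{
    inp_lock();
    struct membership *m = slot_lookup_or_create(group);
    inp_unlock();                         /* the window opens here */
    helper_that_takes_inp_lock();
    if (race) leave_group();              /* another thread frees m */
    inp_lock();                           /* window closes, but m is stale */
    int r = m->freed ? JOIN_UAF : JOIN_OK;
    inp_unlock();
    return r;
}

/* Hardened shape: take our own reference before dropping the lock, and
 * re-validate that the object is still attached after reacquiring it. */
int join_group_fixed(uint32_t group, bool race)
{
    inp_lock();
    struct membership *m = slot_lookup_or_create(group);
    m->refcnt++;                          /* keeps m alive across the window */
    inp_unlock();
    helper_that_takes_inp_lock();
    if (race) leave_group();              /* detaches m but cannot free it */
    inp_lock();
    int r = (slot != m) ? JOIN_GONE : (m->freed ? JOIN_UAF : JOIN_OK);
    membership_release(m);                /* drop our reference last */
    inp_unlock();
    return r;
}

int main(void)
{
    printf("vuln,  no race: %d\n", join_group_vuln(1, false));
    printf("vuln,  race:    %d (2 = used a freed object)\n", join_group_vuln(1, true));
    printf("fixed, no race: %d\n", join_group_fixed(1, false));
    printf("fixed, race:    %d (1 = detached, handled cleanly)\n", join_group_fixed(1, true));
    return 0;
}
```

The thing to look for when reviewing real code is the `unlock(); ...; lock();` sandwich around a call: whatever pointer the function cached before the unlock is only safe afterwards if the code either pinned it with its own reference or re-derives it under the reacquired lock, as the `slot != m` check does here.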