Use-after-free in the ipc_port subsystem of XNU, specifically the ipc_port_copy_send() function. This function would try to copy and send data on an IPC port, and attempts to account for a bunch of edge-cases on the state of the port. For example, if you pass a port that has a sentinel value instead of a pointer (like IP_NULL or IP_DEAD), it would return that same value and bail early. If a pointer is passed to a ‘dead’ port (IP_BITS_ACTIVE flag is cleared), it’ll also return IP_DEAD. Finally, if a valid live port is used, it’ll implicitly bump the reference count on the rights to that port and return a reference.

The problem is, some areas of code (such as ipc_right_copyin_two()) that call this function don’t check the return value, and thus it’s possible that a ‘dead’ port is passed and the reference count on the right is never increased. This is problematic because if the return value is never checked, the right is used and it’s possible some other routine can free it from underneath the caller.