XNU Heap Underwrite in dlil.c [CVE-2023-23504]

We discussed this vulnerability during Episode 186 on 07 February 2023

A 19-year-old bug in XNU's Data Link Interface Layer (DLIL) that leads to an out-of-bounds write on the heap. The root cause is that ifnet_attach() obtains the next interface index as a 32-bit integer and downcasts it to a uint16_t when saving it. If enough interfaces are created to push the index past 0xFFFF, the truncation wraps the saved interface index back to zero. This is problematic because ifnet_attach() uses the saved index to look up the corresponding ifnet_addrs and ifindex2ifnet entries, and ifnet_addrs is fetched as ifnet_addrs[ifp->if_index - 1]. With a wrapped index that lookup lands outside the array, and ifnet_attach() later performs writes through the out-of-bounds entry.
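The truncation-then-index pattern described above, as an added example written for this summary rather than code from XNU or from the original author. It models only the one field that matters (a struct with a uint16_t if_index, assumed here) and contrasts the vulnerable store with a version that range-checks the 32-bit index before narrowing it. Function and type names (vuln_addrs_slot, safe_attach, struct ifnet_model) are hypothetical; the slot computation mirrors the ifnet_addrs[ifp->if_index - 1] access quoted on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the interface struct: only the 16-bit index field
 * that the real bug truncates into. */
struct ifnet_model {
    uint16_t if_index;
};

/* Vulnerable pattern (modelled, not XNU code): the caller hands over a 32-bit
 * index, it is narrowed to uint16_t on store, and the stored value is then used
 * to compute the ifnet_addrs slot. Returns the slot that would be accessed
 * instead of touching any array, so the wrap can be observed safely. */
long vuln_addrs_slot(uint32_t next_index, struct ifnet_model *ifp)
{
    ifp->if_index = (uint16_t)next_index;   /* 0x10000 becomes 0 here */

    /* if_index is promoted to int before the subtraction, so a wrapped index
     * of 0 yields -1: the write lands before the start of the array
     * (the "underwrite" in the title), not past its end. */
    return (long)(ifp->if_index - 1);
}

/* Hardened pattern: validate the full-width index against both the width of
 * the destination field and the table it will index before storing it. */
bool safe_attach(uint32_t next_index, size_t table_len, struct ifnet_model *ifp)
{
    if (next_index == 0 || next_index > UINT16_MAX || next_index > table_len)
        return false;                        /* refuse rather than wrap */
    ifp->if_index = (uint16_t)next_index;    /* now provably lossless */
    return true;
}

/* Helper used by both paths: is a computed slot inside a table of table_len? */
bool slot_in_bounds(long slot, size_t table_len)
{
    return slot >= 0 && (size_t)slot < table_len;
}

int main(void)
{
    struct ifnet_model ifp;
    const size_t table_len = 70000;          /* constructed: larger than 0xFFFF */
    uint32_t samples[] = { 0xFFFF, 0x10000, 0x10001 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long slot = vuln_addrs_slot(samples[i], &ifp);
        printf("next_index=0x%05x stored=0x%04x slot=%ld in_bounds=%s safe_attach=%s\n",
               samples[i], ifp.if_index, slot,
               slot_in_bounds(slot, table_len) ? "yes" : "no",
               safe_attach(samples[i], table_len, &ifp) ? "ok" : "rejected");
    }
    return 0;
}
```

Running it shows the three regimes: index 0xFFFF stores and indexes correctly, 0x10000 stores as 0 and produces slot -1, and 0x10001 stores as 1 and silently aliases slot 0, while safe_attach rejects both wrapped values.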

Exploiting this requires root in order to create the interfaces. There are other challenges too: since the backing array grows fairly large, the target object to overwrite also has to be large and allocated in the same KMEM_RANGE. One promising candidate was the newofiles array in fdalloc(), used for file descriptor allocation, but all that could be hit were the file flags. You'd also need to open about 300k file descriptors, which again requires root to bypass the per-user file limit.

The author states this might be exploitable in some way but decided to stop before going any further.