XNU Heap Underwrite in dlil.c [CVE-2023-23504]
A 19-year-old bug in XNU's Data Link Interface Layer (DLIL) that leads to an out-of-bounds write on the heap. The root cause is that ifnet_attach() obtains the next interface index as a 32-bit integer and downcasts it to a uint16_t when storing it in ifp->if_index. If you can create enough interfaces to push the index past 0xFFFF, the truncation wraps the saved index back to zero. This matters because ifnet_attach() uses the saved index to locate the interface's ifnet_addrs and ifindex2ifnet entries, and ifnet_addrs is fetched as ifnet_addrs[ifp->if_index - 1]. With if_index truncated to 0, that expression evaluates to -1 (the uint16_t is promoted to int before the subtraction), so the writes ifnet_attach() performs later land one element before the start of the array rather than inside it: a heap underwrite.
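The truncation and the resulting negative slot, as an added example that is not taken from XNU or from the original write-up. It is a simplified model: `struct ifnet` keeps only the 16-bit if_index field, the allocator that hands back the 32-bit index is replaced by a function parameter, and the heap layout is modelled as one neighbouring pointer followed by a tiny ifnet_addrs table so that the underwrite can be observed with well-defined pointer arithmetic. The hardened variant only shows the shape of a bound check before the narrowing assignment; it is not the upstream patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the fields ifnet_attach() touches (not XNU's definition). */
struct ifnet {
    uint16_t if_index;   /* 1-based interface index, 16 bits wide as in XNU */
};

/* Vulnerable shape: the 32-bit index is stored into the uint16_t field without
 * a range check, then used as ifnet_addrs[ifp->if_index - 1].
 * Returns the table slot that ifnet_attach() would write to. */
long vulnerable_slot(int next_index, struct ifnet *ifp)
{
    ifp->if_index = next_index;           /* silent truncation to 16 bits */
    /* if_index is promoted to int here, so a wrapped index of 0 yields -1,
     * not 0xFFFF: the write lands just before the array. */
    return (long)ifp->if_index - 1;
}

/* Hardened shape: refuse any index that does not fit in uint16_t before the
 * narrowing assignment. Returns 0 on success and fills *slot; -1 on rejection. */
int hardened_slot(int next_index, struct ifnet *ifp, long *slot)
{
    if (next_index <= 0 || next_index > UINT16_MAX) {
        return -1;                        /* caller treats this as attach failure */
    }
    ifp->if_index = (uint16_t)next_index;
    *slot = (long)ifp->if_index - 1;
    return 0;
}

#define N_IFACES 4   /* toy table size; the real table is far larger */

/* Toy heap: one pointer-sized neighbour object immediately followed by the
 * ifnet_addrs table, standing in for whatever precedes the table in the
 * same KMEM_RANGE. Indexing from &storage[1] keeps slot -1 well-defined. */
struct heap_model {
    void *storage[1 + N_IFACES];
};

/* Performs the attach-time write for next_index in the model.
 * Returns 1 if the write clobbered the neighbour (underwrite), 0 if it stayed
 * inside the table, -1 if the slot falls outside the model entirely. */
int attach_and_check(int next_index, struct heap_model *h)
{
    static char marker;                   /* stands in for the ifaddr pointer */
    void **neighbour   = &h->storage[0];
    void **ifnet_addrs = &h->storage[1];  /* table begins after the neighbour */
    struct ifnet ifp;

    memset(h, 0, sizeof(*h));
    memset(&ifp, 0, sizeof(ifp));

    long slot = vulnerable_slot(next_index, &ifp);
    if (slot < -1 || slot >= N_IFACES) {
        return -1;                        /* outside the toy heap; do not touch */
    }
    ifnet_addrs[slot] = &marker;          /* the write ifnet_attach() performs */
    return *neighbour == &marker;
}

int main(void)
{
    struct heap_model h;
    int indices[] = { 1, 0x10000, 0x10001 };
    for (size_t i = 0; i < sizeof(indices) / sizeof(indices[0]); i++) {
        struct ifnet ifp = { 0 };
        long slot = vulnerable_slot(indices[i], &ifp);
        printf("next_index=0x%x -> if_index=%u slot=%ld underwrite=%d\n",
               indices[i], ifp.if_index, slot, attach_and_check(indices[i], &h));
    }
    return 0;
}
```

Index 0x10000 (the 65536th interface) truncates to 0 and the computed slot is -1, which is the neighbouring object; index 0x10001 truncates to 1 and silently aliases the first interface's slot instead of faulting, which is why the bug went unnoticed for so long.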
Exploiting this requires root in order to create that many interfaces. There are further obstacles: because the backing array grows fairly large, the target object to overwrite also has to be large and allocated in the same KMEM_RANGE. One promising candidate was the newofiles array that fdalloc() allocates for file descriptors, but all that could be reached that way was the file flags. Getting that array large enough would also mean opening roughly 300k file descriptors, which again requires root to bypass the per-user open-file limit.
The author states this might be exploitable in some way, but they decided to stop before going any further.