XNU: NFSSVC root check bypass; use after free due to insufficient locking in upcall worker threads
Original Post:
We discussed this vulnerability during Episode 198 on 21 March 2023
This was a fun authorization check bypass: when deciding whether higher privileges were needed, the flag value was checked for equality with the two privileged actions. Later, however, when deciding which handler should handle the request, a bitwise operation checked whether the specific bit was set. So a value with an unused bit set could also have a privileged action bit set without being exactly equal to the privileged action.
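The check mismatch described above, as an added illustration that is not XNU's code: the flag names and bit values below are constructed for this example (they are not the real NFSSVC_* constants), and the fixed variant shows the hardening a reviewer would ask for.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed flag values for illustration only; not XNU's NFSSVC_* constants. */
#define ACT_PRIV_A   0x01u   /* privileged action */
#define ACT_PRIV_B   0x02u   /* privileged action */
#define ACT_UNPRIV   0x04u   /* unprivileged action */
#define ACT_UNUSED   0x80u   /* a bit no handler consumes */
#define ACT_KNOWN    (ACT_PRIV_A | ACT_PRIV_B | ACT_UNPRIV)

/* Vulnerable pattern from the write-up: the privilege check compares the whole
 * flag word for equality, so any extra bit makes the request look unprivileged. */
static bool needs_root_vulnerable(uint32_t flags)
{
    return flags == ACT_PRIV_A || flags == ACT_PRIV_B;
}

/* Dispatch, by contrast, tests individual bits, so a privileged handler still
 * runs when a privileged bit is set alongside an unused one. */
static bool dispatches_privileged(uint32_t flags)
{
    return (flags & (ACT_PRIV_A | ACT_PRIV_B)) != 0;
}

/* Hardened check: use the same bitwise test the dispatcher uses... */
static bool needs_root_fixed(uint32_t flags)
{
    return (flags & (ACT_PRIV_A | ACT_PRIV_B)) != 0;
}

/* ...and reject unknown bits outright so the two views cannot diverge. */
static bool flags_valid(uint32_t flags)
{
    return (flags & ~ACT_KNOWN) == 0;
}

/* True when the two checks disagree: the authorization check says "no root
 * needed" while dispatch would still select a privileged handler. */
static bool check_mismatch(uint32_t flags)
{
    return !needs_root_vulnerable(flags) && dispatches_privileged(flags);
}

int main(void)
{
    uint32_t f = ACT_PRIV_A | ACT_UNUSED;
    printf("vulnerable: needs_root=%d dispatch_priv=%d mismatch=%d\n",
           needs_root_vulnerable(f), dispatches_privileged(f), check_mismatch(f));
    printf("fixed: valid=%d needs_root=%d\n", flags_valid(f), needs_root_fixed(f));
    return 0;
}
```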
This also allowed an attacker to hit a use-after-free situation, ultimately caused by two different locks being used to control access to the same object.