Full Report
Within portions of the BSD kernel, the mbuf object is used in networking. It consists of a header and a data area, both of fixed size: _MSIZE is the total size of the message buffer and MLEN is the size of its data portion. The vulnerability exists in a bcopy that copies a socket address into the message buffer. Instead of checking the length against MLEN (224), it checks against the full size of the buffer, _MSIZE (256), which includes the header; since sa_len is a single byte, its largest value, 255, passes the check and overflows the data area by 31 bytes. The reason for the bug is likely a confusion between the two length types, which explains how it got through code review! The proof of concept for this requires 3 syscalls, which is fairly simple! I'm surprised that something like syzkaller didn't find this. The crash trace shows that this corrupts the mbuf that follows the data. The bug is a super simple buffer overflow. Finding it required deep attention to detail on sizes. Naming variables correctly is important :)
Analysis Summary
# Vulnerability: TURPENTINE - Apple XNU Kernel Mbuf Buffer Overflow
## CVE Details
- **CVE ID:** CVE-2024-27815
- **CVSS Score:** Not stated in the source report.
- **CWE:** CWE-120 (Buffer Copy without Checking Size of Input, "Classic Buffer Overflow") / CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
## Affected Systems
- **Products:** Apple macOS (and potentially other XNU-based operating systems like iOS).
- **Versions:** macOS 14.2, 14.3, and 14.4 (PoC verified on x86_64); the affected source analysed is `xnu-10002.1.13`.
- **Configurations:** Systems where the kernel is compiled with `CONFIG_MBUF_MCACHE` enabled.
## Vulnerability Description
The vulnerability is a classic buffer overflow within the BSD kernel portion of XNU, specifically in the `sbconcat_mbufs` function in `uipc_socket2.c`.
Networking in the kernel uses `mbuf` objects, each consisting of a 32-byte header (`m_hdr`) followed by an inline data area. The total size of the message buffer is `_MSIZE` (256 bytes), so the space actually available for data is `MLEN` (224 bytes).
A logic error was introduced via a performance-optimizing macro that performed the bounds check against `_MSIZE` (256) instead of `MLEN` (224). Because `sa_len` is an 8-bit field, its maximum value of 255 always passes that check, and the subsequent `bcopy` of the socket address into the 224-byte data area writes up to **31 bytes** past it, into the header of the adjacent `mbuf` in memory.
## Exploitation
- **Status:** PoC available and verified.
- **Complexity:** Low (requires only 3 standard syscalls).
- **Attack Vector:** Local (unprivileged code that can issue the `socketpair`, `bind`, and `write` syscalls). No elevated privileges are required.
## Impact
- **Confidentiality:** High (Potential for kernel memory disclosure depending on subsequent primitives).
- **Integrity:** High (Attacker can deterministically set fields of the next `m_hdr` in memory to arbitrary values).
- **Availability:** High (Triggering the overflow results in a kernel panic/system crash).
## Remediation
### Patches
- **macOS 14.5:** Fixed in kernel version `xnu-10063.121.3`.
- The fix restores the correct check, `if (sa_len > MLEN) { return NULL; }`, so the copied address can never exceed the 224-byte data area.
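The following user-space model, added here as an illustration and not code from the report, the PoC, or XNU itself, shows why the description above yields exactly 31 bytes of header corruption and why the patched check stops it. It lays two 256-byte message buffers back to back in a byte array (a stand-in for adjacent mbufs in a cache slab), fills the second buffer's 32-byte header with a sentinel, and runs the copy once with the vulnerable `_MSIZE` check and once with the `MLEN` check from the patch. The struct names, the `0xAA` sentinel and the `0x41` fill are constructed for the example; only the sizes (256, 32, 224) and the one-byte `sa_len` come from the page and from the BSD `struct sockaddr` layout.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the XNU mbuf layout described in the report:
 * a 256-byte message buffer (_MSIZE) holding a 32-byte header (m_hdr)
 * followed by 224 bytes of inline data (MLEN). User-space stand-ins,
 * not the kernel's own definitions. */
#define MODEL_MSIZE 256
#define MODEL_MHDR  32
#define MODEL_MLEN  (MODEL_MSIZE - MODEL_MHDR)

/* Two mbufs laid out back to back, as adjacent slab elements would be. */
#define SLAB_LEN (2 * MODEL_MSIZE)

/* Minimal stand-in for a BSD socket address: the layout begins with a
 * one-byte sa_len, so 255 is the largest length a caller can supply. */
struct model_sockaddr {
    uint8_t sa_len;
    uint8_t sa_family;
    uint8_t sa_data[254];
};

/* Vulnerable check from the report: compares against the whole buffer
 * size instead of the data area. Returns -1 if rejected, otherwise the
 * number of bytes written past the first mbuf's data area. */
static int copy_sockaddr_vulnerable(uint8_t *slab, const struct model_sockaddr *sa)
{
    if (sa->sa_len > MODEL_MSIZE) { /* never true: sa_len <= 255 < 256 */
        return -1;
    }
    memcpy(slab + MODEL_MHDR, sa, sa->sa_len); /* bcopy(asa, mtod(m, ...), sa_len) */
    return sa->sa_len > MODEL_MLEN ? sa->sa_len - MODEL_MLEN : 0;
}

/* Patched check: rejects anything larger than the 224-byte data area. */
static int copy_sockaddr_fixed(uint8_t *slab, const struct model_sockaddr *sa)
{
    if (sa->sa_len > MODEL_MLEN) {
        return -1;
    }
    memcpy(slab + MODEL_MHDR, sa, sa->sa_len);
    return 0;
}

/* Count the bytes of the second mbuf's header that no longer hold the
 * sentinel, i.e. that the copy overwrote. */
static int corrupted_header_bytes(const uint8_t *slab)
{
    int n = 0;
    for (int i = 0; i < MODEL_MHDR; i++) {
        if (slab[MODEL_MSIZE + i] != 0xAA) {
            n++;
        }
    }
    return n;
}

/* Build the two-mbuf slab, put a sentinel in the second header, run one
 * of the copy routines with a sockaddr of the given length, and report
 * the routine's result plus how many bytes spilled / were corrupted. */
static int run_model(int use_fixed, uint8_t sa_len, int *spilled, int *corrupted)
{
    uint8_t slab[SLAB_LEN];
    struct model_sockaddr sa;

    memset(slab, 0x00, sizeof slab);
    memset(slab + MODEL_MSIZE, 0xAA, MODEL_MHDR); /* sentinel in the next m_hdr */
    memset(&sa, 0x41, sizeof sa);                /* attacker-controlled payload */
    sa.sa_len = sa_len;

    int rc = use_fixed ? copy_sockaddr_fixed(slab, &sa)
                       : copy_sockaddr_vulnerable(slab, &sa);
    *spilled = rc < 0 ? 0 : rc;
    *corrupted = corrupted_header_bytes(slab);
    return rc;
}

int main(void)
{
    int spilled, corrupted;
    int rc = run_model(0, 255, &spilled, &corrupted);
    printf("vulnerable check: rc=%d spilled=%d corrupted_hdr_bytes=%d\n", rc, spilled, corrupted);
    rc = run_model(1, 255, &spilled, &corrupted);
    printf("patched check:    rc=%d spilled=%d corrupted_hdr_bytes=%d\n", rc, spilled, corrupted);
    return 0;
}
```

With `sa_len = 255` the vulnerable routine accepts the copy and the first 31 bytes of the neighbouring header take attacker-chosen values, which is the deterministic `m_hdr` overwrite the Impact section describes; the patched routine refuses the same input and the sentinel survives. A length of exactly 224 is accepted by both and corrupts nothing, showing that `MLEN` is the precise boundary.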
### Workarounds
- No known software workarounds; users are advised to update to macOS 14.5 or later.
## Detection
- **Indicators of Compromise:** Kernel panics whose backtrace includes `sbconcat_mbufs` (`uipc_socket2.c`) or memory-corruption traces inside `IONetworkingFamily`.
- **Detection methods and tools:** Panic reports in the system logs that record a "Kernel Trap" or list "Kernel Extensions in backtrace" citing `com.apple.iokit.IONetworkingFamily`.
## References
- **Vendor Advisory:** [https://support.apple.com/en-us/HT214106](https://support.apple.com/en-us/HT214106)
- **Technical Analysis:** [https://jprx.io/](https://jprx.io/)
- **Proof of Concept:** [https://github.com/jprx/CVE-2024-27815](https://github.com/jprx/CVE-2024-27815)
- **Source Code Reference:** [https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/kern/uipc_socket2.c#L1258](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/kern/uipc_socket2.c#L1258)