
Susctl CVE-2024-54507: A particularly 'sus' sysctl in the XNU kernel

nixpulvis

Seems like something to be integration tested in the future. Honestly surprised this slipped through.

0x457

I saw that types are different, but I was thinking "must be some weird C thing that I don't know about"

inetknght

    -   int new_value = *(int *)oidp->oid_arg1;
    +   int new_value = *(uint16_t *)oidp->oid_arg1;
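Review bot: the `-` line dereferences `oid_arg1` as an `int` although the object it points at is a `uint16_t`, so the read spans two bytes past the variable and those bytes land in `new_value`; the `+` line narrows the read to the object's real width, which is the right fix for the over-read, but `new_value` itself stays an `int` because it is handed on to `sysctl_handle_int`, so a comment on this line explaining why the cast and the variable type intentionally differ would spare the next reader the same double-take.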
Why not just have `uint16_t new_value = ...`?

Ahh, because `new_value` is being given to `sysctl_handle_int(..., &new_value, ...);` which of course expects an `int`. So then it begs the question: if the value is really a `uint16_t`, then why is it being handled through a plain `int`? It smells like there could easily be tons of other memory-safety and/or type confusion problems endemic to the sysctl API.
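A userland model of the read mismatch discussed in this comment, added here as an illustration and not code from XNU or from the write-up; the `struct tunables` layout and both handler functions are constructed for the example, with `neighbor` standing in for whatever the linker places after the real 16-bit variable:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the sysctl's backing storage: a 16-bit tunable and
 * whatever the linker placed right after it. This is not XNU's real layout; the
 * neighbor field models the adjacent kernel data the thread talks about. */
struct tunables {
    uint16_t knob;     /* the object oid_arg1 is meant to point at */
    uint16_t neighbor; /* unrelated kernel data following it in memory */
};
_Static_assert(sizeof(struct tunables) >= sizeof(int), "model must cover the int-width read");

/* Pre-fix pattern: oid_arg1 points at a uint16_t but the handler reads an int
 * through it, so sizeof(int) bytes are copied, two of them from beyond knob.
 * memcpy is used instead of *(int *)p so the model itself has no undefined behaviour. */
static int buggy_handler(const struct tunables *t) {
    int new_value;
    memcpy(&new_value, &t->knob, sizeof new_value);
    return new_value;
}

/* Fixed pattern: read exactly the 16-bit object, then widen it to the int that
 * the int-typed handler expects. Only knob's own bytes reach the caller. */
static int fixed_handler(const struct tunables *t) {
    int new_value = *(const uint16_t *)&t->knob;
    return new_value;
}

/* Counts the bytes of a handler's result that change when only the neighbor
 * changes, i.e. bytes that are not the tunable's own. Endianness-independent. */
static int leaked_byte_count(int (*handler)(const struct tunables *)) {
    struct tunables a = { .knob = 0x1234, .neighbor = 0x0000 };
    struct tunables b = { .knob = 0x1234, .neighbor = 0xBEEF };
    int va = handler(&a), vb = handler(&b);
    unsigned char ba[sizeof(int)], bb[sizeof(int)];
    memcpy(ba, &va, sizeof va);
    memcpy(bb, &vb, sizeof vb);
    int leaked = 0;
    for (size_t i = 0; i < sizeof(int); i++)
        leaked += ba[i] != bb[i];
    return leaked;
}

int main(void) {
    printf("buggy handler exposes %d byte(s) of neighboring data\n",
           leaked_byte_count(buggy_handler));
    printf("fixed handler exposes %d byte(s)\n", leaked_byte_count(fixed_handler));
    return 0;
}
```

With `neighbor` set to zero the buggy read returns the same value as the fixed one on little-endian machines, which is the "potentially blank padding" case raised further down the thread; the two extra bytes are still copied, they just happen to be zero.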

aritashion

> So then it begs the question: if the value is really a `uint16_t`, then why is it being handled through a plain `int`?

I don't think it begs the question, but it does raise one!

kccqzy

Well there's the so-called usual arithmetic conversions that will basically convert every uint16_t to an unsigned int. The C and C++ languages do a silent conversion on your back anyways so you might as well make it explicit.

inetknght

A well-configured C++ compiler will error-out on such a silent conversion.

nxobject

Did you get a bounty payout for this? I got the impression that Apple wasn't particularly on the ball with those.

ChocolateGod

Is it even exploitable in the real world?

Correct me if I'm wrong but you get 2 bytes of kernel data (potentially blank padding) and the same two bytes each time?

bean-weevil

If the linker puts a pointer there, this would let you leak part of the pointer which could let you bypass kaslr. Not too likely for that to occur. If I were submitting this bug I would feel complete if they bought me a sandwich.

axoltl

The bottom 2 bytes of a pointer contain two bits of the slide, assuming it's even a pointer into the kernelcache itself.

I'd take half a sandwich.

buzzergfxkjkl

Good to find the bug regardless! I appreciated the succinct and not overly dramatic write-up. I don't think anything significant was claimed other than the fact that it is a kernel bug (which is significant in itself don't get me wrong).

soheil

Leaking two random bytes and in some cases just padding bytes to user space is not the end of the world and I don't get why there are so many negative comments blaming Apple for not handing out a handsome bounty for this bug.

wilg

Is there any reason to assume a conspiracy and drama around the bounty here other than just being bored and cynical? Apple has a well known security bounty program https://security.apple.com/bounty/

rvz

So the researcher didn't get a bounty from Apple then, no?

zx8080

It's not possible to apply human morale and principles to companies. It just does not work that way.

Why would they pay if there is no profit in paying and they are not forced to pay?

readyplayernull

Do not fall into the trap of anthropomorphising Apple

bramhaag

Ideally Apple would incentivise people reporting security issues to them, instead of risking people selling them to someone else who pays more.

emptiestplace

To inspire more of the same.
