Bug Hunter Diary
DESCRIPTION

The ioctl() function manipulates the underlying device parameters of special files. In particular, many operating characteristics of character special files (e.g. terminals) may be controlled with ioctl() requests. The argument d must be an open file descriptor.

An ioctl request has encoded in it whether the argument is an "in" parameter or "out" parameter, and the size of the argument argp in bytes. Macros and defines used in specifying an ioctl request are located in the file .

[..]

If an IOCTL request is sent to the kernel, the argument request has to be filled with the appropriate IOCTL code, and argp has to be filled with the user-supplied IOCTL input data. The request and argp arguments of ioctl() correspond to the kernel function arguments cmd and data.

I had found what I was looking for: Most kernel functions that process incoming IOCTL requests take an argument called data that holds, or points to, the user-supplied IOCTL input data.

Step 3: Trace the Input Data

After I found the locations in the kernel where IOCTL requests are handled, I traced the input data through the kernel functions while looking for potentially vulnerable locations. While reading the code, I stumbled upon some locations that looked intriguing. The most interesting potential bug I found happens if the kernel tries to handle a special TTY IOCTL request. The following listing shows the relevant lines from the source code of the XNU kernel.

Source code file xnu-792.13.8/bsd/kern/tty.c

[..]
/*
 * Ioctls for all tty devices. Called after line-discipline specific ioctl
 * has been called to do discipline-specific functions and/or reject any
 * of these ioctl commands.
 */
/* ARGSUSED */
int
ttioctl(register struct tty *tp,
        u_long cmd, caddr_t data, int flag,
        struct proc *p)
{
[..]
        switch (cmd) {                  /* Process the ioctl. */
[..]
        case TIOCSETD: {                /* set line discipline */
                register int t = *(int *)data;
                dev_t device = tp->t_dev;

                if (t >= nlinesw)

116 Chapter 7
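The listing breaks off at the check `if (t >= nlinesw)`, which tests only the upper bound of a signed int read straight from the user-supplied data argument. The C program below is an added example, not code from the book or from the XNU source: it compares a check of that shape with one that also rejects negative values before the value is used as a table index. NLINESW, the sample inputs and the function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for nlinesw, the number of entries in the kernel's
   line-discipline table (hypothetical value for this example). */
#define NLINESW 8

/* Same shape as the check in the listing: only the upper bound is tested.
   Returns true when t would be accepted as a table index. */
bool ldisc_check_as_listed(int t, int nlinesw)
{
    if (t >= nlinesw)
        return false;
    return true;
}

/* Hardened form: reject negative values as well as out-of-range ones,
   so the value can safely index a table of nlinesw entries. */
bool ldisc_check_hardened(int t, int nlinesw)
{
    if (t < 0 || t >= nlinesw)
        return false;
    return true;
}

/* Reinterpret the request's data buffer as an int, as the listing does
   with *(int *)data (memcpy avoids alignment assumptions). */
int ldisc_from_data(const char *data)
{
    int t;
    memcpy(&t, data, sizeof t);
    return t;
}

int main(void)
{
    /* Constructed sample inputs: raw bytes a caller could hand over in
       the ioctl data argument, including an out-of-range and a negative one. */
    const int samples[] = { 0, 3, NLINESW, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char data[sizeof(int)];
        memcpy(data, &samples[i], sizeof data);
        int t = ldisc_from_data(data);
        printf("t=%2d  as listed: %-7s hardened: %s\n", t,
               ldisc_check_as_listed(t, NLINESW) ? "accept" : "reject",
               ldisc_check_hardened(t, NLINESW) ? "accept" : "reject");
    }
    return 0;
}
```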
