CVE-2022-42864 - Diabolical Cookies
iOS 16.2 and macOS Ventura 13.1 were released just over a month ago, fixing an interesting vulnerability that I reported in IOHIDFamily. I would like to share the details of that vulnerability today.

The Bug

Apple's comment from the source code when this issue was fixed sums this up nicely:

    // Find the number of cookies in the data. The data from elementData is shared with user space and may change at any time.

Let us have a look at the function before the patch (I have tried to label relevant lines):

```cpp
IOReturn IOHIDDevice::postElementTransaction(const void *elementData,
                                             UInt32 dataSize,
                                             UInt32 completionTimeout,
                                             IOHIDCompletion *completion)
{
    IOReturn   ret = kIOReturnError;
    uint32_t   cookies_[kMaxLocalCookieArrayLength];
    uint32_t * cookies = cookies_;
    uint32_t   cookieCount = 0;
    uint32_t   cookieSize = 0;
    uint32_t   dataOffset = 0;
```
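To make Apple's comment concrete, here is an added C model of the pattern it describes: a count derived from memory that user space can still write to, a fixed-size local array sized by that count, and then a second walk over the same shared memory. This is constructed for this write-up and is not the IOHIDFamily code; the record format, buffer sizes, the simulated racing rewrite and the value of kMaxLocalCookieArrayLength are all assumptions, and the hardened variant shows the generic copy-once remedy rather than the change Apple actually shipped.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a double fetch from memory shared with user space; it is
 * not the IOHIDFamily code. Assumed record format:
 *   repeated { uint32_t cookie; uint32_t valueLen; uint8_t value[valueLen]; }
 * The constant's name is taken from the fragment above; its value is assumed. */
#define kMaxLocalCookieArrayLength 8

typedef struct { uint8_t *data; uint32_t size; } shared_elements; /* user-visible */
typedef void (*race_fn)(shared_elements *);   /* simulated racing user thread */

/* Walk the records, storing at most cap cookies, and return the number of
 * records seen (possibly more than cap). The n < cap clamp keeps this demo
 * memory-safe; it is exactly the guarantee a double fetch lets user space void. */
static uint32_t walk_cookies(const uint8_t *data, uint32_t size,
                             uint32_t *cookies, uint32_t cap)
{
    uint32_t off = 0, n = 0;
    while (off + 8 <= size) {
        uint32_t len;
        memcpy(&len, data + off + 4, sizeof len);
        if (len > size - off - 8) break;                  /* truncated record */
        if (cookies && n < cap) memcpy(&cookies[n], data + off, sizeof cookies[n]);
        off += 8 + len;
        n++;
    }
    return n;
}

/* Vulnerable shape: count from shared memory, size the local array from that
 * count, then walk the shared memory a second time. Returns how many records
 * the second walk found beyond the capacity chosen by the first, i.e. how many
 * writes a real implementation would make past the end of cookies_. */
uint32_t post_transaction_vulnerable(shared_elements *e, race_fn race, uint32_t *parsed)
{
    uint32_t cookies_[kMaxLocalCookieArrayLength];
    uint32_t cap = walk_cookies(e->data, e->size, NULL, 0);         /* fetch 1 */
    if (cap > kMaxLocalCookieArrayLength) return 0;                 /* heap path, not modelled */
    if (race) race(e);                                              /* user space rewrites data */
    uint32_t found = walk_cookies(e->data, e->size, cookies_, cap); /* fetch 2 */
    if (parsed) *parsed = found;
    return found > cap ? found - cap : 0;
}

/* Hardened shape: copy the shared data once into private memory and derive
 * every decision from the copy. A generic remedy for the pattern, not
 * necessarily the change Apple shipped. */
uint32_t post_transaction_hardened(shared_elements *e, race_fn race, uint32_t *parsed)
{
    uint8_t  local[256];                                            /* assumed bound */
    uint32_t cookies_[kMaxLocalCookieArrayLength];
    uint32_t size = e->size;
    if (size > sizeof local) return 0;
    memcpy(local, e->data, size);                                   /* the only fetch */
    uint32_t cap = walk_cookies(local, size, NULL, 0);
    if (cap > kMaxLocalCookieArrayLength) return 0;
    if (race) race(e);                                              /* too late: we use local */
    uint32_t found = walk_cookies(local, size, cookies_, cap);
    if (parsed) *parsed = found;
    return found > cap ? found - cap : 0;
}

/* Constructed input: n records with a 4-byte value each (12 bytes per record). */
static uint32_t build_records(uint8_t *buf, uint32_t bufsize, uint32_t n)
{
    uint32_t off = 0;
    for (uint32_t i = 0; i < n && off + 12 <= bufsize; i++, off += 12) {
        uint32_t cookie = 0x100 + i, len = 4, value = i;
        memcpy(buf + off, &cookie, 4);
        memcpy(buf + off + 4, &len, 4);
        memcpy(buf + off + 8, &value, 4);
    }
    return off;
}

/* Simulated attacker: same size, bytes rewritten as zero-length records, so the
 * 48 bytes that parsed as 4 records now parse as 6. */
static void race_rewrite(shared_elements *e)
{
    for (uint32_t off = 0, i = 0; off + 8 <= e->size; off += 8, i++) {
        uint32_t cookie = 0x200 + i, len = 0;
        memcpy(e->data + off, &cookie, 4);
        memcpy(e->data + off + 4, &len, 4);
    }
}

/* Run one variant against the racing attacker; returns out-of-bounds writes. */
uint32_t demo_overflow(int hardened, uint32_t *parsed)
{
    uint8_t buf[64];
    shared_elements e = { buf, build_records(buf, sizeof buf, 4) };
    return hardened ? post_transaction_hardened(&e, race_rewrite, parsed)
                    : post_transaction_vulnerable(&e, race_rewrite, parsed);
}

/* Number of records the second walk parsed for one variant. */
uint32_t demo_parsed(int hardened) { uint32_t n = 0; demo_overflow(hardened, &n); return n; }

int main(void)
{
    uint32_t v = demo_overflow(0, NULL), h = demo_overflow(1, NULL);
    printf("vulnerable: %u out-of-bounds writes, %u records\n", v, demo_parsed(0));
    printf("hardened:   %u out-of-bounds writes, %u records\n", h, demo_parsed(1));
    return 0;
}
```

The vulnerable path reports two writes past the capacity it chose, because the attacker turned four records into six between the two walks; the hardened path parses four records from its private copy and reports none. The point to carry over to real kernel code is that the size check and the consumer must look at the same bytes, which means copying once from the shared mapping and never dereferencing it again.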