MacOS uses an insecure swap file

CVE-2017-2494


This came out of a discussion with Jann Horn this afternoon; credit is his.

It turns out that even with SIP enab MacOS uses an insecure swap file

CVE-2017-2494


This came out of a discussion with Jann Horn this afternoon; credit is his.

It turns out that even with SIP enabled a regular root user can write to the swapfile under /private/var/vm/swapfile0.

That file is created on demand when the system starts to swap; if you can't see it increase system load.

Then as root (with SIP enabled) do:

cat /dev/urandom > /private/var/vm/swapfile0

We observed multiple interesting-looking kernel panics including in the swapfile decompression code and also the intel GPU driver doing something with GPU pages.



Found by: ianbeer