(CVE-2023-41984) Apple AppleSPU Shared Memory Read/Write Mapping Leading to Kernel Panic and Code Execution
CVE: CVE-2023-41984
Affected Versions: macOS Monterey before 12.7; macOS Ventura before 13.6; macOS Sonoma before 14; iOS and iPadOS before 16.7; iOS 17 and iPadOS 17; tvOS before 17; watchOS before 10
CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
| Product | Apple AppleSPU (AppleSPUHIDDriverUserClient) |
|---|---|
| Vendor | Apple |
| Severity | High — a local user may be able to execute arbitrary code with kernel privileges |
| Affected Versions | macOS Monterey < 12.7; macOS Ventura < 13.6; macOS Sonoma < 14; iOS/iPadOS < 16.7; tvOS < 17; watchOS < 10 |
| Tested Versions | macOS 13.4; iOS 16.5 |
| CVE Identifier | CVE-2023-41984 |
| CVE Description | A memory handling issue in Apple operating systems may allow an app to execute arbitrary code with kernel privileges; addressed via improved memory handling |
| CWE Classification(s) | CWE-732: Incorrect Permission Assignment for Critical Resource |
CVSS3.1 Scoring System
Base Score: 7.8 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | Required |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Product Background
AppleSPU is an IOKit driver that communicates with the Always-On Processor (AOP) and shares data structures such as ring buffers between the AP and AOP. It manages multiple IOServices and IOUserClients. One of these, AppleSPUHIDDriver, opens different user clients depending on an open_type parameter. The affected user client is AppleSPUHIDDriverUserClient, opened with open_type = 0x61736864.
Technical Details
When a kernel driver shares a memory buffer with userspace via IOMemoryMap, the mapping should be either read-only or use copy-on-write (COW) semantics:
- A write to a read-only mapping causes a bus error and terminates the process — no kernel impact.
- A write to a COW mapping creates a new private copy for userspace while the kernel retains the original — the kernel is protected.
However, AppleSPUHIDDriverUserClient maps a 0x90000-byte ring buffer as read/write without COW. The sequence is:
- Call `extBeginCopyEventMultipleMethod` to allocate the shared ring buffer.
- Use `IOMemoryMap` to map the ring buffer into userspace with read/write permissions and no COW protection.
With a direct read/write mapping into the kernel’s ring buffer, an unprivileged user can write arbitrary data to the shared region. When the kernel subsequently accesses the corrupted ring buffer through any of the driver’s other methods, it panics immediately.
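As an added illustration (not part of the advisory or its PoC), the following C program uses POSIX mmap to contrast a shared read/write mapping with a copy-on-write (MAP_PRIVATE) one: a write through the private mapping never reaches the backing region, which is exactly the protection the AppleSPU mapping lacked. A temporary file stands in for the kernel's ring buffer, and all function and constant names are assumptions for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define REGION_SIZE 4096

/* Maps one backing region twice: an "owner" (kernel-side) view, always
 * MAP_SHARED, and a "user" view mapped with the flags under test.
 * Returns 1 if a write through the user view reaches the owner's view,
 * 0 if it does not (copy-on-write kept the original intact), -1 on error.
 * A PROT_READ-only mapping is not exercised here: a write to it faults
 * and terminates the process, as the advisory describes. */
static int write_reaches_backing(int user_flags) {
    char path[] = "/tmp/cowdemoXXXXXX";       /* constructed stand-in for the ring buffer */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                               /* keep only the descriptor */
    if (ftruncate(fd, REGION_SIZE) != 0) { close(fd); return -1; }

    char *owner = mmap(NULL, REGION_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    char *user  = mmap(NULL, REGION_SIZE, PROT_READ | PROT_WRITE, user_flags, fd, 0);
    if (owner == MAP_FAILED || user == MAP_FAILED) { close(fd); return -1; }

    memset(owner, 'K', REGION_SIZE);   /* owner initialises the shared buffer */
    user[0] = 'U';                     /* user writes through its own mapping */

    int reached = (owner[0] == 'U');   /* did the write corrupt the owner's data? */
    munmap(owner, REGION_SIZE);
    munmap(user, REGION_SIZE);
    close(fd);
    return reached;
}

int main(void) {
    /* MAP_SHARED behaves like the vulnerable AppleSPU mapping: 1 (write lands). */
    printf("MAP_SHARED  write visible to owner: %d\n", write_reaches_backing(MAP_SHARED));
    /* MAP_PRIVATE is the copy-on-write case the advisory recommends: 0. */
    printf("MAP_PRIVATE write visible to owner: %d\n", write_reaches_backing(MAP_PRIVATE));
    return 0;
}
```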
Running the PoC as a normal user triggers a kernel panic without requiring any elevated privileges:
```
cc poc.c -framework IOKit -o poc
./poc
```
Credit
Pan Zhenpeng of STAR Labs SG Pte. Ltd.
Timeline
- 2023-09-26 — Patch released: macOS Ventura 13.6, macOS Monterey 12.7, macOS Sonoma 14, iOS/iPadOS 16.7, iOS/iPadOS 17, tvOS 17, watchOS 10
- 2023-09-27 — CVE-2023-41984 published by Apple