Summary
A local user may be able to cause unexpected system termination or read kernel memory.
Details
In IOHIDEventServiceFastPathUserClient::getSharedMemorySize, the ClientObject (at offset 0xE0 of the user client) is passed to a function that assumes it has already been initialised. It is only initialised by external method 0, IOHIDEventServiceFastPathUserClient::_open.
Calling IOConnectMapMemory64 without first calling _open (or after a call to _open that does not initialise ClientObject) will therefore result in a kernel panic.
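As an added illustration that is not Apple's code or part of the advisory, a simplified C++ model of the pattern behind this bug: a per-client object that only external method 0 creates, a mapping-path accessor that dereferences it unconditionally, and the hardened variant that reports the not-opened state. Class, method and return-code names are assumptions.

```cpp
// Added example (not Apple's code): a model of an IOKit user client whose
// shared-memory path trusts that a prior external method initialised state.
#include <cstddef>

// Constructed placeholder codes, not the real kIOReturn* values.
enum IOReturnCode { kOK = 0, kNotOpen = 1, kBadArgument = 2 };

struct ClientObject {
    size_t sharedMemorySize;  // what getSharedMemorySize() needs to read
};

class FastPathUserClientModel {
public:
    // External method 0 (_open): the only place ClientObject is set up.
    IOReturnCode open(size_t size) {
        if (size == 0) return kBadArgument;  // _open can fail and leave state unset
        storage_.sharedMemorySize = size;
        clientObject_ = &storage_;
        return kOK;
    }

    // Vulnerable form: reached from the memory-mapping path and dereferences
    // clientObject_ unconditionally. Without a prior successful open() the
    // pointer is still null, which in the kernel is a panic.
    size_t getSharedMemorySizeUnchecked() const {
        return clientObject_->sharedMemorySize;
    }

    // Hardened form: "not opened" is a distinct, reportable state.
    IOReturnCode getSharedMemorySizeChecked(size_t *out) const {
        if (clientObject_ == nullptr) return kNotOpen;
        *out = clientObject_->sharedMemorySize;
        return kOK;
    }

private:
    ClientObject storage_{};
    ClientObject *clientObject_ = nullptr;  // plays the role of the field at 0xE0
};

// The three orderings the advisory distinguishes, against the hardened accessor.
IOReturnCode mapWithoutOpen(size_t *out) {
    FastPathUserClientModel uc; return uc.getSharedMemorySizeChecked(out);
}
IOReturnCode mapAfterFailedOpen(size_t *out) {
    FastPathUserClientModel uc; uc.open(0); return uc.getSharedMemorySizeChecked(out);
}
IOReturnCode mapAfterOpen(size_t *out) {
    FastPathUserClientModel uc; uc.open(4096); return uc.getSharedMemorySizeChecked(out);
}
```

The unchecked accessor is kept only to show the missing guard; the scenario functions exercise the checked one, which is the shape of the fix.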
Disclosure timeline
20/12/2018 – Bug discovered
2/1/2019 – Vendor notified
25/3/2019 – Patch released (fixed in 12.2)
I would like to thank Apple for their quick and professional response and the rest of the Zimperium zLabs team for their ongoing research and assistance.