An out-of-bounds write in the ZinComputeProgramGetNamesFromMultiPlaneLinear() and ZinComputeProgramGetNamesFromMultiPlaneTitledCompressed() functions of the Apple Neural Engine (ANE). These functions parse procedure I/O and take, among other arguments, an output planes array of kernel pointers to user-controlled data and a planeCount giving how many planes to copy into that array. The problem is that there is no validation of how many planes a model can supply, which leads to an out-of-bounds write of kernel pointers to user-controlled data on the stack. This can be taken advantage of in multiple ways, including getting a heap overflow later on, or causing a type confusion by switching out some other kernel pointer on the stack for one with data you control.
Another vulnerability in the Apple Neural Engine (ANE). Interestingly, this one is a double fetch yielding an out-of-bounds write in ZinComputeProgramUpdateMutables(). The codebase is somewhat complex, but what matters is that one of the functions called from it is ANECGetMutableOperationInfo(), which fetches an opsInfo object from shared memory. One field in particular, op_count, is used to allocate an array of mutable weight objects, but it is double fetched: first to allocate the array, then again later to populate it. By using a thread to switch out op_count for a larger value post-allocation, you can achieve an OOB write of two 64-bit values (a kernel address to user-controlled data and a semi-arbitrary 64-bit value).
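The two flaws described above, a missing count check and a double fetch from shared memory, share one fix pattern. This added C example (not Apple's code; the struct layout, names and limits are constructed for illustration) reads the shared header into a private snapshot once, validates it, and sizes both the planes copy and the ops array from that snapshot, so a concurrent rewrite of op_count after allocation cannot cause an out-of-bounds write:

```c
#include <stdint.h>
#include <stdlib.h>

#define MAX_PLANES 8
#define MAX_OPS    64

/* Hypothetical header a client publishes in shared memory; the real ANE
 * layouts are not on the page, so this structure is constructed. */
struct ops_info {
    uint32_t op_count;    /* number of mutable weight operations */
    uint32_t plane_count; /* number of output planes to copy */
};

struct mutable_op { uint64_t src; uint64_t value; };

struct parse_result {
    int status;             /* 0 = ok, -1 = header rejected */
    uint32_t op_count;      /* the count both allocation and population used */
    struct mutable_op *ops; /* caller frees */
};

/* Stand-in for a concurrent client thread that rewrites the header after the
 * kernel sized its array from the first read. */
void racing_client(volatile struct ops_info *s) { s->op_count = 1000; }
/* Hardened flow for both bugs on the page: fetch the shared header once into a
 * private snapshot, bounds-check the snapshot, and size the planes copy and the
 * ops array from it. The vulnerable pattern re-reads shared->op_count later. */
struct parse_result update_mutables(volatile struct ops_info *shared,
                                    uintptr_t planes[MAX_PLANES],
                                    const uint64_t *user_planes,
                                    void (*racer)(volatile struct ops_info *))
{
    struct parse_result r = { -1, 0, NULL };
    struct ops_info snap = { shared->op_count, shared->plane_count }; /* single fetch */
    if (snap.plane_count > MAX_PLANES || snap.op_count > MAX_OPS)
        return r; /* the validation the page says was missing */
    for (uint32_t i = 0; i < snap.plane_count; i++)
        planes[i] = (uintptr_t)&user_planes[i]; /* pointer to user data, bounded */
    r.ops = calloc(snap.op_count ? snap.op_count : 1, sizeof *r.ops);
    if (!r.ops) return r;
    if (racer) racer(shared); /* shared->op_count changes here; snap does not */
    for (uint32_t i = 0; i < snap.op_count; i++) { /* bounded by the snapshot */
        r.ops[i].src = (uint64_t)(uintptr_t)&user_planes[0];
        r.ops[i].value = i;
    }
    r.status = 0;
    r.op_count = snap.op_count;
    return r;
}
```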