Google Project Zero researcher Samuel Groß published a detailed account of a security research project targeting coreaudiod, the CoreAudio daemon on macOS. The project focused on fuzzing the Mach interface of this privileged system service, which runs as root and is reachable from sandboxed applications, making it a natural target for sandbox escapes.
Building a Structure-Aware Mach Fuzzer
To test the CoreAudio interface effectively, a custom, structure-aware fuzzer was developed. Rather than mutating raw bytes, the fuzzer parsed the MIG .defs files that define the daemon's Mach interface and used them to generate messages with valid structure (a correct header, routine IDs and argument layout), so that test cases reached the message handlers instead of being rejected by the dispatcher. The fuzzer ran in-process with a snapshot-based architecture: mach_msg_server_once, the function that receives and dispatches a single Mach message, was hooked so that large numbers of test cases could be executed against the live service, with the process state restored between iterations.
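To make the structure-aware approach concrete, the following is an added example written for this article, not Project Zero's fuzzer or any Apple code. It parses a single simplified MIG routine declaration (a constructed .defs-style line with a hypothetical routine name), lays out a request whose header and inline argument sizes are correct, and then mutates only the argument bytes so that msgh_id and msgh_size keep routing the message to the intended handler. The Mach header is redefined locally so the code builds without macOS headers; the port numbers and msgh_id are assumptions, and the NDR record and descriptors of a real MIG request are omitted.

```c
/* Added example, not Project Zero's fuzzer: a minimal structure-aware Mach
 * request generator. It parses one simplified MIG .defs routine (constructed
 * below), lays out a request with a correct header and inline argument sizes,
 * then mutates only the argument bytes so the header still routes the message
 * to the intended handler. Routine, ports and msgh_id are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* mach_msg_header_t layout (24 bytes), redefined so this builds without Mach headers. */
typedef struct {
    uint32_t msgh_bits, msgh_size, msgh_remote_port, msgh_local_port, msgh_voucher_port;
    int32_t  msgh_id;
} mach_hdr_t;

#define MACH_MSG_TYPE_COPY_SEND      19u
#define MACH_MSG_TYPE_MAKE_SEND_ONCE 21u
#define MSGH_BITS(remote, local)     ((remote) | ((local) << 8))
/* Constructed .defs-style declaration; the routine name is hypothetical. */
static const char *kDefs =
    "routine set_channel_layout(server: mach_port_t; in object_id: uint32_t;"
    " in num_channels: uint32_t; in flags: uint64_t);";

static size_t type_size(const char *ty) {
    if (!strcmp(ty, "uint32_t") || !strcmp(ty, "int32_t") || !strcmp(ty, "int")) return 4;
    if (!strcmp(ty, "uint64_t") || !strcmp(ty, "int64_t")) return 8;
    return 0;                                   /* unknown or non-inline type */
}

/* Parse "routine name(a: type; in b: type; ...)" into inline request argument
 * sizes. The mach_port_t server argument lives in the header and "out"
 * arguments only appear in the reply, so neither is part of the request. */
static int parse_defs(const char *defs, size_t *sizes, int max) {
    const char *open = strchr(defs, '('), *close = open ? strchr(open, ')') : NULL;
    char body[256];
    if (!open || !close || (size_t)(close - open) >= sizeof body) return -1;
    size_t len = (size_t)(close - open - 1);
    memcpy(body, open + 1, len);
    body[len] = '\0';
    int n = 0;
    for (char *tok = strtok(body, ";"); tok; tok = strtok(NULL, ";")) {
        char a[32] = "", b[32] = "", ty[32] = "";
        char *colon = strchr(tok, ':');
        if (!colon) return -1;
        *colon = '\0';
        int words = sscanf(tok, " %31s %31s", a, b);          /* [direction] name */
        if (words < 1 || sscanf(colon + 1, " %31s", ty) != 1) return -1;
        if (!strcmp(ty, "mach_port_t") || (words == 2 && !strcmp(a, "out"))) continue;
        size_t sz = type_size(ty);
        if (sz == 0 || n >= max) return -1;
        sizes[n++] = sz;
    }
    return n;
}

/* Lay out header + arguments with natural alignment (as the MIG-generated C
 * request struct does) and write a header naming the target routine.
 * Returns the total message size, or 0 if it does not fit in buf. */
static size_t build_message(const size_t *sizes, int n, uint32_t server_port,
                            uint32_t reply_port, int32_t msgh_id, uint8_t *buf, size_t cap) {
    size_t off = sizeof(mach_hdr_t);
    for (int i = 0; i < n; i++) off = (off + sizes[i] - 1) / sizes[i] * sizes[i] + sizes[i];
    if (off > cap) return 0;
    memset(buf, 0, off);
    mach_hdr_t h = { MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE),
                     (uint32_t)off, server_port, reply_port, 0, msgh_id };
    memcpy(buf, &h, sizeof h);
    return off;
}

static uint32_t xorshift32(uint32_t *s) { uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x; }

/* Mutate 32-bit words of the argument area only; the header is never touched. */
static void mutate_args(uint8_t *msg, size_t total, uint32_t *seed) {
    static const uint32_t interesting[] = { 0, 1, 0x7fffffff, 0x80000000, 0xffffffff };
    for (size_t off = sizeof(mach_hdr_t); off + 4 <= total; off += 4) {
        uint32_t r = xorshift32(seed);
        if (r & 1) memcpy(msg + off, &interesting[(r >> 1) % 5], 4);
    }
}

/* Exercise the pipeline; returns 0 on success or the number of the first failed check. */
static int self_check(void) {
    size_t sizes[8], total;
    uint8_t msg[256];
    int n = parse_defs(kDefs, sizes, 8);
    if (n != 3 || sizes[0] != 4 || sizes[1] != 4 || sizes[2] != 8) return 1;
    total = build_message(sizes, n, 0x1203, 0x1403, 1000, msg, sizeof msg);
    if (total != 40) return 2;                      /* 24-byte header + 4 + 4 + 8 */
    mach_hdr_t h; memcpy(&h, msg, sizeof h);
    if (h.msgh_size != 40 || h.msgh_id != 1000 || h.msgh_bits != 0x1513) return 3;
    uint32_t seed = 0x9e3779b9u;
    for (int i = 0; i < 1000; i++) mutate_args(msg, total, &seed);
    return memcmp(&h, msg, sizeof h) == 0 ? 0 : 4;  /* header survived mutation */
}

int main(void) {
    int rc = self_check();
    printf("self_check -> %d (0 = ok)\n", rc);
    return rc;
}
```

The point of the separation is that every test case stays a syntactically valid request for one specific routine; in a real harness the mutated buffer would be handed to the hooked dispatcher in place of a message read from the port, and the snapshot restored before the next iteration.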
Vulnerability Discovery in CoreAudio
The fuzzing campaign identified multiple memory corruption vulnerabilities in the coreaudiod process. One vulnerability detailed in the report, tracked as CVE-2021-30661, was a heap buffer overflow in the AUSpatializer::SetCustomChannelLayout function. The root cause was an integer overflow in an allocation-size calculation: a user-controlled UInt32 value from the Mach message was used in a multiplication performed in 32-bit arithmetic, the product wrapped, and the resulting allocation was far smaller than the data subsequently written into it, overflowing the heap buffer. Apple patched the vulnerability in macOS Big Sur 11.3.
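The following added example, written for this article and not taken from Apple's or Project Zero's code, shows the allocation-size pattern described above in a vulnerable and a hardened form. The layout struct follows the public CoreAudio AudioChannelLayout shape (three UInt32 fields followed by 20-byte channel descriptions), but the handler, the inline wire format and the payload builder are illustrative assumptions and are not the coreaudiod implementation. It goes slightly beyond the specific bug by also checking the declared count against the bytes actually received, which rejects lying counts whether or not the multiplication wraps.

```c
/* Added example, not Apple's code: the allocation-size pattern described
 * above, in its vulnerable and hardened forms. The layout struct follows the
 * public CoreAudio AudioChannelLayout shape (three UInt32 fields, then 20-byte
 * channel descriptions); the handler, the payload builder and the wire format
 * are illustrative assumptions, not the coreaudiod implementation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t label, flags; float coords[3]; } channel_desc_t;
typedef struct { uint32_t tag, bitmap, num_descs; channel_desc_t descs[]; } channel_layout_t;

#define HDR_SIZE  12u                       /* tag + bitmap + num_descs */
#define DESC_SIZE 20u                       /* sizeof(channel_desc_t) */
_Static_assert(sizeof(channel_desc_t) == DESC_SIZE, "description size");

/* Vulnerable pattern: UInt32 * UInt32 is evaluated in 32 bits and wraps, so a
 * huge attacker-chosen count yields a tiny allocation size. */
static uint32_t vuln_alloc_size(uint32_t num_descs) {
    return HDR_SIZE + num_descs * DESC_SIZE;
}

/* Hardened: do the arithmetic in size_t behind an explicit overflow bound, and
 * require the declared count to be backed by bytes actually received, since a
 * count larger than the payload is bogus regardless of overflow. */
static bool safe_alloc_size(uint32_t num_descs, size_t received, size_t *out) {
    if (num_descs > (SIZE_MAX - HDR_SIZE) / DESC_SIZE) return false;
    size_t size = HDR_SIZE + (size_t)num_descs * DESC_SIZE;
    if (size > received) return false;
    *out = size;
    return true;
}

/* Hypothetical handler over an inline payload: copy the layout into a heap
 * buffer sized from the message, rejecting malformed input instead of trusting
 * the count it carries. */
static channel_layout_t *set_custom_layout(const uint8_t *payload, size_t len) {
    uint32_t num;
    size_t size;
    if (len < HDR_SIZE) return NULL;
    memcpy(&num, payload + 8, sizeof num);
    if (!safe_alloc_size(num, len, &size)) return NULL;
    channel_layout_t *layout = malloc(size);
    if (layout) memcpy(layout, payload, size);           /* size <= len by construction */
    return layout;
}

/* Constructed payload: header claiming `claimed` descriptions, followed by
 * `actual` real ones (label = index + 1). A mismatch models a lying count. */
static size_t make_payload(uint32_t claimed, uint32_t actual, uint8_t *buf, size_t cap) {
    size_t len = HDR_SIZE + (size_t)actual * DESC_SIZE;
    if (len > cap) return 0;
    memset(buf, 0, len);
    memcpy(buf + 8, &claimed, sizeof claimed);
    for (uint32_t i = 0; i < actual; i++) {
        uint32_t label = i + 1;
        memcpy(buf + HDR_SIZE + (size_t)i * DESC_SIZE, &label, sizeof label);
    }
    return len;
}

/* Returns 0 on success, otherwise the number of the first failed check. */
static int self_check(void) {
    uint8_t buf[128];
    /* 0x0CCCCCCD * 20 = 2^32 + 4, so the vulnerable size is 4 + 12 = 16 bytes
       for a count that would need roughly 4.3 GB of descriptions. */
    if (vuln_alloc_size(0x0CCCCCCDu) != 16) return 1;
    if (vuln_alloc_size(2) != 52) return 2;
    size_t len = make_payload(0x0CCCCCCDu, 2, buf, sizeof buf);
    if (len != 52 || set_custom_layout(buf, len) != NULL) return 3;   /* wrapping count rejected */
    len = make_payload(3, 2, buf, sizeof buf);
    if (set_custom_layout(buf, len) != NULL) return 4;                /* count exceeds payload */
    len = make_payload(2, 2, buf, sizeof buf);
    channel_layout_t *l = set_custom_layout(buf, len);
    if (!l || l->num_descs != 2 || l->descs[1].label != 2) { free(l); return 5; }
    free(l);
    return 0;
}

int main(void) { return self_check(); }
```

The vulnerable size function is exactly the shape a structure-aware fuzzer finds quickly: a 32-bit count field that the generator is free to set to values like 0x0CCCCCCD while everything around it stays well-formed enough to reach the handler.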