SUSCTL: CVE-2024-54507

submitted by
Style Pass
2025-01-23 23:00:37

Every time Apple releases a new version of XNU, I run a custom suite of tests under an address sanitizer to see if I can spot any regressions, or even possibly new bugs. When I was messing around with macOS 15.0, I was shocked to see a very simple command was causing the sanitizer to report an invalid load.

In case you aren't familiar with sysctls, they are basically a set of runtime-controllable kernel variables that you can adjust from userspace. A lot of the time, the underlying resource of a given sysctl is literally just an integer in the kernel somewhere (like this). They're commonly used in kernel programming as a quick way to adjust parameters, and are used all over XNU.

There are a variety of ways to declare a sysctl using macros from sysctl.h, with support for many common types such as ints or structs. These handle all the boilerplate of copying values in from userspace and copying kernel values out, and provide some security flags as well.

The more interesting kind of sysctl is SYSCTL_PROC, where a custom handler is used to service the sysctl instead of the kernel-supplied boilerplate. When writing a SYSCTL_PROC, you are responsible for validating user requests, updating the kernel state, and returning values to userspace.
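As an added illustration (not code from the post or from XNU), here is a userspace model of what a custom handler owes the caller: every length is checked before memory is touched, and the new value is validated before kernel state changes. The request struct, handler name and tunable are constructed for this example and are not XNU's real sysctl_req or SYSCTL_PROC machinery.

```c
/* Model of a SYSCTL_PROC-style handler (constructed for illustration,
 * not XNU's actual types). Mirrors the old/new buffer exchange shape. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

struct model_req {
    void       *oldp;   /* where to write current value; NULL = size query */
    size_t      oldlen; /* caller's buffer size; set to bytes written/needed */
    const void *newp;   /* new value to install; NULL = read-only request */
    size_t      newlen; /* size of the new value supplied by the caller */
};

/* The "kernel variable" the sysctl fronts, and the range it accepts. */
static int g_tunable = 8;
#define TUNABLE_MIN 1
#define TUNABLE_MAX 64

/* Returns 0 on success or an errno value, exactly as a handler would. */
int model_sysctl_tunable(struct model_req *req)
{
    int current = g_tunable;

    /* Read side: report the size needed, copy out only if the buffer fits. */
    if (req->oldp == NULL) {
        req->oldlen = sizeof(current);
    } else {
        if (req->oldlen < sizeof(current))
            return ENOMEM;          /* undersized buffer: never overrun it */
        memcpy(req->oldp, &current, sizeof(current));
        req->oldlen = sizeof(current);
    }

    /* Write side: exact-size check prevents short or oversized reads of newp. */
    if (req->newp != NULL) {
        int incoming;
        if (req->newlen != sizeof(incoming))
            return EINVAL;
        memcpy(&incoming, req->newp, sizeof(incoming));
        if (incoming < TUNABLE_MIN || incoming > TUNABLE_MAX)
            return EINVAL;          /* validate before touching kernel state */
        g_tunable = incoming;
    }
    return 0;
}

/* Accessor so callers can observe the state the handler manages. */
int model_tunable_value(void) { return g_tunable; }
```

A real handler would use the kernel's copyin/copyout paths instead of memcpy, but the ordering of checks is the part that matters.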
