Have You Read Our Docs
Yes
Are You Reporting A Bug
Yes
Environment
- Kext Version: 2.3.0, 2.2.0
- WiFi Card Model: AC3165
- PCI Product ID:
- macOS Version: Monterey 12.7.4
Description
The AirportItlwm driver v2.3 causes a kernel panic due to a buffer overflow when processing Wi-Fi scan results. When my network lost internet connectivity, the driver triggered a kernel panic with this error:
__memcpy_chk object size check failed: (1024 < 2397)
What happened:
- The driver's fakeScanDone method called IO80211ScanManager::scanDone
- The scan results contained 2397 bytes of data
- The destination buffer was only allocated for 1024 bytes
- The fortified memcpy detected this overflow and panicked the kernel
Root Cause:
The driver incorrectly assumes scan results will always fit within a 1024-byte buffer, but when scanning in certain conditions (particularly during network disruption), the results can exceed this limit by over 2x.
System Info:
- macOS: 21H1123 (Monterey)
- Kernel: Darwin 21.6.0
- Driver: AirportItlwm v2.3
- Hardware: MacBookPro12,1
- Trigger: Internet connectivity loss on network
Fix Required:
The driver needs proper bounds checking or dynamic buffer allocation for scan results to handle variable-sized data safely.
Full Kernel panic:
panic(cpu 2 caller 0xffffff8019f044f0): __memcpy_chk object size check failed: dst 0xffffff9a118918a0, src 0xffffff8bab7b3cc4, (1024 < 2397) @subrs.c:606
Panicked task 0xffffff9079806670: 179 threads: pid 0: kernel_task
Backtrace (CPU 2), panicked thread: 0xffffff95455daaa0, Frame : Return Address
0xffffffc8963f3930 : 0xffffff801a079a3d mach_kernel : _handle_debugger_trap + 0x41d
0xffffffc8963f3980 : 0xffffff801a1dcd16 mach_kernel : _kdp_i386_trap + 0x116
0xffffffc8963f39c0 : 0xffffff801a1cc083 mach_kernel : _kernel_trap + 0x4d3
0xffffffc8963f3a10 : 0xffffff801a019a90 mach_kernel : _return_from_trap + 0xe0
0xffffffc8963f3a30 : 0xffffff801a079e0d mach_kernel : _DebuggerTrapWithState + 0xad
0xffffffc8963f3b50 : 0xffffff801a0795c6 mach_kernel : _panic_trap_to_debugger + 0x2b6
0xffffffc8963f3bb0 : 0xffffff801a914e33 mach_kernel : _panic + 0x84
0xffffffc8963f3ca0 : 0xffffff8019f044f0
0xffffffc8963f3cc0 : 0xffffff801beedae4 com.apple.iokit.IO80211FamilyLegacy : __ZN18IO80211ScanManager8scanDoneEb + 0x104
0xffffffc8963f3d30 : 0xffffff801bed5dc7 com.apple.iokit.IO80211FamilyLegacy : __ZN16IO80211Interface11postMessageEjPvm + 0x9a3
0xffffffc8963f3da0 : 0xffffff801e24a90f com.zxystd.AirportItlwm : __ZN12AirportItlwm12fakeScanDoneEP8OSObjectP18IOTimerEventSource + 0x3f
0xffffffc8963f3dd0 : 0xffffff801a84a0e5 mach_kernel : _ZN18IOTimerEventSource15timeoutSignaledEPvS0 + 0xa5
0xffffffc8963f3e40 : 0xffffff801a849fe8 mach_kernel : _ZN18IOTimerEventSource17timeoutAndReleaseEPvS0 + 0xc8
0xffffffc8963f3e70 : 0xffffff801a0ccac5 mach_kernel : _thread_call_delayed_timer + 0x505
0xffffffc8963f3ee0 : 0xffffff801a0cdb92 mach_kernel : _thread_call_delayed_timer + 0x15d2
0xffffffc8963f3fa0 : 0xffffff801a01919e mach_kernel : _call_continuation + 0x2e
Kernel Extensions in backtrace:
com.apple.iokit.IO80211FamilyLegacy(1200.12.2b1)[F40186DD-A127-36B4-AA86-3A530FA70D2A]@0xffffff801be3e000->0xffffff801bf83fff
dependency: com.apple.driver.AppleMobileFileIntegrity(1.0.5)[2F9BBF9B-BDBA-3DB4-BC06-62AA3A27EA38]@0xffffff801b7b1000->0xffffff801b7d3fff
dependency: com.apple.driver.corecapture(1.0.4)[5FCE5F91-FA93-3BCB-9DEB-15B942DC7566]@0xffffff801d4a0000->0xffffff801d4b9fff
dependency: com.apple.iokit.CoreAnalyticsFamily(1)[F93FBDA7-F5FA-3815-834A-5E0107AAF3C3]@0xffffff801bad4000->0xffffff801badbfff
dependency: com.apple.iokit.IONetworkingFamily(3.4)[8D3DEB18-EC00-3E30-A751-F82914099436]@0xffffff801c99a000->0xffffff801c9b0fff
dependency: com.apple.iokit.IOSkywalkFamily(1.0)[8732712A-3178-31BA-9B39-F00B7CAE0E4B]@0xffffff801cd18000->0xffffff801cd62fff
dependency: com.apple.kec.corecrypto(12.0)[01223714-655F-39D1-A6A0-0DDEF96B5ED8]@0xffffff801d4c6000->0xffffff801d546fff
com.zxystd.AirportItlwm(2.3)[F345E8F7-5420-3B75-9024-DE09C70AF971]@0xffffff801e18b000->0xffffff801f11bfff
dependency: com.apple.iokit.IO80211FamilyLegacy(1200.12.2b1)[F40186DD-A127-36B4-AA86-3A530FA70D2A]@0xffffff801be3e000->0xffffff801bf83fff
dependency: com.apple.iokit.IONetworkingFamily(3.4)[8D3DEB18-EC00-3E30-A751-F82914099436]@0xffffff801c99a000->0xffffff801c9b0fff
dependency: com.apple.iokit.IOPCIFamily(2.9)[AD8F9185-74F7-33D0-AC4A-46D2EA340A85]@0xffffff801cc38000->0xffffff801cc64fff
Process name corresponding to current thread (0xffffff95455daaa0): kernel_task
Boot args: debug=0x100 keepsyms=1 -novht -noht40 chunklist-security-epoch=0 -chunklist-no-rev2-dev
Mac OS version:
21H1123
Kernel version:
Darwin Kernel Version 21.6.0: Mon Feb 19 20:24:34 PST 2024; root:xnu-8020.240.18.707.4~1/RELEASE_X86_64
Kernel UUID: FAD66064-42E1-3834-A041-64EB64CDD8CD
KernelCache slide: 0x0000000019e00000
KernelCache base: 0xffffff801a000000
Kernel slide: 0x0000000019e10000
Kernel text base: 0xffffff801a010000
__HIB text base: 0xffffff8019f00000
System model name: MacBookPro12,1 (Mac-E43C1C25D4880AD6)
System shutdown begun: NO
Panic diags file available: YES (0x0)
Hibernation exit count: 0
System uptime in nanoseconds: 359766948344
Last Sleep: absolute base_tsc base_nano
Uptime : 0x00000053c3c7ff90
Sleep : 0x0000000000000000 0x0000000000000000 0x0000000000000000
Wake : 0x0000000000000000 0x0000000e5c846862 0x0000000000000000
Compressor Info: 0% of compressed pages limit (OK) and 0% of segments limit (OK) with 1 swapfiles and OK swap space
Zone info:
Zone map: 0xffffff8079257000 - 0xffffffa079257000
. PGZ : 0xffffff8079257000 - 0xffffff8079e58000
. VM : 0xffffff8079e58000 - 0xffffff8546957000
. RO : 0xffffff8546957000 - 0xffffff86e0257000
. GEN0 : 0xffffff86e0257000 - 0xffffff8bacd57000
. GEN1 : 0xffffff8bacd57000 - 0xffffff9079857000
. GEN2 : 0xffffff9079857000 - 0xffffff9546357000
. GEN3 : 0xffffff9546357000 - 0xffffff9a12e57000
. DATA : 0xffffff9a12e57000 - 0xffffffa079257000
Metadata: 0xffffff8056e47000 - 0xffffff8076e47000
Bitmaps : 0xffffff8076e47000 - 0xffffff8079247000
Bug Report Archive
None
Kext Download Source
OpenIntelWireless
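The bounds-checking option named under "Fix Required", sketched as an added user-space example that is not code from AirportItlwm or IO80211Family. It assumes the scan payload is a run of 802.11-style (id, length, body) elements; the function names, `SCAN_BUF_CAP` and the sample data are hypothetical, with the sample constructed to total the 2397 bytes from the panic message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCAN_BUF_CAP 1024u /* destination size reported in the panic */

/* Longest prefix of src made of whole (id, len, body) elements that fits in
 * cap bytes. The TLV layout is an assumption, not taken from the driver. */
size_t ie_prefix_len(const uint8_t *src, size_t src_len, size_t cap)
{
    size_t off = 0;
    while (off + 2 <= src_len) {
        size_t next = off + 2 + src[off + 1];
        if (next > src_len || next > cap)
            break; /* truncated tail, or element would not fit */
        off = next;
    }
    return off;
}

/* Copy only the whole elements that fit; a return value below src_len tells
 * the caller the results were truncated instead of overrunning dst. */
size_t copy_scan_bounded(uint8_t *dst, size_t dst_cap,
                         const uint8_t *src, size_t src_len)
{
    size_t n = ie_prefix_len(src, src_len, dst_cap);
    memcpy(dst, src, n); /* n <= dst_cap by construction */
    return n;
}

/* Constructed sample input: n_elems elements of 47 bytes each (2 + 45). */
size_t build_sample(uint8_t *buf, size_t n_elems)
{
    for (size_t i = 0; i < n_elems; i++) {
        buf[i * 47] = 0xdd;   /* element id */
        buf[i * 47 + 1] = 45; /* body length */
        memset(buf + i * 47 + 2, (int)(i & 0xff), 45);
    }
    return n_elems * 47;
}

int main(void)
{
    uint8_t src[2397], dst[SCAN_BUF_CAP];
    size_t n = build_sample(src, 51); /* 51 * 47 = 2397, the panic's size */
    printf("copied %zu of %zu bytes\n",
           copy_scan_bounded(dst, sizeof dst, src, n), n);
    return 0;
}
```

Cutting at an element boundary means a consumer of the 1024-byte buffer never parses a half-copied element; the alternative fix from the report is to size the destination from the source length before copying.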