IGAccelVideoContextMedia is the userclient responsible for gpu accelerated video decoding - it's userclient type 0x101 of the IntelAccelerator IOService.
Clients of IGAccelVideoContextMedia call IOConnectMapMemory with type=0 to map a shared buffer which is used to pass tokens to the kernel.
The IGAccelVideoContextMedia::process_token_* methods parse these tokens (offset +0x10 of the IOAccelCommandStreamInfo& which is passed to the process_token_* methods is a pointer into the shared buffer.)
There are multiple cases of insufficient bounds checking allowing an attacker to get controlled writes to kernel memory
more here for PoCs.............https://code.google.com/p/google-security-research/issues/detail?id=30
Clients of IGAccelVideoContextMedia call IOConnectMapMemory with type=0 to map a shared buffer which is used to pass tokens to the kernel.
The IGAccelVideoContextMedia::process_token_* methods parse these tokens (offset +0x10 of the IOAccelCommandStreamInfo& which is passed to the process_token_* methods is a pointer into the shared buffer.)
There are multiple cases of insufficient bounds checking allowing an attacker to get controlled writes to kernel memory
more here for PoCs.............https://code.google.com/p/google-security-research/issues/detail?id=30