ziVA: Zimperium’s iOS Video Audio Kernel Exploit
A brief description of one of the vulnerabilities, CVE-2017-6979:
The function IOSurfaceRoot::createSurface is responsible for the creation of the IOSurface object. It receives an OSDictionary, which it forwards to the function IOSurface::init.
IOSurface::init parses the properties and, if any of them is invalid (e.g., a width that exceeds 32 bits), returns 0, so the creation of the IOSurface is halted.
The IOSurfaceRoot object must hold a lock while calling IOSurface::init because IOSurface::init adds the IOSurface object to the IOSurfaceRoot’s list of surfaces.
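As an added example, not code from the Zimperium post or from Apple's kernel sources, here is a simplified C model of the createSurface/init contract described above: properties are validated, the surface is linked into the root's list only while the root lock is held, and a rejected surface leaves the list untouched. The names surface_root_t, surface_init, root_create_surface and the lock_held flag are stand-ins of my own, and the height check is assumed alongside the width check the text mentions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified model of the contract described above, not Apple's code: a root
 * object owns a list of surfaces and a lock that must be held whenever a
 * surface is initialised and linked into that list. */
typedef struct surface {
    uint64_t width, height;
    struct surface *next;
} surface_t;
typedef struct {
    int lock_held;        /* stands in for the root's kernel lock */
    surface_t *surfaces;  /* every initialised surface joins this list */
    size_t count;
} surface_root_t;
/* Stand-in for the OSDictionary of properties: only the two we validate. */
typedef struct { uint64_t width, height; } surface_props_t;
/* Plays the role of IOSurface::init: reject a dimension that does not fit in
 * 32 bits, and refuse to touch the list unless the root lock is held. */
static int surface_init(surface_t *s, surface_root_t *root, const surface_props_t *p) {
    if (!root->lock_held) return 0;                   /* caller broke the rule */
    if (p->width == 0 || p->width > UINT32_MAX) return 0;
    if (p->height == 0 || p->height > UINT32_MAX) return 0;
    s->width = p->width; s->height = p->height;
    s->next = root->surfaces; root->surfaces = s; root->count++; /* link into list */
    return 1;
}
/* Plays the role of IOSurfaceRoot::createSurface: hold the lock across init so
 * the list is only modified under it, and free the object if init rejects. */
surface_t *root_create_surface(surface_root_t *root, const surface_props_t *p) {
    surface_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    root->lock_held = 1;
    int ok = surface_init(s, root, p);
    root->lock_held = 0;
    if (!ok) { free(s); return NULL; }                /* list left untouched */
    return s;
}
/* Exercises both paths; returns 1 when the contract holds. */
int check_create_contract(void) {
    surface_root_t root = {0, NULL, 0};
    surface_props_t good = {1024, 768}, wide = {(uint64_t)UINT32_MAX + 1, 768};
    surface_t tmp, *s = root_create_surface(&root, &good);
    if (s == NULL || root.count != 1) return 0;
    if (root_create_surface(&root, &wide) != NULL || root.count != 1) return 0;
    if (surface_init(&tmp, &root, &good) != 0) return 0; /* no lock: refused */
    free(s);
    return 1;
}
```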
[source: https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/]