This is the DriverKit vulnerability exploited by Fugu14. The DriverKit method CreateMemoryDescriptorFromClient, defined on IOUserClient, does not check whether the user client has been initialized. If it has not been, me->fTask is NULL and IOMemoryDescriptor::withAddressRanges is called with a NULL task. IOMemoryDescriptor::withAddressRanges interprets a NULL task as "treat the passed-in address as a physical address", and because the DriverKit driver can specify arbitrary addresses, this allows creating an IOMemoryDescriptor for any physical address.

For more details, see https://github.com/LinusHenze/Fugu14/blob/master/Writeup.pdf
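The following is an added, simplified C model of the missing check described above; it is not XNU or Fugu14 code, and all type and function names (task_t, mem_desc_t, user_client_t, with_address_ranges, create_descriptor_*) are hypothetical stand-ins. It contrasts the unchecked path, where an uninitialized client's NULL fTask turns the request into a physical-address descriptor, with a hardened version that refuses the call before any descriptor is built.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the kernel objects involved (not XNU definitions). */
typedef struct { int id; } task_t;

typedef struct {
    bool     valid;      /* false when the request was rejected */
    bool     physical;   /* true when the range is interpreted as a physical address */
    uint64_t address;
    uint64_t length;
} mem_desc_t;

typedef struct {
    bool    initialized; /* set once the client has been attached to its task */
    task_t *fTask;       /* NULL until initialization completes */
} user_client_t;

/* Models IOMemoryDescriptor::withAddressRanges: a NULL task means "physical". */
static mem_desc_t with_address_ranges(task_t *task, uint64_t addr, uint64_t len) {
    mem_desc_t d = { .valid = true, .physical = (task == NULL), .address = addr, .length = len };
    return d;
}

/* Vulnerable shape: no initialization check, so a NULL fTask reaches the descriptor. */
mem_desc_t create_descriptor_vulnerable(user_client_t *me, uint64_t addr, uint64_t len) {
    return with_address_ranges(me->fTask, addr, len);
}

/* Hardened shape: reject the call until the client is initialized and has a task. */
mem_desc_t create_descriptor_fixed(user_client_t *me, uint64_t addr, uint64_t len) {
    mem_desc_t rejected = { .valid = false };
    if (!me->initialized || me->fTask == NULL)
        return rejected;                    /* models returning an error to the caller */
    return with_address_ranges(me->fTask, addr, len);
}

/* Constructed scenario: an uninitialized client requests an arbitrary (sample) address. */
bool uninitialized_client_gets_physical_descriptor(void) {
    user_client_t me = { .initialized = false, .fTask = NULL };
    mem_desc_t d = create_descriptor_vulnerable(&me, 0x800000000ULL, 0x4000);
    return d.valid && d.physical;          /* true: the bug the page describes */
}

bool hardened_client_rejects_uninitialized(void) {
    user_client_t me = { .initialized = false, .fTask = NULL };
    return !create_descriptor_fixed(&me, 0x800000000ULL, 0x4000).valid;
}
```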