This is the DriverKit vulnerability exploited by Fugu15. The IOPCIDevice::deviceMemoryRead* and IOPCIDevice::deviceMemoryWrite* functions take a caller-supplied offset into the PCI device's memory mapping, and that offset is not checked against the size of the mapping at all, so a driver can access memory outside the device's range. Since the offset is applied to the kernel-side mapping of the device memory, specifying an offset larger than the PCI device memory size turns these calls into an out-of-bounds read/write of kernel memory, which is what makes arbitrary kernel read/write possible.
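To make the bug class concrete, the following is an added example and not code from Fugu15 or from Apple's DriverKit: a self-contained model of a device-memory accessor with an unchecked offset next to a hardened one. The struct, function names and the 16-byte backing buffer (8 bytes standing in for the mapped BAR, 8 bytes standing in for adjacent kernel data) are all constructed here for illustration; the point it demonstrates is that an offset of `length` or more reads whatever follows the mapping, and that a naive `offset + len <= length` check is itself bypassable by a wrapping offset.

```c
/*
 * Added example, not code from Fugu15 or from Apple's DriverKit: a model of
 * the bug class described above. A PCI BAR is mapped into kernel memory as
 * (base, length); an accessor takes a caller-controlled offset. The
 * vulnerable variant trusts the offset, so offset >= length reads or writes
 * whatever follows the mapping. The hardened variant bounds-checks with
 * overflow-safe arithmetic. All names and the backing buffer are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t *base;     /* kernel virtual address of the mapped BAR (model) */
    uint64_t length;   /* size of the mapping in bytes */
} device_memory_t;

/* Constructed backing store: 8 bytes of "device" memory directly followed
 * by 8 bytes standing in for unrelated kernel data. */
static uint8_t g_backing[16];

static device_memory_t make_model(void) {
    memcpy(g_backing,     "\x11\x22\x33\x44\x55\x66\x77\x88", 8);  /* BAR contents */
    memcpy(g_backing + 8, "\xde\xad\xbe\xef\xca\xfe\xba\xbe", 8);  /* adjacent kernel data */
    device_memory_t m = { g_backing, 8 };
    return m;
}

/* Naive check: offset + len can wrap around, so a huge offset passes. */
bool range_ok_naive(uint64_t offset, uint64_t len, uint64_t length) {
    return offset + len <= length;
}

/* Correct check: no addition on the attacker-controlled side. */
bool range_ok_safe(uint64_t offset, uint64_t len, uint64_t length) {
    return offset <= length && len <= length - offset;
}

/* Vulnerable accessor: models a deviceMemoryRead-style call with no check. */
bool device_memory_read32_vuln(const device_memory_t *mem, uint64_t offset, uint32_t *out) {
    memcpy(out, mem->base + offset, sizeof *out);   /* offset never validated */
    return true;
}

/* Hardened accessors: alignment and range are validated before any access. */
bool device_memory_read32_safe(const device_memory_t *mem, uint64_t offset, uint32_t *out) {
    if (offset % sizeof *out != 0) return false;
    if (!range_ok_safe(offset, sizeof *out, mem->length)) return false;
    memcpy(out, mem->base + offset, sizeof *out);
    return true;
}

bool device_memory_write32_safe(device_memory_t *mem, uint64_t offset, uint32_t value) {
    if (offset % sizeof value != 0) return false;
    if (!range_ok_safe(offset, sizeof value, mem->length)) return false;
    memcpy(mem->base + offset, &value, sizeof value);
    return true;
}

/* offset == length is one past the BAR: the vulnerable read returns the
 * adjacent "kernel" bytes, i.e. an out-of-bounds kernel memory read. */
bool vuln_read_leaks_adjacent(void) {
    device_memory_t m = make_model();
    uint32_t v = 0;
    return device_memory_read32_vuln(&m, m.length, &v) &&
           memcmp(&v, "\xde\xad\xbe\xef", 4) == 0;
}

/* The hardened accessors refuse the same offset for both read and write. */
bool safe_read_rejects_adjacent(void) {
    device_memory_t m = make_model();
    uint32_t v = 0;
    return !device_memory_read32_safe(&m, m.length, &v) &&
           !device_memory_write32_safe(&m, m.length, 0);
}

/* In-bounds, aligned access still works after hardening. */
bool safe_read_allows_in_bounds(void) {
    device_memory_t m = make_model();
    uint32_t v = 0;
    return device_memory_read32_safe(&m, 4, &v) &&
           memcmp(&v, "\x55\x66\x77\x88", 4) == 0;
}

int main(void) {
    printf("vulnerable read leaks adjacent kernel bytes: %s\n", vuln_read_leaks_adjacent() ? "yes" : "no");
    printf("hardened accessors reject offset == length:  %s\n", safe_read_rejects_adjacent() ? "yes" : "no");
    printf("naive check accepts wrapping offset:         %s\n",
           range_ok_naive(UINT64_MAX - 1, 4, 8) ? "yes" : "no");
    printf("safe check rejects wrapping offset:          %s\n",
           range_ok_safe(UINT64_MAX - 1, 4, 8) ? "no" : "yes");
    return 0;
}
```

The model keeps the "kernel" bytes inside one buffer so the out-of-bounds read is deterministic and the program has no undefined behaviour; in a real driver the bytes past the mapping are whatever the kernel happened to place there. The check to look for when auditing an accessor like this is `offset <= length && len <= length - offset`, evaluated before the pointer arithmetic, never `offset + len <= length`.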
The exploit can be found here: https://github.com/pinauten/Fugu15/tree/master/Exploits/oobPCI/Sources