The array ppsPMR in DEVMEMXINT_RESERVATION holds references to PMR structures (using PMRRefPMR2()), intending to prevent the PMRs' physical memory from being released. However, PMRs with PVRSRV_MEMALLOCFLAG_NO_OSPAGES_ON_ALLOC (which for OSMem PMRs internally translates to FLAG_ONDEMAND) can release their backing physical pages while references to the PMR still exist; PMRLockSysPhysAddresses() must be used to prevent a PMR's backing pages from disappearing, like in DevmemIntMapPMR2(). Therefore, it is currently possible to free a PMR's backing pages while the PMR is mapped into a DEVMEMXINT_RESERVATION, leading to physical page use-after-free.
cc6e11ae0dee934a94a29ebded0e52e70690ca998d7efe6c5f0ffe85ffda4ebaQualcomm KGSL has an issue where reclaimed / in-reclaim objects can still be mapped into VBOs.
1428075df507c623a1bd9ac4565539be37fad3bf60c27a111608fd1f90e9a845An LSM can prevent the fcntl/close race cleanup path in fcntl_setlk() from working, leading to use-after-free read in lock_get_status() when reading /proc/locks.
be3debe6c62f6ce4ba3fee414d1fb7b202ab4839dec89a3b6e8e94e90eaac790PowerVR suffers from a use-after-free vulnerability in DevmemIntChangeSparse2() on a PMRGetUID() call.
995fc11455439b600de3444c34a92fcad3e63b940610a057e80033a2a169d793Linux has an issue where landlock can be disabled thanks to a missing cred_transfer hook.
a12bdeb84032ca0a10a49441e34ac1148d44ca6ae128dfe4fd56120c8dbf3c24Two security issues have been identified in PowerVR during patch review.
cdf2436c82b9dc3dd355eb1bdda7e1b097e169a71d8db78713cba518bf056306Linux DRM has drm_file_update_pid() call to get_pid() too late, which creates a race condition that can lead to use-after-free issue of a struct pid.
ea7aa640ea9bb86fe73ddf82c6205724499ae72e163dd9ad1ae1c987416c0d29Telegram for Android suffers from a use-after-free vulnerability in Connection::onReceivedData.
b50977499b859adec9bc55d49621466231a4ab00aa44223747f9839cecd9995ePowerVR has an issue where wrapping addition in _DevmemXReservationPageAddress() causes an MMU operation at the wrong address.
8cf4775aa2d6620274690594068ebd5446a26435ff99535d37ef3d64af38db87PowerVR has integer overflows in DevmemXIntMapPages() and DevmemXIntUnmapPages(), exploitable as dangling GPU page table entries.
607faad30ec56959223ff39f5065ae4bc346c6c969c93404b728ab4ed243fc1aPowerVR PMR allows physical memory to be freed before GPU TLB invalidation.
48938b3e44dc2ae24749118301fe7c8b943bd6b5bb5f57034378aa0f41845d6fPowerVR has an issue with missing tracking of multiple sparse mappings in DevmemIntChangeSparse2() that leads to a dangling page table entry.
426fb16d93d8096a50bbd9d26c9fe783fb082dc59ace42d221957b371d7eaae7The PowerVR driver does not sanitize ZS-Buffer / MSAA scratch firmware addresses.
c2daa30504b0e8c789700f2b12ba70633fcac40fa494865c6f36f0fc4494835bPowerVR suffers from an out-of-bounds write of firmware addresses in PVRSRVRGXKickTA3DKM().
bf643f590254db32f40863c345eaa6faa2bb814e2aa4cfd56828c8a49a38c33aPowerVR suffers from an uninitialized memory disclosure and crash due to out-of-bounds reads in hwperf_host_%d stream.
21afd37aba8ffcfc6bd66ce8187be897144f972c8efddd7b417e5044e23024a8PowerVR suffers from an issue where DevmemXIntMapPages() allows mapping sDevZeroPage/sDummyPage without holding reference.
a872ec3e6ff34c9730a9e040bcfef2da822351bb1bc1c1b8c09c8adf411bf0bdPowerVR suffers from a wrong order of operations in DevmemIntChangeSparse2() that leads to a temporarily dangling page table entry.
c60d53fd594988ae874f9172ca988e0a08a60b03ec48452203f70a979e6d922ePowerVR suffers from a use-after-free vulnerability in _UnrefAndMaybeDestroy().
62d48fec6da2920518cfbf331f251078d85c51ab0a1e30e21ab38e0edd6f3b51Arm Mali versions since r45p0 suffer from a broken KBASE_USER_BUF_STATE_* state machine for userspace mappings that can lead to a use-after-free condition.
6886ec45419b22efaa4183177ef852a685bb4e3e8f20fe513a25b84dccef3243In mmu_insert_pages_no_flush(), when a HUGE_HEAD page is mapped to a 2M aligned GPU address, this is done by creating an Address Translation Entry (ATE) at MIDGARD_MMU_LEVEL(2) (in other words, an ATE covering 2M of memory is created). This is wrong because it assumes that at least 2M of memory should be mapped. mmu_insert_pages_no_flush() can be called in cases where less than that should be mapped, for example when creating a short alias of a big native allocation. Later, when kbase_mmu_teardown_pgd_pages() tries to tear down this region, it will detect that unmapping a subsection of a 2M ATE is not possible and write a log message complaining about this, but then proceed as if everything was fine while leaving the ATE intact. This means the higher-level code will proceed to free the referenced physical memory while the ATE still points to it.
02b7002e9ef87f42111b8b994ec26a71eab28f5f71c23d3899c25a6cc7a85c92PowerVR has a security issue where a writability check in PMRMMapPMR() does not clear VM_MAYWRITE.
3c6be466dbc5e6f19541750720a0f82bfbd11613fafa5557f44c1df26aa893b2The Windows Kernel suffers from a subkey list use-after-free vulnerability due to a mishandling of partial success in CmpAddSubKeyEx.
371f9505662bb6a768bb624f24a62e46fef4ad9feab889c6189fe75092e31989PowerVR has an issue where DevmemIntUnexportCtx destroys export before unlinking it, leading to a use-after-free condition.
6f9202099fe090be7419d76b62ea9327f8db8be77898b1207baaaa4a3a3cd10eLinux versions starting with 6.5 suffer from a read-after-type-change of folio in cachestat() that leads to a kernel pointer leak.
9ed32c7cf46a882e510759c307e0ac2758225c4d00df31c8c83be548a01fd482There is a memory corruption issue in the MFC media processing core on the Pixel 7. It occurs when decoding a malformed H264 stream in Chrome, likely to due to an out of bounds quantization parameter. A write to plane 0 that occurs during macroblock decoding extends past the allocated bounds of the plane, and can overwrite the motion vector (MV) buffer or cause a crash if the adjacent address is unmapped. Both of these allocations are DMA buffers and it is unclear whether this condition is exploitable.
03533e71b8963179a0ae3ad68550b9e5e705a79dd75292d232b287f1c47b89f6
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed