exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 170 RSS Feed

Files from Jann Horn

Email addressjannh at google.com
First Active2013-03-14
Last Active2023-01-11
Linux khugepaged Race Conditions
Posted Jan 11, 2023
Authored by Jann Horn, Google Security Research

khugepaged on Linux races with rmap-based zap, races with GUP-fast, and fails to call MMU notifiers.

tags | exploit
systems | linux
SHA-256 | 4a7e3cd6f113b1a612bf06b09dde29c3da416e1312821de9fb2c055f4fb2c180
Linux 4.10 Use-After-Free
Posted Jan 10, 2023
Authored by Jann Horn, Google Security Research

Linux kernel version 4.10 suffers from a use-after-free vulnerability in __do_semtimedop() due to a lockless check outside the RCU section.

tags | exploit, kernel
systems | linux
SHA-256 | 07d8df8e54828f8f33482f1bf22aa6ffd633c656b7301bc40395e4379d31e449
Arm Mali CSF KBASE_REG_NO_USER_FREE Unsafe Use Use-After-Free
Posted Jan 10, 2023
Authored by Jann Horn, Google Security Research

The Mali driver tries to use the KBASE_REG_NO_USER_FREE flag to ensure that the memory region referenced by kbase_csf_tiler_heap::buf_desc_reg cannot be freed by userspace. However, this flag is only a single bit, and there can be multiple tiler heaps referencing the same memory region. This can lead to a use-after-free condition.

tags | exploit
advisories | CVE-2022-42716
SHA-256 | b873567924105769f827e9318b7b58298191410905a58cc3d3192c6ce29f3225
Linux PT_SUSPEND_SECCOMP Permission Bypass / Ptracer Death Race
Posted Jan 3, 2023
Authored by Jann Horn, Google Security Research

Linux suffers from two seccomp bugs with a PT_SUSPEND_SECCOMP permission bypass and ptracer death race condition.

tags | exploit
systems | linux
advisories | CVE-2022-30594
SHA-256 | 6d7f253f354c0c71a5692bbeb6bcd2a20b50e96fc05afeda0286131716d7b406
Linux munmap() Race Condition / Use-After-Free
Posted Oct 10, 2022
Authored by Jann Horn, Google Security Research

Linux has an issue with munmap() racing with pagemap_read() that leads to a page use-after-free vulnerability.

tags | exploit
systems | linux
SHA-256 | 6e43fff37a6d90cd02b391b72b480aba2d74433d269f96e0cefcf585c8e51dd3
Linux 3.19 anon_vma Use-After-Free
Posted Oct 6, 2022
Authored by Jann Horn, Google Security Research

Linux suffers from an anon_vma use-after-free vulnerability through the bogus merge of VMAs caused by double-reuse of leaf anon_vma because of ->degree misinterpretation.

tags | exploit
systems | linux
SHA-256 | e27e13af66dddafc7e4588c3b561b058fe6859b4fbc060de1741e0003a7d5b45
Linux Stable 5.4 / 5.10 Use-After-Free / Race Condition
Posted Sep 22, 2022
Authored by Jann Horn, Google Security Research

Linux stable versions 5.4 and 5.10 suffers from a page use-after-free via stale TLB caused by an rmap lock not held during PUD move.

tags | exploit
systems | linux
advisories | CVE-2022-41222
SHA-256 | b9d45dd1409659792dcfd15c2c4781345acb1b7ca05dc637d666213b43252dff
Arm Mali CSF Missing Buffer Size Check
Posted Sep 20, 2022
Authored by Jann Horn, Google Security Research

In the Linux Mali driver, when building with MALI_USE_CSF, the VFS read handler of the main Mali file descriptor (kbase_read()) never looks at its "count" parameter. This means that a simple userspace program that sets up a Mali file descriptor, then calls read(mali_fd, buf, 1), will see read() returning a higher length than requested, and out-of-bounds data in the userspace buffer will be clobbered.

tags | exploit
systems | linux
advisories | CVE-2022-36449
SHA-256 | 3d801b6f86d2cf6dcafab0fab084495a709669823b168ea8d4eaa15c04e2a64c
Arm Mali Race Condition
Posted Sep 20, 2022
Authored by Jann Horn, Google Security Research

The Mali driver frees GPU page tables before removing the higher-level PTEs pointing to those page tables (and, therefore, also before issuing the required flushes). This means a racing memory write instruction on the GPU can write to an attacker-controlled physical address.

tags | exploit
advisories | CVE-2022-36449
SHA-256 | b9314770c55b858e1768dc0c89581aba6dcd511b77abe5a7a6849771f7835386
Arm Mali Physical Address Exposure
Posted Sep 20, 2022
Authored by Jann Horn, Google Security Research

Arm Mali has an issue where a driver exposes physical addresses to unprivileged userspace.

tags | exploit
advisories | CVE-2022-36449
SHA-256 | 0dd6b9f2ab5a6a54b712bd8da62800520f10d77e1129a4be99b021e528de767a
Arm Mali Released Buffer Use-After-Free
Posted Sep 20, 2022
Authored by Jann Horn, Google Security Research

On Mali devices without the new CSF interface, IMPORTED_USER_BUF is released without flushing host-side VMAs, leading to a page use-after-free vulnerability.

tags | exploit
advisories | CVE-2022-36449
SHA-256 | 51a2923bc823fc6d20b96117084be18b4a15d5a3f49b9f2dc2e04e3c069198a0
Linux unmap_mapping_range() Race Condition
Posted Aug 30, 2022
Authored by Jann Horn, Google Security Research

For VM_PFNMAP VMAs, there is a race between unmap_mapping_range() and munmap() that can lead to a page being freed by a device driver while the page still has stale TLB entries.

tags | advisory
SHA-256 | 0c343119926cb622181935b2b8688c9dde2b0e898e81a4a44edd9820611241df
Linux KVM Instruction Emulation Issue
Posted Aug 30, 2022
Authored by Jann Horn, Google Security Research

KVM instruction emulation can run while KVM_VCPU_PREEMPTED is set, which can lead other vcpus to skip sending TLB flush IPIs. As a consequence, KVM instruction emulation can access memory through stale translations when the guest kernel thinks it has flushed all cached translations. This could potentially be used by unprivileged userspace inside a guest to compromise the guest kernel.

tags | exploit, kernel
SHA-256 | 16fd49b64aee26c8f9a9ad6cb4265e74537f37bede65109a50798f82ac77833b
Arm Mali CSF VMA Split Mishandling
Posted Aug 25, 2022
Authored by Jann Horn, Google Security Research

In the Arm Mali driver's handling of CSF user I/O mappings, VMA splitting is handled incorrectly, leading to a page being given back to the kernel's page allocator while it is still mapped into userspace. On devices with recent Mali GPUs that support CSF, this is a security bug that should be very straightforward to exploit.

tags | exploit, kernel
advisories | CVE-2022-33917
SHA-256 | 6ee0db58337e2459a3e0a317b84488b6c9019397c42a860c2baea1a6661f8592
Xen TLB Flush Bypass
Posted Jul 11, 2022
Authored by Jann Horn, Google Security Research

Xen's _get_page_type() contains an ABAC cmpxchg() race, where the code incorrectly assumes that if it reads a specific type_info value, and then later cmpxchg() succeeds, the type_info can't have changed in between.

tags | exploit
advisories | CVE-2022-26362
SHA-256 | 88fe91f31a1fa5b68860cd0112d829c44076320a17d995120f8a3d426cc59af7
Xen PV Guest Non-SELFSNOOP CPU Memory Corruption
Posted Jul 6, 2022
Authored by Jann Horn, Google Security Research

On CPUs without SELFSNOOP support, a Xen PV domain that has access to a PCI device (which grants the domain the ability to set arbitrary cache attributes on all its pages) can trick Xen into validating an L2 pagetable that contains a cacheline that is marked as clean in the cache but actually differs from main memory. After the pagetable has been validated, an attacker can flush the "clean" cacheline, such that on the next load, unvalidated data from main memory shows up in the pagetable.

tags | exploit, arbitrary
advisories | CVE-2022-26364
SHA-256 | 0ca3bec4eaa9cefc4bd68628da583653303fb2bb08f1b14700118565ff032f9c
ChromeOS usbguard Bypass
Posted May 26, 2022
Authored by Jann Horn, Google Security Research

ChromeOS uses usbguard when the screen is locked but appears to suffer from bypass issues.

tags | exploit
SHA-256 | 686e2d50596cc3cee3dd66e0fc5f2a715094be5a79c099a547c49d3457af1129
Linux USB Use-After-Free
Posted May 20, 2022
Authored by Jann Horn, Google Security Research

Linux usbnet code tells minidrivers to unbind while netdev is still up, causing use-after-free conditions.

tags | exploit
systems | linux
SHA-256 | 9cbdb1ccc149a355b2d267a848a75d3513d0e33cb89787801e49bf0110235f37
Linux PT_SUSPEND_SECCOMP Permission Bypass / Death Race
Posted May 9, 2022
Authored by Jann Horn, Google Security Research

Linux suffers from two bugs in PT_SUSPEND_SECCOMP. One allows for permission bypass and the other relates to a ptracer death race.

tags | exploit
systems | linux
SHA-256 | 090e7e5a723be850497afe230306c956241cce0eb429877bf07e8c0f06eb2a40
Watch Queue Out-Of-Bounds Write
Posted Apr 21, 2022
Authored by Jann Horn, bwatters-r7, bonfee | Site metasploit.com

This Metasploit module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service if multiple failed attempts occur, however this is unlikely.

tags | exploit, denial of service, kernel
systems | linux
advisories | CVE-2022-0995
SHA-256 | b59181d9b536ad31ebdc6b3f83985c65e49fbe3242468f7709e7bb7a2d4b1e5f
BlueZ Key Theft / bluetoothd Double-Free
Posted Apr 19, 2022
Authored by Jann Horn, Google Security Research

BlueZ suffers from a vulnerability where a malicious USB device can steal Bluetooth link keys over HCI using a fake BD_ADDR. It was also discovered that bluetoothd suffers from a double-free memory corruption flaw.

tags | exploit
SHA-256 | 8a1aa43e53f3253ec88afc78d193bedf1f90ff6d4fdbe4fc1be57e91906b1055
Linux FUSE Use-After-Free
Posted Apr 19, 2022
Authored by Jann Horn, Google Security Research

Linux suffers from a vulnerability where FUSE allows use-after-free reads of write() buffers, allowing theft of (partial) /etc/shadow hashes.

tags | exploit
systems | linux
advisories | CVE-2022-1011
SHA-256 | 2013a523f6140f5f94778f15578c0f1d52f0a0bddd81e46cc48963fbe8fd4efb
Linux watch_queue Filter Out-Of-Bounds Write
Posted Apr 19, 2022
Authored by Jann Horn, Google Security Research

The Linux watch_queue filter suffers from an out of bounds write vulnerability.

tags | exploit
systems | linux
advisories | CVE-2022-0995
SHA-256 | 48bdbb27c736f9c5dd12453993d4bc23ee38e3c25b3e23faef205b92dcf36f51
Linux ax88179_rx_fixup() Out-Of-Bounds Access
Posted Mar 21, 2022
Authored by Jann Horn, Google Security Research

In Linux, drivers/net/usb/ax88179_178a.c contains multiple out-of-bounds accesses in ax88179_rx_fixup(), the function responsible for taking a buffer received over USB and splitting it up into ethernet packets.

tags | advisory
systems | linux
SHA-256 | d31f6a101db6dc5fd85ff3bf16404acb26c0969c2cd57cc1adc10f3d4419cf21
Linux Garbage Collection Memory Corruption
Posted Jan 10, 2022
Authored by Jann Horn, Google Security Research

Linux suffers from a garbage collection memory corruption vulnerability by resurrecting a file reference through RCU.

tags | exploit
systems | linux
advisories | CVE-2021-4083
SHA-256 | 638d1db3f45bcd59a8ce424b7eb6551bbe0ff49ecd4eb9c767f096560f4687de
Page 1 of 7
Back12345Next

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close