khugepaged on Linux races with rmap-based zap, races with GUP-fast, and fails to call MMU notifiers.
4a7e3cd6f113b1a612bf06b09dde29c3da416e1312821de9fb2c055f4fb2c180Linux kernel version 4.10 suffers from a use-after-free vulnerability in __do_semtimedop() due to a lockless check outside the RCU section.
07d8df8e54828f8f33482f1bf22aa6ffd633c656b7301bc40395e4379d31e449The Mali driver tries to use the KBASE_REG_NO_USER_FREE flag to ensure that the memory region referenced by kbase_csf_tiler_heap::buf_desc_reg cannot be freed by userspace. However, this flag is only a single bit, and there can be multiple tiler heaps referencing the same memory region. This can lead to a use-after-free condition.
b873567924105769f827e9318b7b58298191410905a58cc3d3192c6ce29f3225Linux suffers from two seccomp bugs with a PT_SUSPEND_SECCOMP permission bypass and ptracer death race condition.
6d7f253f354c0c71a5692bbeb6bcd2a20b50e96fc05afeda0286131716d7b406Linux has an issue with munmap() racing with pagemap_read() that leads to a page use-after-free vulnerability.
6e43fff37a6d90cd02b391b72b480aba2d74433d269f96e0cefcf585c8e51dd3Linux suffers from an anon_vma use-after-free vulnerability through the bogus merge of VMAs caused by double-reuse of leaf anon_vma because of ->degree misinterpretation.
e27e13af66dddafc7e4588c3b561b058fe6859b4fbc060de1741e0003a7d5b45Linux stable versions 5.4 and 5.10 suffers from a page use-after-free via stale TLB caused by an rmap lock not held during PUD move.
b9d45dd1409659792dcfd15c2c4781345acb1b7ca05dc637d666213b43252dffIn the Linux Mali driver, when building with MALI_USE_CSF, the VFS read handler of the main Mali file descriptor (kbase_read()) never looks at its "count" parameter. This means that a simple userspace program that sets up a Mali file descriptor, then calls read(mali_fd, buf, 1), will see read() returning a higher length than requested, and out-of-bounds data in the userspace buffer will be clobbered.
3d801b6f86d2cf6dcafab0fab084495a709669823b168ea8d4eaa15c04e2a64cThe Mali driver frees GPU page tables before removing the higher-level PTEs pointing to those page tables (and, therefore, also before issuing the required flushes). This means a racing memory write instruction on the GPU can write to an attacker-controlled physical address.
b9314770c55b858e1768dc0c89581aba6dcd511b77abe5a7a6849771f7835386Arm Mali has an issue where a driver exposes physical addresses to unprivileged userspace.
0dd6b9f2ab5a6a54b712bd8da62800520f10d77e1129a4be99b021e528de767aOn Mali devices without the new CSF interface, IMPORTED_USER_BUF is released without flushing host-side VMAs, leading to a page use-after-free vulnerability.
51a2923bc823fc6d20b96117084be18b4a15d5a3f49b9f2dc2e04e3c069198a0For VM_PFNMAP VMAs, there is a race between unmap_mapping_range() and munmap() that can lead to a page being freed by a device driver while the page still has stale TLB entries.
0c343119926cb622181935b2b8688c9dde2b0e898e81a4a44edd9820611241dfKVM instruction emulation can run while KVM_VCPU_PREEMPTED is set, which can lead other vcpus to skip sending TLB flush IPIs. As a consequence, KVM instruction emulation can access memory through stale translations when the guest kernel thinks it has flushed all cached translations. This could potentially be used by unprivileged userspace inside a guest to compromise the guest kernel.
16fd49b64aee26c8f9a9ad6cb4265e74537f37bede65109a50798f82ac77833bIn the Arm Mali driver's handling of CSF user I/O mappings, VMA splitting is handled incorrectly, leading to a page being given back to the kernel's page allocator while it is still mapped into userspace. On devices with recent Mali GPUs that support CSF, this is a security bug that should be very straightforward to exploit.
6ee0db58337e2459a3e0a317b84488b6c9019397c42a860c2baea1a6661f8592Xen's _get_page_type() contains an ABAC cmpxchg() race, where the code incorrectly assumes that if it reads a specific type_info value, and then later cmpxchg() succeeds, the type_info can't have changed in between.
88fe91f31a1fa5b68860cd0112d829c44076320a17d995120f8a3d426cc59af7On CPUs without SELFSNOOP support, a Xen PV domain that has access to a PCI device (which grants the domain the ability to set arbitrary cache attributes on all its pages) can trick Xen into validating an L2 pagetable that contains a cacheline that is marked as clean in the cache but actually differs from main memory. After the pagetable has been validated, an attacker can flush the "clean" cacheline, such that on the next load, unvalidated data from main memory shows up in the pagetable.
0ca3bec4eaa9cefc4bd68628da583653303fb2bb08f1b14700118565ff032f9cChromeOS uses usbguard when the screen is locked but appears to suffer from bypass issues.
686e2d50596cc3cee3dd66e0fc5f2a715094be5a79c099a547c49d3457af1129Linux usbnet code tells minidrivers to unbind while netdev is still up, causing use-after-free conditions.
9cbdb1ccc149a355b2d267a848a75d3513d0e33cb89787801e49bf0110235f37Linux suffers from two bugs in PT_SUSPEND_SECCOMP. One allows for permission bypass and the other relates to a ptracer death race.
090e7e5a723be850497afe230306c956241cce0eb429877bf07e8c0f06eb2a40This Metasploit module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service if multiple failed attempts occur, however this is unlikely.
b59181d9b536ad31ebdc6b3f83985c65e49fbe3242468f7709e7bb7a2d4b1e5fBlueZ suffers from a vulnerability where a malicious USB device can steal Bluetooth link keys over HCI using a fake BD_ADDR. It was also discovered that bluetoothd suffers from a double-free memory corruption flaw.
8a1aa43e53f3253ec88afc78d193bedf1f90ff6d4fdbe4fc1be57e91906b1055Linux suffers from a vulnerability where FUSE allows use-after-free reads of write() buffers, allowing theft of (partial) /etc/shadow hashes.
2013a523f6140f5f94778f15578c0f1d52f0a0bddd81e46cc48963fbe8fd4efbThe Linux watch_queue filter suffers from an out of bounds write vulnerability.
48bdbb27c736f9c5dd12453993d4bc23ee38e3c25b3e23faef205b92dcf36f51In Linux, drivers/net/usb/ax88179_178a.c contains multiple out-of-bounds accesses in ax88179_rx_fixup(), the function responsible for taking a buffer received over USB and splitting it up into ethernet packets.
d31f6a101db6dc5fd85ff3bf16404acb26c0969c2cd57cc1adc10f3d4419cf21Linux suffers from a garbage collection memory corruption vulnerability by resurrecting a file reference through RCU.
638d1db3f45bcd59a8ce424b7eb6551bbe0ff49ecd4eb9c767f096560f4687de
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed