exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 194 RSS Feed

Files from Jann Horn

Email addressjannh at google.com
First Active2013-03-14
Last Active2024-02-19
Chrome chrome.pageCapture.saveAsMHTML() Extension API Blocked Origin Bypass
Posted Feb 19, 2024
Authored by Jann Horn, Google Security Research

Chrome has an issue where the chrome.pageCapture.saveAsMHTML() extension API can be used on blocked origins due to a racy access check.

tags | exploit
advisories | CVE-2024-0811
SHA-256 | c081d9b3a89b0a80ccfbb9fc08c3373284b83957b305d8759f551dfbed038c66
Linux 5.6 io_uring Cred Refcount Overflow
Posted Jan 19, 2024
Authored by Jann Horn, Google Security Research

Linux versions 5.6 and above appear to suffer from a cred refcount overflow when handling approximately 39 gigabytes of memory usage via io_uring.

tags | exploit, overflow
systems | linux
SHA-256 | eb6cd67301b0a3753b8bd45f998819605fcd09521aac98683535cba1e70af180
Linux 4.20 KTLS Read-Only Write
Posted Jan 12, 2024
Authored by Jann Horn, Google Security Research

Linux versions 4.20 and above have an issue where ktls writes into spliced readonly pages.

tags | exploit
systems | linux
advisories | CVE-2022-0847
SHA-256 | c8a387c3d377fb9915457e6c2add6c04bc585011d822e7f419d1a632b108342d
Linux Broken Unix GC Interaction Use-After-Free
Posted Jan 12, 2024
Authored by Jann Horn, Google Security Research

Linux suffers from an io_uring use-after-free vulnerability due to broken unix GC interaction.

tags | exploit
systems | linux, unix
advisories | CVE-2022-2602, CVE-2023-6531
SHA-256 | f69e0977a025727662a99855b4620c72daf61a181fc942af121b5a2aba667456
Linux 6.4 io_uring Use-After-Free
Posted Jan 8, 2024
Authored by Jann Horn, Google Security Research

Linux versions 6.4 and above suffer from an io_uring page use-after-free vulnerability via buffer ring mmap.

tags | exploit
systems | linux
SHA-256 | bdd56a2cf8ae5ffb5b1e0cf855da69a640ead67ed0ab5559b57abc88c22cd6f9
io_uring __io_uaddr_map() Dangerous Multi-Page Handling
Posted Jan 8, 2024
Authored by Jann Horn, Google Security Research

__io_uaddr_map() in io_uring suffers from dangerous handling of the multi-page region.

tags | exploit
advisories | CVE-2023-6560
SHA-256 | 36027428c2c544777c9a58e5240c8a00ac64b96a28b3c1c2a02ca9c040ca0b42
Arm Mali CSF Overflow / Use-After-Free
Posted Dec 8, 2023
Authored by Jann Horn, Google Security Research

Arm Mali CSF has a refcount overflow bugfix in r43p0 that was misclassified as a memory leak fix.

tags | exploit, overflow, memory leak
advisories | CVE-2023-4295
SHA-256 | 05a93b8780cfb3ee2e1142acedfd65b47dbf3a86e2c48f3c8256e45ceaf5837b
ARM Mali r44p0 Use-After-Free
Posted Dec 4, 2023
Authored by Jann Horn, Google Security Research

ARM Mali r44p0 suffers from a use-after-free vulnerability by freeing waitqueue with elements on it.

tags | exploit
advisories | CVE-2023-5427
SHA-256 | 4fea6948aa6c6c134d3f0e82d4d907da692a000feadff0b07880f486048867a4
PowerVR Out-Of-Bounds Access / Information Leak
Posted Oct 23, 2023
Authored by Jann Horn, Google Security Research

PowerVR suffers from a multitude of memory management bugs including out-of-bounds access and information leakage.

tags | exploit
advisories | CVE-2021-1050, CVE-2023-35685
SHA-256 | c135dd9da4f49945f6ffab49beafba001bf366477d6ac30866c7fd5a8b312a8e
Linux DCCP Information Leak
Posted Oct 16, 2023
Authored by Jann Horn, Google Security Research

Linux suffers from a small remote binary information leak in DCCP.

tags | exploit, remote
systems | linux
SHA-256 | 8f509db352a5daf100520971c2666cea99bc2b733614a6fbd107c438f44733be
Linux 6.4 Use-After-Free
Posted Sep 11, 2023
Authored by Jann Horn, Google Security Research

The Linux 6.4 kernel suffers from a use-after-free condition due to per-VMA locks that introduce a race between page fault and MREMAP_DONTUNMAP.

tags | exploit, kernel
systems | linux
SHA-256 | 3d39c971dd3c9a3c68ba92f6935c1ac85bc812d562760cadb42454ab84afcb68
Linux 6.4 Use-After-Free / Race Condition
Posted Sep 4, 2023
Authored by Jann Horn, Google Security Research

There is a race between mbind() and VMA-locked page faults in the Linux 6.4 kernel, leading to a use-after-free condition.

tags | exploit, kernel
systems | linux
SHA-256 | 78b0a4905933278287d325ebef0bf5c144a4c579eaaf4874daf17a797f5aa2b7
Qualcomm Adreno/KGSL Insecure Execution
Posted Jul 4, 2023
Authored by Jann Horn, Google Security Research

Qualcomm Adreno/KGSL suffers from an issue where code in user-writable mapping is executed in non-protected mode.

tags | exploit
advisories | CVE-2023-21670
SHA-256 | 795d9bc48251143119585b455550c6ef9db1db6cead5a6bfba90baa195ff4c43
Qualcomm Adreno/KGSL Data Leakage
Posted May 31, 2023
Authored by Jann Horn, Google Security Research

On Qualcomm Adreno/KGSL builds where CONFIG_QCOM_KGSL_USE_SHMEM is not set (or on older KGSL versions without CONFIG_QCOM_KGSL_USE_SHMEM), KGSL allocates GPU-shared memory from its own page pool. Pages from this pool are inserted into VMAs that don't have any weird flags like VM_PFNMAP set, which means userspace can grab extra references to these pages through get_user_pages() (for example, using vmsplice()). But when GPU-shared memory is freed, KGSL puts the freed pages into its own page pool without checking the page refcount. This means that pages that are still accessible from userspace can be reallocated as GPU memory by another process.

tags | exploit
advisories | CVE-2023-21666
SHA-256 | 912899972d766ddbe72f5a9e3255c982b1f4d47a09b7d4e6f29f8440583aa47c
Qualcomm Adreno/KGSL Unchecked Cast / Type Confusion
Posted May 31, 2023
Authored by Jann Horn, Google Security Research

Qualcomm Adreno/KGSL suffers from an unchecked cast of vma->vm_file->private_data in kgsl_setup_dmabuf_useraddr().

tags | exploit
advisories | CVE-2022-25743, CVE-2023-21665
SHA-256 | 607fa965d699b8530e3007ef7ceaca726a5ef18f66dd831e4ec632ad32adcccd
Qualcomm Adreno/KGSL Insecure Secure Buffers
Posted May 9, 2023
Authored by Jann Horn, Google Security Research

Qualcomm Adreno/KGSL suffers from an issue where secure buffers are addressable by all GPU users. Qualcomm believes this finding has no security impact and will not address it.

tags | exploit
SHA-256 | d9b987714309cbf4e6d06626329557ab19e9a3e5c17b45b14e62e612bd881e23
wfc-pkt-router Incorrect Bind
Posted May 5, 2023
Authored by Jann Horn, Google Security Research

wfc-pkt-router suffers from a vulnerability where it can wrongly bind to an external network interface instead of the VPN tunnel.

tags | advisory
advisories | CVE-2023-29092
SHA-256 | 03509814b094fdcb874430f7b5654f15f7ca1ccdd20e1463ac75f2a0d6edef4c
CentOS Stream 9 Missing Kernel Security Fix
Posted Apr 18, 2023
Authored by Jann Horn, Google Security Research

CentOS Stream 9 has a missing kernel security fix for a tun double-free amongst other missing fixes. Included is a local root exploit to demonstrate the issue.

tags | exploit, kernel, local, root
systems | linux, centos
advisories | CVE-2022-4744, CVE-2023-1249
SHA-256 | ff7d7021860395c29340e572b9c37574d2458d361ce7c71f08cc837f0834b69e
CentOS Stream 9 Missing Kernel Security Fixes
Posted Mar 21, 2023
Authored by Jann Horn, Google Security Research

The kernel tree of CentOS Stream 9 suffers from multiple use-after-free conditions that were already patched in upstream stable trees.

tags | advisory, kernel
systems | linux, centos
advisories | CVE-2023-0590, CVE-2023-1249, CVE-2023-1252
SHA-256 | a5f94e90c58a4d65e7349c5ac6abff2cbc680f758ae71b7d0bf35a8ec6642057
Linux USB Use-After-Free
Posted Mar 13, 2023
Authored by Jann Horn, Google Security Research

Linux USB usbnet tells minidrivers to unbind while netdev is still up, causing use-after-free conditions.

tags | exploit
systems | linux
SHA-256 | a79f67a4ff4419f1ee030e5d31da09ffc097f7a7aff75a313677c344131a2bc4
Android GKI Kernels Contain Broken Non-Upstream Speculative Page Faults MM Code
Posted Mar 6, 2023
Authored by Jann Horn, Google Security Research

Android GKI kernels contain broken non-upstream Speculative Page Faults MM code that can lead to multiple use-after-free conditions.

tags | exploit, kernel
advisories | CVE-2023-20937
SHA-256 | 52bdc4d424513850282af302704976ef18a76f8dae3b5f71cf887f9e9577e262
Arm Mali CSF kbase_kcpu_command_queue Use-After-Free
Posted Feb 27, 2023
Authored by Jann Horn, Google Security Research

kbase_csf_kcpu_queue_enqueue() locks the kctx->csf.kcpu_queues, looks up a pointer from inside that structure, then drops the lock before continuing to use the kbase_kcpu_command_queue that was looked up. This is a classic use-after-free pattern, where the lookup of a pointer is protected but the protective lock is then released without first acquiring any other lock or reference to keep the referenced object alive.

tags | exploit
SHA-256 | 4fd61c0109d183f3b2a909d608ec4f7ebeb118f98b4d057a01a280c10f5a5339
Arm Mali Insufficient Cache Invalidation
Posted Feb 24, 2023
Authored by Jann Horn, Google Security Research

Arm Mali suffers from an insufficient cache invalidation for non-page-aligned user buffer imports.

tags | exploit
SHA-256 | 1cc19cb79a91228a44e5c6196c91a498b37c74f153ea14e278fe6327355cc218
Android Binder VMA Management Security Issues
Posted Feb 6, 2023
Authored by Jann Horn, Google Security Research

Android Binder VMA management suffers from multiple security issues.

tags | exploit
advisories | CVE-2023-20928
SHA-256 | ab667a607662e113616863f74924dec25552f0f3627b28b830dcd1cef1dc0df9
Linux khugepaged Race Conditions
Posted Jan 11, 2023
Authored by Jann Horn, Google Security Research

khugepaged on Linux races with rmap-based zap, races with GUP-fast, and fails to call MMU notifiers.

tags | exploit
systems | linux
SHA-256 | 4a7e3cd6f113b1a612bf06b09dde29c3da416e1312821de9fb2c055f4fb2c180
Page 1 of 8
Back12345Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close