Showing 1 - 25 of 206

Files from Jann Horn

Email address: jannh at google.com
First Active: 2013-03-14
Last Active: 2024-07-02
PowerVR Driver Missing Sanitization
Posted Jul 2, 2024
Authored by Jann Horn, Google Security Research

The PowerVR driver does not sanitize ZS-Buffer / MSAA scratch firmware addresses.

tags | exploit
advisories | CVE-2024-31337
SHA-256 | c2daa30504b0e8c789700f2b12ba70633fcac40fa494865c6f36f0fc4494835b
PowerVR Out-Of-Bounds Write
Posted Jun 18, 2024
Authored by Jann Horn, Google Security Research

PowerVR suffers from an out-of-bounds write of firmware addresses in PVRSRVRGXKickTA3DKM().

tags | exploit
SHA-256 | bf643f590254db32f40863c345eaa6faa2bb814e2aa4cfd56828c8a49a38c33a
PowerVR Uninitialized Memory Disclosure
Posted Jun 18, 2024
Authored by Jann Horn, Google Security Research

PowerVR suffers from an uninitialized memory disclosure and crash due to out-of-bounds reads in hwperf_host_%d stream.

tags | exploit
SHA-256 | 21afd37aba8ffcfc6bd66ce8187be897144f972c8efddd7b417e5044e23024a8
PowerVR DevmemXIntMapPages() Mapping Issue
Posted Jun 4, 2024
Authored by Jann Horn, Google Security Research

PowerVR suffers from an issue where DevmemXIntMapPages() allows mapping sDevZeroPage/sDummyPage without holding a reference.

tags | exploit
advisories | CVE-2024-31334
SHA-256 | a872ec3e6ff34c9730a9e040bcfef2da822351bb1bc1c1b8c09c8adf411bf0bd
PowerVR DevmemIntChangeSparse2() Dangling Page Table Entry
Posted May 21, 2024
Authored by Jann Horn, Google Security Research

PowerVR suffers from a wrong order of operations in DevmemIntChangeSparse2() that leads to a temporarily dangling page table entry.

tags | exploit
advisories | CVE-2024-31335
SHA-256 | c60d53fd594988ae874f9172ca988e0a08a60b03ec48452203f70a979e6d922e
PowerVR _UnrefAndMaybeDestroy() Use-After-Free
Posted May 21, 2024
Authored by Jann Horn, Google Security Research

PowerVR suffers from a use-after-free vulnerability in _UnrefAndMaybeDestroy().

tags | exploit
advisories | CVE-2024-34724
SHA-256 | 62d48fec6da2920518cfbf331f251078d85c51ab0a1e30e21ab38e0edd6f3b51
Arm Mali r45p0 Broken State Use-After-Free
Posted May 21, 2024
Authored by Jann Horn, Google Security Research

Arm Mali versions since r45p0 suffer from a broken KBASE_USER_BUF_STATE_* state machine for userspace mappings that can lead to a use-after-free condition.

tags | exploit
advisories | CVE-2024-1065
SHA-256 | 6886ec45419b22efaa4183177ef852a685bb4e3e8f20fe513a25b84dccef3243
Arm Mali 5th Gen Dangling ATE
Posted May 13, 2024
Authored by Jann Horn, Google Security Research

In mmu_insert_pages_no_flush(), when a HUGE_HEAD page is mapped to a 2M aligned GPU address, this is done by creating an Address Translation Entry (ATE) at MIDGARD_MMU_LEVEL(2) (in other words, an ATE covering 2M of memory is created). This is wrong because it assumes that at least 2M of memory should be mapped. mmu_insert_pages_no_flush() can be called in cases where less than that should be mapped, for example when creating a short alias of a big native allocation. Later, when kbase_mmu_teardown_pgd_pages() tries to tear down this region, it will detect that unmapping a subsection of a 2M ATE is not possible and write a log message complaining about this, but then proceed as if everything was fine while leaving the ATE intact. This means the higher-level code will proceed to free the referenced physical memory while the ATE still points to it.

tags | exploit
advisories | CVE-2024-0671
SHA-256 | 02b7002e9ef87f42111b8b994ec26a71eab28f5f71c23d3899c25a6cc7a85c92
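The failure mode described above, a 2M block ATE installed for a mapping that should have covered far less than 2M and then left intact on teardown, modeled in C as an added example. This is not code from the advisory or from the Mali kbase driver: the function names mmu_insert_pages/mmu_teardown_pages/mmu_translate, the toy two-level table, and the physical address are constructed for the model; only the geometry (4K pages, 512 entries per 2M block) follows the usual page-table layout the advisory refers to. The model also shows a second consequence the advisory implies but does not spell out: while the short alias is live, the block entry lets the GPU reach the whole 2 MiB behind it, not just the aliased pages.

```c
/* Toy model of the "dangling ATE" bug class (added example, not Mali kbase code).
 * A level-2 entry either maps a whole 2M block or points to a level-3 table of
 * 4K entries. Installing a 2M block entry for fewer than 512 pages is the bug. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT  12
#define L3_ENTRIES  512                          /* 4K entries per 2M block */
#define BLOCK_SIZE  (L3_ENTRIES << PAGE_SHIFT)   /* 2 MiB */
#define L2_ENTRIES  8                            /* toy GPU VA space: 16 MiB */
#define INVALID     0                            /* no translation */

enum ate_kind { ATE_NONE, ATE_BLOCK, ATE_TABLE };

struct l2_entry {
    enum ate_kind kind;
    uint64_t block_pa;            /* ATE_BLOCK: 2M-aligned physical base */
    uint64_t l3[L3_ENTRIES];      /* ATE_TABLE: 4K physical addresses, 0 = unmapped */
};

struct gpu_mmu {
    struct l2_entry l2[L2_ENTRIES];
    bool fixed;                   /* false = reproduce the bug, true = only use a block for a full 2M */
};

/* Map nr_pages physically contiguous 4K pages at gpu_va. Returns 0 on success. */
static int mmu_insert_pages(struct gpu_mmu *m, uint64_t gpu_va, uint64_t phys_pa, unsigned nr_pages)
{
    uint64_t off = gpu_va % BLOCK_SIZE;
    unsigned idx = (unsigned)(gpu_va / BLOCK_SIZE);
    if (idx >= L2_ENTRIES || off + ((uint64_t)nr_pages << PAGE_SHIFT) > BLOCK_SIZE)
        return -1;
    struct l2_entry *e = &m->l2[idx];
    bool huge_head_aligned = off == 0 && phys_pa % BLOCK_SIZE == 0;
    /* Bug: the unfixed path installs a 2M block ATE as soon as both addresses are
     * 2M-aligned, even when nr_pages < 512 (e.g. a short alias of a big allocation). */
    bool use_block = huge_head_aligned && (!m->fixed || nr_pages == L3_ENTRIES);
    if (use_block) {
        e->kind = ATE_BLOCK;
        e->block_pa = phys_pa;
        return 0;
    }
    if (e->kind == ATE_BLOCK)
        return -1;                /* toy model: existing blocks are never split */
    e->kind = ATE_TABLE;
    unsigned first = (unsigned)(off >> PAGE_SHIFT);
    for (unsigned i = 0; i < nr_pages; i++)
        e->l3[first + i] = phys_pa + ((uint64_t)i << PAGE_SHIFT);
    return 0;
}

/* Unmap nr_pages at gpu_va. Returns how many pages are still translated afterwards. */
static unsigned mmu_teardown_pages(struct gpu_mmu *m, uint64_t gpu_va, unsigned nr_pages)
{
    struct l2_entry *e = &m->l2[gpu_va / BLOCK_SIZE];
    if (e->kind == ATE_BLOCK) {
        if (nr_pages == L3_ENTRIES && gpu_va % BLOCK_SIZE == 0) {
            e->kind = ATE_NONE;
            return 0;
        }
        /* The advisory's failure mode: complain, then carry on with the ATE intact. */
        fprintf(stderr, "cannot unmap %u pages out of a 2M ATE; leaving entry intact\n", nr_pages);
        return L3_ENTRIES;
    }
    if (e->kind == ATE_TABLE) {
        unsigned first = (unsigned)((gpu_va % BLOCK_SIZE) >> PAGE_SHIFT);
        for (unsigned i = 0; i < nr_pages; i++)
            e->l3[first + i] = INVALID;
    }
    return 0;
}

static uint64_t mmu_translate(const struct gpu_mmu *m, uint64_t gpu_va)
{
    const struct l2_entry *e = &m->l2[gpu_va / BLOCK_SIZE];
    if (e->kind == ATE_BLOCK)
        return e->block_pa + gpu_va % BLOCK_SIZE;
    if (e->kind == ATE_TABLE) {
        uint64_t pa = e->l3[(gpu_va % BLOCK_SIZE) >> PAGE_SHIFT];
        return pa ? pa + (gpu_va & ((1u << PAGE_SHIFT) - 1)) : INVALID;
    }
    return INVALID;
}

struct alias_result {
    bool overmapped;   /* before teardown: GPU can reach memory beyond the 16 aliased pages */
    bool dangling;     /* after teardown + free: alias VA still translates to freed memory */
};

/* Scenario from the advisory: a 16-page alias of a big native allocation is mapped
 * at a 2M-aligned GPU VA, torn down, and the backing memory is then freed. */
static struct alias_result run_alias_scenario(bool fixed)
{
    struct gpu_mmu m;
    memset(&m, 0, sizeof m);
    m.fixed = fixed;
    const uint64_t huge_pa = 0x40000000;      /* constructed: 2M-aligned HUGE_HEAD physical page */
    const uint64_t alias_va = 2 * BLOCK_SIZE;  /* 2M-aligned GPU VA for the alias */
    const unsigned alias_pages = 16;           /* 64 KiB alias, far less than a 2 MiB block */
    struct alias_result r = { false, false };

    if (mmu_insert_pages(&m, alias_va, huge_pa, alias_pages) != 0)
        return r;
    r.overmapped = mmu_translate(&m, alias_va + ((uint64_t)alias_pages << PAGE_SHIFT)) != INVALID;
    mmu_teardown_pages(&m, alias_va, alias_pages);
    /* Higher-level code now frees huge_pa..huge_pa+2M; any surviving translation is dangling. */
    r.dangling = mmu_translate(&m, alias_va) != INVALID;
    return r;
}

int main(void)
{
    struct alias_result buggy = run_alias_scenario(false), fixed = run_alias_scenario(true);
    printf("buggy: overmapped=%d dangling=%d\n", buggy.overmapped, buggy.dangling);
    printf("fixed: overmapped=%d dangling=%d\n", fixed.overmapped, fixed.dangling);
    return 0;
}
```

Build with `cc -std=c11 -Wall ate_model.c` and run: the unfixed path reports overmapped=1 dangling=1, the fixed path 0 and 0. The fix in the model is the narrow one the advisory's description points at: only install a block entry when the request actually covers the full 2M; a real driver could alternatively split the block on partial teardown, but must not free the backing pages while any entry still points at them.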
PowerVR PMRMMapPMR() Writability Check
Posted Apr 25, 2024
Authored by Jann Horn, Google Security Research

PowerVR has a security issue where a writability check in PMRMMapPMR() does not clear VM_MAYWRITE.

tags | exploit
SHA-256 | 3c6be466dbc5e6f19541750720a0f82bfbd11613fafa5557f44c1df26aa893b2
PowerVR DevmemIntUnexportCtx Use-After-Free
Posted Apr 8, 2024
Authored by Jann Horn, Google Security Research

PowerVR has an issue where DevmemIntUnexportCtx destroys the export before unlinking it, leading to a use-after-free condition.

tags | exploit
SHA-256 | 6f9202099fe090be7419d76b62ea9327f8db8be77898b1207baaaa4a3a3cd10e
Linux 6.5 Kernel Pointer Leak
Posted Apr 5, 2024
Authored by Jann Horn, Google Security Research

Linux versions starting with 6.5 suffer from a read-after-type-change of folio in cachestat() that leads to a kernel pointer leak.

tags | exploit, kernel
systems | linux
advisories | CVE-2024-26630
SHA-256 | 9ed32c7cf46a882e510759c307e0ac2758225c4d00df31c8c83be548a01fd482
PowerVR RGXCreateZSBufferKM2 Use-After-Free
Posted Apr 2, 2024
Authored by Jann Horn, Google Security Research

PowerVR has an issue where the RGXCreateZSBufferKM2 error path frees an object while it is still on a list.

tags | exploit
SHA-256 | b77c7757a3ce5ef36d49453304cff99bfbbd56c1ff428ecdf3cd2b4c3033e628
Chrome chrome.pageCapture.saveAsMHTML() Extension API Blocked Origin Bypass
Posted Feb 19, 2024
Authored by Jann Horn, Google Security Research

Chrome has an issue where the chrome.pageCapture.saveAsMHTML() extension API can be used on blocked origins due to a racy access check.

tags | exploit
advisories | CVE-2024-0811
SHA-256 | c081d9b3a89b0a80ccfbb9fc08c3373284b83957b305d8759f551dfbed038c66
Linux 5.6 io_uring Cred Refcount Overflow
Posted Jan 19, 2024
Authored by Jann Horn, Google Security Research

Linux versions 5.6 and above appear to suffer from a cred refcount overflow via io_uring; triggering it requires approximately 39 gigabytes of memory usage.

tags | exploit, overflow
systems | linux
SHA-256 | eb6cd67301b0a3753b8bd45f998819605fcd09521aac98683535cba1e70af180
Linux 4.20 KTLS Read-Only Write
Posted Jan 12, 2024
Authored by Jann Horn, Google Security Research

Linux versions 4.20 and above have an issue where ktls writes into spliced readonly pages.

tags | exploit
systems | linux
advisories | CVE-2022-0847
SHA-256 | c8a387c3d377fb9915457e6c2add6c04bc585011d822e7f419d1a632b108342d
Linux Broken Unix GC Interaction Use-After-Free
Posted Jan 12, 2024
Authored by Jann Horn, Google Security Research

Linux suffers from an io_uring use-after-free vulnerability due to broken unix GC interaction.

tags | exploit
systems | linux, unix
advisories | CVE-2022-2602, CVE-2023-6531
SHA-256 | f69e0977a025727662a99855b4620c72daf61a181fc942af121b5a2aba667456
Linux 6.4 io_uring Use-After-Free
Posted Jan 8, 2024
Authored by Jann Horn, Google Security Research

Linux versions 6.4 and above suffer from an io_uring page use-after-free vulnerability via buffer ring mmap.

tags | exploit
systems | linux
SHA-256 | bdd56a2cf8ae5ffb5b1e0cf855da69a640ead67ed0ab5559b57abc88c22cd6f9
io_uring __io_uaddr_map() Dangerous Multi-Page Handling
Posted Jan 8, 2024
Authored by Jann Horn, Google Security Research

__io_uaddr_map() in io_uring suffers from dangerous handling of the multi-page region.

tags | exploit
advisories | CVE-2023-6560
SHA-256 | 36027428c2c544777c9a58e5240c8a00ac64b96a28b3c1c2a02ca9c040ca0b42
Arm Mali CSF Overflow / Use-After-Free
Posted Dec 8, 2023
Authored by Jann Horn, Google Security Research

Arm Mali CSF has a refcount overflow bugfix in r43p0 that was misclassified as a memory leak fix.

tags | exploit, overflow, memory leak
advisories | CVE-2023-4295
SHA-256 | 05a93b8780cfb3ee2e1142acedfd65b47dbf3a86e2c48f3c8256e45ceaf5837b
ARM Mali r44p0 Use-After-Free
Posted Dec 4, 2023
Authored by Jann Horn, Google Security Research

ARM Mali r44p0 suffers from a use-after-free vulnerability caused by freeing a waitqueue that still has elements on it.

tags | exploit
advisories | CVE-2023-5427
SHA-256 | 4fea6948aa6c6c134d3f0e82d4d907da692a000feadff0b07880f486048867a4
PowerVR Out-Of-Bounds Access / Information Leak
Posted Oct 23, 2023
Authored by Jann Horn, Google Security Research

PowerVR suffers from a multitude of memory management bugs including out-of-bounds access and information leakage.

tags | exploit
advisories | CVE-2021-1050, CVE-2023-35685
SHA-256 | c135dd9da4f49945f6ffab49beafba001bf366477d6ac30866c7fd5a8b312a8e
Linux DCCP Information Leak
Posted Oct 16, 2023
Authored by Jann Horn, Google Security Research

Linux suffers from a small remote binary information leak in DCCP.

tags | exploit, remote
systems | linux
SHA-256 | 8f509db352a5daf100520971c2666cea99bc2b733614a6fbd107c438f44733be
Linux 6.4 Use-After-Free
Posted Sep 11, 2023
Authored by Jann Horn, Google Security Research

The Linux 6.4 kernel suffers from a use-after-free condition due to per-VMA locks that introduce a race between page fault and MREMAP_DONTUNMAP.

tags | exploit, kernel
systems | linux
SHA-256 | 3d39c971dd3c9a3c68ba92f6935c1ac85bc812d562760cadb42454ab84afcb68
Linux 6.4 Use-After-Free / Race Condition
Posted Sep 4, 2023
Authored by Jann Horn, Google Security Research

There is a race between mbind() and VMA-locked page faults in the Linux 6.4 kernel, leading to a use-after-free condition.

tags | exploit, kernel
systems | linux
SHA-256 | 78b0a4905933278287d325ebef0bf5c144a4c579eaaf4874daf17a797f5aa2b7
Qualcomm Adreno/KGSL Insecure Execution
Posted Jul 4, 2023
Authored by Jann Horn, Google Security Research

Qualcomm Adreno/KGSL suffers from an issue where code in a user-writable mapping is executed in non-protected mode.

tags | exploit
advisories | CVE-2023-21670
SHA-256 | 795d9bc48251143119585b455550c6ef9db1db6cead5a6bfba90baa195ff4c43
Page 1 of 9

packet storm

© 2022 Packet Storm. All rights reserved.