In the Arm Mali driver's handling of CSF user I/O mappings, VMA splitting is handled incorrectly, leading to a page being given back to the kernel's page allocator while it is still mapped into userspace. On devices with recent Mali GPUs that support CSF, this is a security bug that should be very straightforward to exploit.
6ee0db58337e2459a3e0a317b84488b6c9019397c42a860c2baea1a6661f8592Xen's _get_page_type() contains an ABAC cmpxchg() race, where the code incorrectly assumes that if it reads a specific type_info value, and then later cmpxchg() succeeds, the type_info can't have changed in between.
88fe91f31a1fa5b68860cd0112d829c44076320a17d995120f8a3d426cc59af7On CPUs without SELFSNOOP support, a Xen PV domain that has access to a PCI device (which grants the domain the ability to set arbitrary cache attributes on all its pages) can trick Xen into validating an L2 pagetable that contains a cacheline that is marked as clean in the cache but actually differs from main memory. After the pagetable has been validated, an attacker can flush the "clean" cacheline, such that on the next load, unvalidated data from main memory shows up in the pagetable.
0ca3bec4eaa9cefc4bd68628da583653303fb2bb08f1b14700118565ff032f9cChromeOS uses usbguard when the screen is locked but appears to suffer from bypass issues.
686e2d50596cc3cee3dd66e0fc5f2a715094be5a79c099a547c49d3457af1129Linux usbnet code tells minidrivers to unbind while netdev is still up, causing use-after-free conditions.
9cbdb1ccc149a355b2d267a848a75d3513d0e33cb89787801e49bf0110235f37Linux suffers from two bugs in PT_SUSPEND_SECCOMP. One allows for permission bypass and the other relates to a ptracer death race.
090e7e5a723be850497afe230306c956241cce0eb429877bf07e8c0f06eb2a40This Metasploit module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service if multiple failed attempts occur, however this is unlikely.
b59181d9b536ad31ebdc6b3f83985c65e49fbe3242468f7709e7bb7a2d4b1e5fBlueZ suffers from a vulnerability where a malicious USB device can steal Bluetooth link keys over HCI using a fake BD_ADDR. It was also discovered that bluetoothd suffers from a double-free memory corruption flaw.
8a1aa43e53f3253ec88afc78d193bedf1f90ff6d4fdbe4fc1be57e91906b1055Linux suffers from a vulnerability where FUSE allows use-after-free reads of write() buffers, allowing theft of (partial) /etc/shadow hashes.
2013a523f6140f5f94778f15578c0f1d52f0a0bddd81e46cc48963fbe8fd4efbThe Linux watch_queue filter suffers from an out of bounds write vulnerability.
48bdbb27c736f9c5dd12453993d4bc23ee38e3c25b3e23faef205b92dcf36f51In Linux, drivers/net/usb/ax88179_178a.c contains multiple out-of-bounds accesses in ax88179_rx_fixup(), the function responsible for taking a buffer received over USB and splitting it up into ethernet packets.
d31f6a101db6dc5fd85ff3bf16404acb26c0969c2cd57cc1adc10f3d4419cf21Linux suffers from a garbage collection memory corruption vulnerability by resurrecting a file reference through RCU.
638d1db3f45bcd59a8ce424b7eb6551bbe0ff49ecd4eb9c767f096560f4687deThis bug report describes a vulnerability in ART that allows normal applications to insert arbitrary code into unused executable memory in zygote and other applications.
0b76a7bc1be55f6a0ca439ea53194142e663f42e1e49261458b945a5c953244cAndroid's vold's incremental-fs APIs trust paths from system_server for mounting. There is supposed to be privilege separation between vold (TCB) and system_server (privileged process). However, vold's IPC handlers related to incremental-fs (mountIncFs, unmountIncFs, bindMount) allow system_server to specify semi-arbitrary paths, allowing system_server to trigger mounting on directories that shouldn't be under system_server control.
6308f611ecd07bd987f8455171c29a25eff87e81ccf2cc8daeca7812645ea262Linux suffered from a use-after-free read vulnerability related to an SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()). This has been addressed in stable versions 5.14.10, 5.10.71, 5.4.151, 4.19.209, 4.14.249, 4.4.288, and 4.9.286.
e9d2577d94228c65d76a056d879671aaba39469ae3acffd647bebed060eeeb31Linux suffers from a use-after-free read in the SELinux handler for PTRACE_TRACEME.
796440de4a29bc2603d127196092fc9ccdd7e9044bbb208b4660cc96ceeb0dcdTor suffers from an issue where half-closed connection tracking ignores layer_hint and due to this, entry/middle relays can spoof RELAY_END cells on half-closed streams, which can lead to stream confusion between OP and exit.
0544acc1f8cb71eaae260f7d2c03e6b0c3ebabe6b8549cd83018b8757f7db64aChromeOS suffers from a missing path restriction vulnerability in arc-obb-mounter.
5a39171dc660d2c47df5696635fea0f20a0814593c67d9aa4f2ca1cf665e8660Linux suffers from broken locking in TIOCSPGRP that can lead to a corrupted refcount.
3d16d56ff43c2ab3355f19116f22e1a94fc89347899d1d2c15556ab0e4b4191bLinux io_uring suffers from mm and files access across suid binaries.
31c54d98daff1e1981a30c608516455dff4f229558f13e5503ad476e283c3e0fudisks and the Linux kernel have an issue where udisks permits users to mount romfs and romfs leaks uninitialized memory to userspace.
35a3fb65f205fc4d18eb799a00a5f48e0f59e4554d59a19758e3936768b1b633A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.
12c19d8bb64bc07c6c91f0dc616830116f9cf648c2c843890b7c779c318ceed4A Linux copy-on-write issue can wrongly grant write access.
fb12dc1d9b3c3b8710974411c8e04357da6fc10cd0ae77c98600c7e8fdfa8813On Android, app zygotes do not properly guard against UID reuse attacks, leak AID_READPROC, and expose mlstrustedsubject.
259e249f92035fcc7a0f05456a83799f739c985a9863269f49049822d3dfa37fc-ares version 1.16.0 has an issue where ares_destroy() with pending ares_getaddrinfo() leads to a use-after-free condition.
7dac05abea704e153870ceb3821b9fcf3b37ca198add02caa774bdda39438cd9
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed