iOS suffers from a Page Protection Layer (PPL) bypass due to incorrect argument verification in pmap_protect_options_internal() and pmap_remove_options_internal().
32cee1a372a12e5942e506e272fddc32f9ae961ee5184a1f29319a3e36fa6521This function, reached through ioctl VS4L_VERTEXIOC_QBUF in the Samsung kernel, has an error case that cannot function correctly. It reads in an array of pointers from userspace and in-place replaces each userspace pointer with a kernel pointer allocated with kzalloc(). Unfortunately, in the error case it will iterate over all the pointers in the array (regardless of how many, if any, were converted to kernel pointers) and call kfree() on each of them. Thus, all it takes to call kfree() on an arbitrary number of controlled pointers is to make the second copy_from_user() fail after successfully copying in the desired number of pointers to free.
efd831d3ab7c9c5578f97a34507b505b0fb6cf8ddb61a22e805c5ade1953fcdfIn the Samsung kernel, the /dev/hdcp2 device ioctls seem to implement no locking, leading to multiple exploitable race conditions. For example, you can open a session with the HDCP_IOC_SESSION_OPEN ioctl, and then close it in multiple threads in parallel with the HDCP_IOC_SESSION_CLOSE. Since no locking is implemented in hdcp_session_close(), memory will be corrupted and the system will become unstable.
133fd193ed2f3352ad3d3ca59c54ca66ce35d1f5a46084a1a696a14e6b2f9edcThe function __vipx_ioctl_put_container() in the Samsung kernel calls copy_to_user() on a vs4l_container_list structure that contains a kernel pointer, exposing that kernel pointer to userspace just before it gets passed to kfree().
cf04790c8d0e642b1910122bf8fab8586f7ff1ad7f3556e2103975c6e9559788macOS and iOS suffers from an out-of-bounds timestamp write in IOAccelCommandQueue2::processSegmentKernelCommand().
44d1c9f9c03139e137baf5a1b9455bae2035ef2354655800e429870317e03d58The XNU function IOUserClient::_sendAsyncResult64() discloses the address of the ipc_port to which the notification is sent in the Mach message enqueued on the notification port.
1cba10482a4515fe180660f8993986da772e8592cc84ee4824062959ab67fb0emacOS and iOS suffer from a race condition in XNU's mk_timer_create_trap() that can lead to type confusion.
d1bfcbb0f7141fd12ac902ba274b00d9b3331a6891c61615250c4fbba3b53358macOS and iOS suffer from an issue where kern_stack_snapshot_internal() shares non-zeroed kernel pages with userspace.
52d0584bd42acc20df7ff47526fc6df9ba5e929c135b31cd786f0169c97c85f9In the macOS kernel, the XNU function wait_for_namespace_event() in bsd/vfs/vfs_syscalls.c releases a file descriptor for use by userspace but may then subsequently destroy that file descriptor using fp_free(), which unconditionally frees the fileproc and fileglob. This opens up a race window during which the process could manipulate those objects while they're being freed. Exploitation requires root privileges.
6d4e9cc704a5f5bbb4de66537161f105b64b583414a93c0e902c25bb793772b5iOS and macOS suffer from an if_ports_used_update_wakeuuid() 16-byte uninitialized kernel stack disclosure vulnerability.
bdfda9bc65d52d6ed0d3984c8d4faf09c2f19226fdea8d12eea56e1cf1534dd7task_swap_mach_voucher() on iOS and macOS have an issue where task_swap_mach_voucher() does not respect MIG semantics leading to a use-after-free condition.
0257494f6d9310ec9e5e1c1bff8a123fa3b6a565f2650f06da253e0be3adc7d9
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed