
Files from Seth Jenkins

Email address: sethjenkins at google.com
First Active: 2023-01-06
Last Active: 2024-10-22
Linux Dangling PFN Mapping / Use-After-Free
Posted Oct 22, 2024
Authored by Jann Horn, Google Security Research, Seth Jenkins

An error path in usbdev_mmap() (where remap_pfn_range() fails midway through) frees pages before the PFN mapping pointing to those pages is cleaned up, making physical page use-after-free possible. Some other drivers look like they might have similar issues.

tags | exploit
advisories | CVE-2024-47674
SHA-256 | 9954c73a5d4b25cfd2ae71c579096d9048f40475e6683e174f991dae3312c11d
msm 5.15 Arbitrary Kernel Address Access
Posted Oct 15, 2024
Authored by Google Security Research, Seth Jenkins

This bug was found in msm-5.15 using tag KERNEL.PLATFORM.2.1.r1-05400-kernel.0. The fastrpc_file struct contains a flag, is_compat, that is set if the 32-bit compat_ioctl vfs handler is ever called on a fastrpc file (e.g. by opening and ioctling on /dev/adsprpc-smd). This flag is later used inside of e.g. fastrpc_internal_invoke2's macro invocations of K_COPY_FROM_USER to decide whether the provided pointer is a userland pointer or a kernel-land pointer. However, because the state for that K_COPY_FROM_USER decision is stored within the broadly accessible fastrpc_file struct instead of per ioctl invocation, 64-bit ioctl invocations of fastrpc_internal_invoke2 will use userland-provided addresses as kernel pointers if the 32-bit ioctl interface of the same fastrpc_file was ever previously invoked. This leads directly to attacker-controlled reads of arbitrary kernel addresses.

tags | exploit, arbitrary, kernel
advisories | CVE-2024-21455
SHA-256 | 7ce3664c0a974696d288f060528f707f1555a333b471fe3ba0f054dda88b4c2a
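The msm 5.15 entry above describes a state-confusion pattern: a flag set by one entry point (the compat ioctl) lives on the shared file object and is consulted by a different entry point later. The following is an added, constructed C model of that pattern beside the per-call form that avoids it; it is not the msm/fastrpc driver code. The names sim_fastrpc_file, k_copy_from_user, invoke_vuln and invoke_fixed, and the assumption that the "compat" branch of the copy macro reads its source directly as a kernel buffer, are all this example's own.

```c
/* Constructed model of the is_compat state confusion; not driver code.
 * Assumption (this example's own): when is_compat is set, the copy macro
 * treats the source as an already-copied kernel buffer and reads it directly. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8

/* Simulated address spaces: a "kernel" buffer holding sensitive data and a
 * "user" buffer the caller legitimately owns (both constructed inline). */
static char kernel_secret[BUF_LEN] = "K-SECRT";
static char user_data[BUF_LEN]     = "userdat";

struct sim_fastrpc_file {
    int is_compat;              /* per-file flag: the vulnerable placement */
};

/* Simulated copy_from_user: only addresses inside user_data are acceptable. */
static int sim_copy_from_user(void *dst, const void *src, size_t n)
{
    uintptr_t a = (uintptr_t)src, lo = (uintptr_t)user_data, hi = lo + BUF_LEN;
    if (a < lo || a + n > hi)
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Model of K_COPY_FROM_USER: a "compat" caller is trusted to hand in a
 * kernel buffer, so no address check is performed on that path. */
static int k_copy_from_user(int is_compat, void *dst, const void *src, size_t n)
{
    if (is_compat) {
        memcpy(dst, src, n);    /* src used as a kernel pointer */
        return 0;
    }
    return sim_copy_from_user(dst, src, n);
}

/* Vulnerable pattern: the decision comes from file->is_compat, which an
 * earlier compat ioctl on the same file may have set. */
static int invoke_vuln(struct sim_fastrpc_file *f, const void *src, char *out)
{
    return k_copy_from_user(f->is_compat, out, src, BUF_LEN);
}

static void compat_ioctl(struct sim_fastrpc_file *f)
{
    f->is_compat = 1;           /* sticky: survives into later 64-bit calls */
}

/* Hardened pattern: each entry point passes its own compat status per call;
 * nothing on the file object influences the decision. */
static int invoke_fixed(const void *src, char *out, int call_is_compat)
{
    return k_copy_from_user(call_is_compat, out, src, BUF_LEN);
}

/* 32-bit ioctl once, then a 64-bit ioctl handing in a kernel address. */
int demo_vuln(char *out)
{
    struct sim_fastrpc_file f = { 0 };
    compat_ioctl(&f);
    return invoke_vuln(&f, kernel_secret, out);   /* 0: kernel bytes copied out */
}

int demo_fixed(char *out)
{
    struct sim_fastrpc_file f = { 0 };
    compat_ioctl(&f);                             /* file flag set, but unused */
    return invoke_fixed(kernel_secret, out, 0);   /* 64-bit entry: -EFAULT */
}

int demo_legit(char *out)
{
    return invoke_fixed(user_data, out, 0);       /* 0: a real user buffer */
}

int main(void)
{
    char out[BUF_LEN];
    int rc = demo_vuln(out);
    printf("vuln : rc=%d out=%s\n", rc, out);
    rc = demo_fixed(out);
    printf("fixed: rc=%d (EFAULT=%d)\n", rc, -EFAULT);
    rc = demo_legit(out);
    printf("legit: rc=%d out=%s\n", rc, out);
    return 0;
}
```

The point the model makes is about where the state lives: a flag describing one syscall's calling convention belongs to that syscall invocation, not to the long-lived object shared by every invocation on the same descriptor.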
fastrpc_mmap_create Use-After-Free
Posted Oct 4, 2024
Authored by Google Security Research, Seth Jenkins

A condition exists when fastrpc_mmap_create creates a new globally visible mapping that can lead to a use-after-free.

tags | exploit
advisories | CVE-2024-33060
SHA-256 | f676785fdf4478de819b5665c9ba33c67535e75932f2e0c3889dcb7a0811f410
fastrpc_mmap_find Information Leak
Posted Oct 4, 2024
Authored by Google Security Research, Seth Jenkins

An incorrect searching algorithm in fastrpc_mmap_find can lead to kernel address space information leaks.

tags | advisory, kernel
advisories | CVE-2024-33060
SHA-256 | 46fa1c601050810eb66a262de97a8b9a9dbe879e08b68141820f5aeffa5d1da5
MediaTek WLAN Driver Memory Corruption
Posted Feb 8, 2024
Authored by Google Security Research, Seth Jenkins

The MediaTek WLAN driver has VFS read handlers that do not check buffer size leading to userland memory corruption.

tags | exploit
SHA-256 | e02f5b1f1d435ca3340b9ddef6433031cb241ad315800f041e8e425d3ac596dd
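The MediaTek WLAN entry above describes read handlers that do not honour the caller's buffer size. The following is an added, constructed C model of that defect class beside a clamped handler, using a guard region to count bytes written past the requested length; it is not the MediaTek driver's code, and the names read_vuln, read_fixed, overrun_bytes and the reply string are this example's own.

```c
/* Constructed model of a read handler that ignores the caller's count;
 * not the MediaTek WLAN driver's code. */
#include <stddef.h>
#include <string.h>

#define REPLY_LEN 16                 /* bytes the handler wants to return */
#define GUARD_LEN 32                 /* canary region after the user buffer */

/* Constructed reply the handler produces (15 characters plus NUL). */
static const char reply[REPLY_LEN] = "status=ok;ch=36";

/* Vulnerable handler: copies the whole reply regardless of count. */
long read_vuln(char *ubuf, size_t count)
{
    (void)count;                     /* the size the caller owns is ignored */
    memcpy(ubuf, reply, REPLY_LEN);
    return REPLY_LEN;
}

/* Hardened handler: write at most count bytes and report what was written. */
long read_fixed(char *ubuf, size_t count)
{
    size_t n = count < REPLY_LEN ? count : REPLY_LEN;
    memcpy(ubuf, reply, n);
    return (long)n;
}

/* Simulated user buffer: 'count' usable bytes followed by a canary-filled
 * guard region, so that writes past count can be observed. Returns the
 * number of guard bytes the handler clobbered. */
size_t overrun_bytes(long (*handler)(char *, size_t), size_t count)
{
    char buf[REPLY_LEN + GUARD_LEN];
    size_t i, clobbered = 0;

    memset(buf, 0xAA, sizeof buf);
    handler(buf, count);
    for (i = count; i < sizeof buf; i++)
        if ((unsigned char)buf[i] != 0xAA)
            clobbered++;
    return clobbered;
}

/* Return value of the clamped handler for a given count. */
long fixed_result(size_t count)
{
    char buf[REPLY_LEN + GUARD_LEN];
    return read_fixed(buf, count);
}
```

With count = 4, read_vuln writes the remaining 12 reply bytes past the end of what the caller owns, while read_fixed writes none and returns 4; with a large count both return REPLY_LEN. A real driver would additionally take the file offset into account, but the clamp against count is the check the description above says is missing.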
mtk-jpeg Driver Out-Of-Bounds Read / Write
Posted Nov 14, 2023
Authored by Google Security Research, Seth Jenkins

An out-of-bounds read / write due to a missing bounds check in the mtk-jpeg driver can lead to memory corruption and potential escalation of privileges.

tags | exploit
advisories | CVE-2023-32837
SHA-256 | e41201a7980c88fc58347c600192d9a70df411c527756cf6c4ba17ebb7bb7705
Android mtk_jpeg Driver Race Condition / Privilege Escalation
Posted Nov 14, 2023
Authored by Google Security Research, Seth Jenkins

A race condition in the Android mtk_jpeg driver can lead to memory corruption and potential local privilege escalation.

tags | exploit, local
advisories | CVE-2023-32832
SHA-256 | b9bbc877dec293cdae380289c906920975d5c1e2eb6ec78818aa966c315357ce
edgetpu_pin_user_pages Race Condition
Posted Oct 5, 2023
Authored by Google Security Research, Seth Jenkins

There is a race condition in edgetpu_pin_user_pages which is reachable from some unprivileged contexts, including the Camera app, or the Google Meet app.

tags | exploit
advisories | CVE-2023-35645
SHA-256 | f2c097f59fbb9a93bf14610f9faf8be4d99e83e00ca52f16c11b8af6ef496e22
Linux videobuf2 Use-After-Free
Posted Jan 9, 2023
Authored by Google Security Research, Seth Jenkins

A vb2_mmap race with vb2_core_reqbufs leads to a use-after-free vulnerability in the Linux videobuf2 system.

tags | exploit
systems | linux
SHA-256 | d61a2203442211de402e6420b838d2d46c53994de2af84b1f343bfe1d3ad0231
Linux videobuf2 Use-After-Free
Posted Jan 6, 2023
Authored by Google Security Research, Seth Jenkins

An unsafe use of follow_pfn in get_vaddr_frames in videobuf2 on Linux leads to use-after-free issues or writes to read-only pages.

tags | exploit
systems | linux
SHA-256 | f545295793aea2d033e2e1720bb35ac7db855bcaa8fafcd55848d3dffe8ce90b
packet storm

© 2024 Packet Storm. All rights reserved.