PowerVR has an issue where PVRSRVAcquireProcessHandleBase() can cause psProcessHandleBase reuse when PIDs are reused.
18d88674b2b9ce3ddaccd51818379af5893ab0c36e6eb07d67ee93245da55ea8
A security-relevant race between mremap() and THP code has been discovered. Reaching the buggy code typically requires the ability to create unprivileged namespaces. The bug leads to installing physical address 0 as a page table, which is likely exploitable in several ways: for example, triggering the bug in multiple processes can probably lead to unintended page table sharing, which in turn can probably lead to stale TLB entries pointing to freed pages.
d415d186ac0cd0e8590e6af8e512c75a753a301cb3c1ff5d14ad6ae5cf28a43e
SQLite3 suffers from a stack buffer underflow condition in seriesBestIndex in the generate_series extension.
7e10b24906e04816e624fc48916e56477f071a9fab7ccffed58b4658d09bf483
khugepaged in Linux races with rmap-based zap, races with GUP-fast, and fails to call MMU notifiers.
70b8b4891864d68dc660a11b7c18246507754b38f9be401d06a0d1879b3a45cc
An error path in usbdev_mmap() (where remap_pfn_range() fails midway through) frees pages before the PFN mapping pointing to those pages is cleaned up, making physical page use-after-free possible. Some other drivers look like they might have similar issues.
9954c73a5d4b25cfd2ae71c579096d9048f40475e6683e174f991dae3312c11d
This bug was found in msm-5.15 using tag KERNEL.PLATFORM.2.1.r1-05400-kernel.0. The fastrpc_file struct contains a flag, is_compat, that is set whenever the 32-bit compat_ioctl VFS handler is invoked on a fastrpc file (e.g. by opening /dev/adsprpc-smd and issuing an ioctl on it). The flag is later consulted, e.g. inside fastrpc_internal_invoke2's K_COPY_FROM_USER macro invocations, to decide whether a supplied pointer is a userland pointer or a kernel pointer. Because the state behind this K_COPY_FROM_USER decision lives in the broadly accessible fastrpc_file struct rather than being tracked per ioctl invocation, a 64-bit ioctl call into fastrpc_internal_invoke2 will treat userland-provided addresses as kernel pointers if the 32-bit ioctl interface was ever previously invoked on the same fastrpc_file. This leads directly to attacker-controlled reads of arbitrary kernel addresses.
7ce3664c0a974696d288f060528f707f1555a333b471fe3ba0f054dda88b4c2a
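As an added example, not code from the advisory or from the msm-5.15 fastrpc driver, the following user-space model shows why a sticky per-file is_compat flag is the wrong place to keep a per-invocation "is this pointer kernel or user?" decision. Every identifier with a _sim suffix, the fake address constants and the "secret" contents are assumptions for illustration; the fixed variant passes the kernel/user decision as an argument on each call instead of reading it from the file struct.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model (added example, not the real fastrpc code). "Kernel" and
 * "user" memory are two arrays addressed through fake 32-bit addresses so the
 * copy helpers can range-check them the way access_ok() would. */
#define EFAULT_SIM   14
#define USER_BASE    0x10000000u
#define USER_SIZE    0x100u
#define KERN_BASE    0xc0000000u
#define KERN_SIZE    0x100u
#define KERN_SCRATCH (KERN_BASE + 0x80u)   /* where the compat shim stages its copy */
#define SECRET_ADDR  KERN_BASE             /* kernel data an attacker wants to read */

static unsigned char user_mem[USER_SIZE];
static unsigned char kern_mem[KERN_SIZE];

/* Stand-in for copy_from_user(): refuses anything outside the user range. */
static int copy_from_user_sim(void *dst, uint32_t src, size_t n)
{
    if (src < USER_BASE || n > USER_SIZE || src - USER_BASE > USER_SIZE - n)
        return -EFAULT_SIM;
    memcpy(dst, &user_mem[src - USER_BASE], n);
    return 0;
}

/* Stand-in for a plain memcpy() from a pointer the driver trusts as kernel memory. */
static int kernel_memcpy_sim(void *dst, uint32_t src, size_t n)
{
    if (src < KERN_BASE || n > KERN_SIZE || src - KERN_BASE > KERN_SIZE - n)
        return -EFAULT_SIM;   /* a real kernel would oops here rather than fail cleanly */
    memcpy(dst, &kern_mem[src - KERN_BASE], n);
    return 0;
}

/* Stand-in for the K_COPY_FROM_USER macro: 'kernel' selects which copy is used. */
static int k_copy_from_user_sim(int kernel, void *dst, uint32_t src, size_t n)
{
    return kernel ? kernel_memcpy_sim(dst, src, n) : copy_from_user_sim(dst, src, n);
}

struct fastrpc_file_sim {
    int is_compat;   /* vulnerable design: per-file and sticky */
};

/* Vulnerable core: the copy decision comes from the sticky per-file flag. */
static int invoke2_vuln(struct fastrpc_file_sim *fl, void *dst, uint32_t src, size_t n)
{
    return k_copy_from_user_sim(fl->is_compat, dst, src, n);
}

/* Fixed core: the caller states, per invocation, whether src is a kernel buffer. */
static int invoke2_fixed(int kernel, void *dst, uint32_t src, size_t n)
{
    return k_copy_from_user_sim(kernel, dst, src, n);
}

/* compat_ioctl path: stage the 32-bit user argument in a kernel scratch buffer and
 * hand that kernel address to the core. The vulnerable variant also flips the flag. */
static int compat_ioctl_sim(struct fastrpc_file_sim *fl, uint32_t user_arg, size_t n,
                            unsigned char *out, int fixed)
{
    int err = copy_from_user_sim(&kern_mem[KERN_SCRATCH - KERN_BASE], user_arg, n);
    if (err)
        return err;
    if (fixed)
        return invoke2_fixed(1, out, KERN_SCRATCH, n);
    fl->is_compat = 1;
    return invoke2_vuln(fl, out, KERN_SCRATCH, n);
}

/* 64-bit ioctl path: passes the raw user-supplied address straight to the core. */
static int ioctl64_sim(struct fastrpc_file_sim *fl, uint32_t user_arg, size_t n,
                       unsigned char *out, int fixed)
{
    if (fixed)
        return invoke2_fixed(0, out, user_arg, n);
    return invoke2_vuln(fl, out, user_arg, n);
}

/* The sequence from the advisory: one compat ioctl, then a 64-bit ioctl whose
 * "user pointer" is really a kernel address. Returns 1 if the kernel secret was
 * copied out to the caller, 0 if the driver refused, -1 on setup failure. */
int attack_leaks_secret(int fixed)
{
    struct fastrpc_file_sim fl = {0};
    unsigned char out[16];
    const char secret[16] = "KERNEL-SECRET!!";   /* constructed sample data */
    memcpy(kern_mem, secret, sizeof secret);
    memset(user_mem, 'u', sizeof user_mem);

    if (compat_ioctl_sim(&fl, USER_BASE, 16, out, fixed) != 0)   /* step 1: compat call */
        return -1;
    if (ioctl64_sim(&fl, SECRET_ADDR, 16, out, fixed) != 0)      /* step 2: 64-bit call */
        return 0;   /* refused: copy_from_user rejected the kernel address */
    return memcmp(out, secret, 16) == 0;
}

int main(void)
{
    printf("vulnerable driver leaks secret: %d\n", attack_leaks_secret(0));
    printf("fixed driver leaks secret:      %d\n", attack_leaks_secret(1));
    return 0;
}
```

The point of the fixed variant is not the extra argument itself but where the trust decision is made: the compat shim knows it staged a kernel buffer and says so for that one call, so nothing a later caller does on the same file descriptor can inherit that trust.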
XNU suffers from a race condition leading to a use-after-free between the NFSSVC_NFSD command and an upcall worker thread.
7ffbd2f24181807ee212967faac09584f8f2b2db84a64cd1af883cc860d8e6a6
Android GKI kernels contain broken non-upstream Speculative Page Faults MM code that can lead to use-after-free conditions.
66f3d20525ff0676542d2ca32e25362978413e0665982d4a600608e52b0a2fcf
There is an integer overflow in dav1d when decoding an AV1 video with large width/height. The integer overflow may result in an out-of-bounds write.
2e6ee0c003e7075d02a19941dea59ff9838200ead28039478bb67d1a365c5bdc
A condition exists when fastrpc_mmap_create creates a new globally visible mapping that can lead to a use-after-free.
f676785fdf4478de819b5665c9ba33c67535e75932f2e0c3889dcb7a0811f410
An incorrect searching algorithm in fastrpc_mmap_find can lead to kernel address space information leaks.
46fa1c601050810eb66a262de97a8b9a9dbe879e08b68141820f5aeffa5d1da5
There appears to be some (possibly deprecated) code associated with AF_QIPCRTR sockets in bpf_service.c. Within this file are some ioctl handlers, e.g. qrtr_bpf_filter_attach and qrtr_bpf_filter_detach. In the case of qrtr_bpf_filter_detach, the global pointer bpf_filter is fetched and freed while only holding a per-socket lock (and an irrelevant rcu_read_lock). Since that lock does not serialize callers on different sockets, this may lead directly to double frees or use-after-free (kernel memory corruption) if a malicious user is able to call the QRTR_DETTACH_BPF ioctl on multiple AF_QIPCRTR sockets concurrently. Based on Android SELinux files, it appears this may be possible from some lower-privileged vendor and HAL services.
9a1258e6adb1b608d6d8bf4e2c0f15fb713920d26890f57e49ad4ff67b1e99c1
Linux i915 suffers from an out-of-bounds PTE write in vm_fault_gtt() that leads to a PTE use-after-free vulnerability.
1823d9d4f6feebcd5eb07b8d171404b0ef201f506b2f82c58803bb51a4f92f10
The array ppsPMR in DEVMEMXINT_RESERVATION holds references to PMR structures (using PMRRefPMR2()), intending to prevent the PMRs' physical memory from being released. However, PMRs with PVRSRV_MEMALLOCFLAG_NO_OSPAGES_ON_ALLOC (which for OSMem PMRs internally translates to FLAG_ONDEMAND) can release their backing physical pages while references to the PMR still exist; PMRLockSysPhysAddresses() must be used to prevent a PMR's backing pages from disappearing, like in DevmemIntMapPMR2(). Therefore, it is currently possible to free a PMR's backing pages while the PMR is mapped into a DEVMEMXINT_RESERVATION, leading to physical page use-after-free.
cc6e11ae0dee934a94a29ebded0e52e70690ca998d7efe6c5f0ffe85ffda4eba
Qualcomm KGSL has an issue where reclaimed / in-reclaim objects can still be mapped into VBOs.
1428075df507c623a1bd9ac4565539be37fad3bf60c27a111608fd1f90e9a845
An LSM can prevent the fcntl/close race cleanup path in fcntl_setlk() from working, leading to use-after-free read in lock_get_status() when reading /proc/locks.
be3debe6c62f6ce4ba3fee414d1fb7b202ab4839dec89a3b6e8e94e90eaac790
PowerVR suffers from a use-after-free vulnerability in DevmemIntChangeSparse2() on a PMRGetUID() call.
995fc11455439b600de3444c34a92fcad3e63b940610a057e80033a2a169d793
Linux has an issue where landlock can be disabled thanks to a missing cred_transfer hook.
a12bdeb84032ca0a10a49441e34ac1148d44ca6ae128dfe4fd56120c8dbf3c24
Two security issues have been identified in PowerVR during patch review.
cdf2436c82b9dc3dd355eb1bdda7e1b097e169a71d8db78713cba518bf056306
In Linux DRM, drm_file_update_pid() calls get_pid() too late, creating a race condition that can lead to a use-after-free of a struct pid.
ea7aa640ea9bb86fe73ddf82c6205724499ae72e163dd9ad1ae1c987416c0d29
Telegram for Android suffers from a use-after-free vulnerability in Connection::onReceivedData.
b50977499b859adec9bc55d49621466231a4ab00aa44223747f9839cecd9995e
PowerVR has an issue where wrapping addition in _DevmemXReservationPageAddress() causes an MMU operation at the wrong address.
8cf4775aa2d6620274690594068ebd5446a26435ff99535d37ef3d64af38db87
PowerVR has integer overflows in DevmemXIntMapPages() and DevmemXIntUnmapPages(), exploitable as dangling GPU page table entries.
607faad30ec56959223ff39f5065ae4bc346c6c969c93404b728ab4ed243fc1a
PowerVR PMR allows physical memory to be freed before GPU TLB invalidation.
48938b3e44dc2ae24749118301fe7c8b943bd6b5bb5f57034378aa0f41845d6f
PowerVR has an issue with missing tracking of multiple sparse mappings in DevmemIntChangeSparse2() that leads to a dangling page table entry.
426fb16d93d8096a50bbd9d26c9fe783fb082dc59ace42d221957b371d7eaae7