what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 10 of 10 RSS Feed

Files from Seth Jenkins

Email addresssethjenkins at google.com
First Active2023-01-06
Last Active2024-10-22
Linux Dangling PFN Mapping / Use-After-Free
Posted Oct 22, 2024
Authored by Jann Horn, Google Security Research, Seth Jenkins

An error path in usbdev_mmap() (where remap_pfn_range() fails midway through) frees pages before the PFN mapping pointing to those pages is cleaned up, making physical page use-after-free possible. Some other drivers look like they might have similar issues.

tags | exploit
advisories | CVE-2024-47674
SHA-256 | 9954c73a5d4b25cfd2ae71c579096d9048f40475e6683e174f991dae3312c11d
msm 5.15 Arbitrary Kernel Address Access
Posted Oct 15, 2024
Authored by Google Security Research, Seth Jenkins

This bug was found in msm-5.15 using tag KERNEL.PLATFORM.2.1.r1-05400-kernel.0. The fastrpc_file struct contains a flag, is_compat, that is set if the 32-bit compat_ioctl vfs handler is ever called on a fastrpc file (e.g. by opening and ioctling on /dev/adsprpc-smd). This flag is later used inside of e.g. fastrpc_internal_invoke2's macro invocations of K_COPY_FROM_USER to make decisions about whether the provided pointer is a userland pointer or a kernel-land pointer. However, because the state for making this K_COPY_FROM_USER decision is stored within the broadly accessible fastrpc_file struct instead of stored per ioctl invocation, this means that 64-bit ioctl invocations of fastrpc_internal_invoke2 will use userland provided addresses as kernel pointers if the 32-bit ioctl interface of the same fastrpc_file was ever previously invoked. This leads directly to attacker-controlled reads of arbitrary kernel addresses.

tags | exploit, arbitrary, kernel
advisories | CVE-2024-21455
SHA-256 | 7ce3664c0a974696d288f060528f707f1555a333b471fe3ba0f054dda88b4c2a
fastrpc_mmap_create Use-After-Free
Posted Oct 4, 2024
Authored by Google Security Research, Seth Jenkins

A condition exists when fastrpc_mmap_create creates a new globally visible mapping that can lead to a use-after-free.

tags | exploit
advisories | CVE-2024-33060
SHA-256 | f676785fdf4478de819b5665c9ba33c67535e75932f2e0c3889dcb7a0811f410
fastrpc_mmap_find Information Leak
Posted Oct 4, 2024
Authored by Google Security Research, Seth Jenkins

An incorrect searching algorithm in fastrpc_mmap_find can lead to kernel address space information leaks.

tags | advisory, kernel
advisories | CVE-2024-33060
SHA-256 | 46fa1c601050810eb66a262de97a8b9a9dbe879e08b68141820f5aeffa5d1da5
MediaTek WLAN Driver Memory Corruption
Posted Feb 8, 2024
Authored by Google Security Research, Seth Jenkins

The MediaTek WLAN driver has VFS read handlers that do not check buffer size leading to userland memory corruption.

tags | exploit
SHA-256 | e02f5b1f1d435ca3340b9ddef6433031cb241ad315800f041e8e425d3ac596dd
mtk-jpeg Driver Out-Of-Bounds Read / Write
Posted Nov 14, 2023
Authored by Google Security Research, Seth Jenkins

An out-of-bounds read / write due to missing bounds check in the mtk-jpeg driver can lead to memory corruption and potential escalation of privileges.

tags | exploit
advisories | CVE-2023-32837
SHA-256 | e41201a7980c88fc58347c600192d9a70df411c527756cf6c4ba17ebb7bb7705
Android mtk_jpeg Driver Race Condition / Privilege Escalation
Posted Nov 14, 2023
Authored by Google Security Research, Seth Jenkins

A race condition in the Android mtk_jpeg driver can lead to memory corruption and potential local privilege escalation.

tags | exploit, local
advisories | CVE-2023-32832
SHA-256 | b9bbc877dec293cdae380289c906920975d5c1e2eb6ec78818aa966c315357ce
edgetpu_pin_user_pages Race Condition
Posted Oct 5, 2023
Authored by Google Security Research, Seth Jenkins

There is a race condition in edgetpu_pin_user_pages which is reachable from some unprivileged contexts, including the Camera app, or the Google Meet app.

tags | exploit
advisories | CVE-2023-35645
SHA-256 | f2c097f59fbb9a93bf14610f9faf8be4d99e83e00ca52f16c11b8af6ef496e22
Linux videobuf2 Use-After-Free
Posted Jan 9, 2023
Authored by Google Security Research, Seth Jenkins

A vb2_mmap race with vb2_core_reqbufs leads to a use-after-free vulnerability in the Linux videobuf2 system.

tags | exploit
systems | linux
SHA-256 | d61a2203442211de402e6420b838d2d46c53994de2af84b1f343bfe1d3ad0231
Linux videobuf2 Use-After-Free
Posted Jan 6, 2023
Authored by Google Security Research, Seth Jenkins

An unsafe use of follow_pfn in get_vaddr_frames in videobuf2 on Linux leads to use-after-free issues or writes to ro-pages.

tags | exploit
systems | linux
SHA-256 | f545295793aea2d033e2e1720bb35ac7db855bcaa8fafcd55848d3dffe8ce90b
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close