2548 matches found
Microsoft Windows Kernel - win32k!NtGdiGetFontResourceInfoInternalW Stack Memory Disclosure
Microsoft Windows Kernel - win32k!NtGdiGetFontResourceInfoInternalW Stack Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1275 We have discovered that the nt!NtGdiGetFontResourceInfoInternalW system call discloses portions of uninitialized kernel stack memory...
Microsoft Windows Kernel - win32k!NtGdiGetFontResourceInfoInternalW Stack Memory Disclosure Exploit
Exploit for windows platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1275 We have discovered that the nt!NtGdiGetFontResourceInfoInternalW system call discloses portions of uninitialized kernel stack memory to user-mode clients. This is caused by...
Microsoft Windows Kernel - 'win32k!NtGdiEngCreatePalette' Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1276&desc=2 We have discovered that the nt!NtGdiEngCreatePalette system call discloses large portions of uninitialized kernel stack memory to user-mode clients. This is caused by the fact that for palettes created in the PALINDEX...
WebKit JSC BytecodeGenerator::emitGetByVal Incorrect Optimization Exploit
Exploit for multiple platform in category dos / poc WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal CVE-2017-7061 Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if...
WebKit JSC - BytecodeGenerator::emitGetByVal Incorrect Optimization (1)
WebKit JSC - BytecodeGenerator::emitGetByVal Incorrect Optimization 1 Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if !context.isValid break; if context.type ==...
App Layering: PVS Cache Disks May Need to Be Larger with Elastic Layering
...
CVE-2015-9067
In all Qualcomm products with Android releases from CAF using the Linux kernel, a potential compiler optimization of memset is addressed...
Code injection
In all Qualcomm products with Android releases from CAF using the Linux kernel, a potential compiler optimization of memset is addressed...
CVE-2015-9067
In all Qualcomm products with Android releases from CAF using the Linux kernel, a potential compiler optimization of memset is addressed...
CVE-2015-9067
CVE-2015-9067 concerns Qualcomm products with Android CAF builds using the Linux kernel. The description indicates a potential compiler optimization of memset() that is addressed in these releases. The connected documents do not provide concrete technical details such as affected versions, exact ...
Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter #3 Exploit
Exploit for windows platform in category dos / poc 'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-320; function main let a = 1.1, 2.2; let b = new Uint32Array100; for let i = 0; i a0 = ; return 0; ; a0.toString; main; // Tested on Microsoft Edge 40.15063.0.0Insider...
Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter #2(CVE-2017-8548)
I think the fix for 1045 is incorrect. Here's the original PoC. 'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-320; function main var a = 1.1, 2.2; var b = new Uint32Array100; // force to optimize for var i = 0; i a0 = ; return 0; ; a0.toString; main; I just changed...
Microsoft Edge Chakra Incorrect Jit Optimization Exploit
Yet another finding that the fix for an incorrect jit optimization with TypedArray setter in Microsoft Edge Chakra may not be sufficient. Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter 3 CVE-2017-8601 Coincidentally, Microsoft released the patch for the issue 1290 the d...
Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2
Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter 2 a0 = ; return 0; ; a0.toString; main; I just changed "var b = new Uint32Array100;" to "var b = new Uint32Array0;", and it worked well. PoC: -- 'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-32...
Microsoft Edge Chakra Incorrect Jit Optimization Exploit
This is a follow-up finding that the fix for an incorrect jit optimization with TypedArray setter in Microsoft Edge Chakra may not be sufficient. Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter 2 CVE-2017-8548 I think the fix for 1045 is incorrect. Here's the original Po...
Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter #3
Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter 3 'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-320; function main let a = 1.1, 2.2; let b = new Uint32Array100; for let i = 0; i a0 = ; return 0; ; a0.toString; main; // Tested on...
Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter #3(CVE-2017-8601)
Coincidentally, Microsoft released the patch for the issue 1290 the day after I reported it. But it seems they fixed it incorrectly again. This time, "funca, b, i;" is replaced with "funca, b, ;". PoC: 'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-320; function main...
Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2
a0 = ; return 0; ; a0.toString; main; I just changed "var b = new Uint32Array100;" to "var b = new Uint32Array0;", and it worked well. PoC: -- 'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-320; function main var a = 1.1, 2.2; var b = new Uint32Array0; // 0 // force t...
Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter #3
'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-320; function main let a = 1.1, 2.2; let b = new Uint32Array100; for let i = 0; i a0 = ; return 0; ; a0.toString; main; // Tested on Microsoft Edge 40.15063.0.0Insider Preview...
Microsoft Edge Chakra Incorrect Jit Optimization
Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter 3 CVE-2017-8601 Coincidentally, Microsoft released the patch for the issue 1290 the day after I reported it. But it seems they fixed it incorrectly again. This time, "funca, b, i;" is replaced with "funca, b, ;". PoC: 'use...