1390 matches found
AZL-54936 CVE-2024-53156 affecting package kernel for versions less than 6.6.64.2-1
In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: add range check for connrspepid in htcconnectservice I found the following bug in my fuzzer: UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htchst.c:26:51 index 255 is out of range for type...
zlib-rs stack overflow during decompression with malicious input
A denial of service vulnerability was found in zlib-rs, triggered by specially constructed input. This input causes a stack overflow, resulting in the process using zlib-rs to crash. Impact Due to the way LLVM handles the zlib-rs codebase, tail calls were not guaranteed. This caused certain input...
CVE-2024-50100
CVE-2024-50100 affects the Linux kernel USB gadget dummy-hcd driver. A change to use hrtimers introduced a mismatch between timer_pending() and hrtimer_active(), causing the URB dequeue path to miss a restarted timer and leading to usb_kill_urb() hangs. The fix adds a dedicated timer_pending flag...
PT-2024-40616 · Git +1 · H3
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: A heap-buffer-overflow WRITE 8 crash has been reported. The crash occurs in the polygonToCellsExperimental function, as indicated by the fuzzer...
PT-2024-40601 · Git +1 · H3
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: A heap-buffer-overflow WRITE 8 crash has been reported. The crash occurs in the polygonToCellsExperimental function, as indicated by the fuzzer report fr...
Effective Fuzzing: A Dav1d Case Study
Guest post by Nick Galloway, Senior Security Engineer, 20% time on Project Zero Late in 2023, while working on a 20% project with Project Zero, I found an integer overflow in the dav1d AV1 video decoder. That integer overflow leads to an out-of-bounds write to memory. Dav1d 1.4.0 patched this, an...
PUB-A-299775134
In smsExtractCbLanguage of smsCellBroadcast.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
Fuzzing µC/OS protocol stacks, Part 3: TCP/IP server fuzzing, implementing a TAP driver
This is the final post in the three-part series that details techniques I used to fuzz two µC/OS protocol stacks: µC/TCP-IP and µC/HTTP-server. The first post highlighted code modifications necessary for developing a fuzzing harness tailored for the µC/HTTP-server. The second discussed a techniqu...
CVE-2022-48869
CVE-2022-48869 concerns the Linux kernel gadgetfs USB driver. The issue arises from a race between gadgetfs_fill_super() (mount path) and gadgetfs_kill_sb() (unmount path), where the_device could be deallocated while gadgetfs_fill_super() still uses it, resulting in a use-after-free. The provided...
CVE-2022-48869 USB: gadgetfs: Fix race between mounting and unmounting
In the Linux kernel, the following vulnerability has been resolved: USB: gadgetfs: Fix race between mounting and unmounting The syzbot fuzzer and Gerald Lee have identified a use-after-free bug in the gadgetfs driver, involving processes concurrently mounting and unmounting the gadgetfs filesyste...
PT-2024-40825 · Git +1 · Kimageformats
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: The issue is related to a heap-buffer-overflow write error. Technical details include a crash type of Heap-buffer-overflow WRITE 1. The crash state...
UBUNTU-CVE-2022-48834
In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Fix bug in pipe direction for control transfers The syzbot fuzzer reported a minor bug in the usbtmc driver: usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0 WARNING: CPU: 0 PID: 3813 at...
CVE-2022-48838 usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: Fix use-after-free bug by not setting udc-dev.driver The syzbot fuzzer found a use-after-free bug: BUG: KASAN: use-after-free in devuevent+0x712/0x780 drivers/base/core.c:2320 Read of size 8 at addr ffff88802b934098 ...
CVE-2022-48834 usb: usbtmc: Fix bug in pipe direction for control transfers
In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Fix bug in pipe direction for control transfers The syzbot fuzzer reported a minor bug in the usbtmc driver: usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0 WARNING: CPU: 0 PID: 3813 at...
CVE-2022-48834
CVE-2022-48834 refers to a Linux kernel issue in the usb: usbtmc driver where usbtmc_ioctl_request incorrectly used usb_rcvctrlpipe() for all transfers (in or out). The fix separates control transfers by direction. The vulnerability impact described is a local issue tied to incorrect control pipe...
PT-2024-40807 · Git +1 · Openssl
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: The issue is related to a null-dereference read crash. Technical details include a crash type of null-dereference READ and a crash state involving do evp...
CVE-2024-40996 bpf: Avoid splat in pskb_pull_reason
In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid splat in pskbpullreason syzkaller builds CONFIGDEBUGNET=y frequently trigger a debug hint in pskbmaypull. We'd like to retain this debug check because it might hint at integer overflows and other issues kernel code...
AZL-43267 CVE-2024-39472 affecting package kernel for versions less than 5.15.167.1-1
In the Linux kernel, the following vulnerability has been resolved: xfs: fix log recovery buffer allocation for the legacy hsize fixup Commit a70f9fe52daa "xfs: detect and handle invalid iclog size set by mkfs" added a fixup for incorrect hsize values used for the initial umount record in old...
BIT-BPFTOOL-2021-45940
libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow 4 bytes in bpfobjectopen called from bpfobjectopenmem and bpf-object-fuzzer.c...
CVE-2024-38618
In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Set lower bound of start tick time Currently ALSA timer doesn't have the lower limit of the start tick time, and it allows a very small size, e.g. 1 tick with 1ns resolution for hrtimer. Such a situation may lead to ...