Shopify: mruby-engine: UAF in MRubyEngine#initialize enables local RCE

Summary Double-init of MRubyEngine frees engine + unmaps mspace, but leaves Ruby DATAPTR dangling. Kernel reuses freed VA via mmapMAPFIXED. Attacker forges memrubyengine struct + mrbstate in reclaimed region, points mrbstate-allocf at libc.system, arranges bytes of mrbstate to also spell a shell...

The vulnerability of the packet_create() function in the net/packet/af_packet.c module of the Linux kernel allows a attacker to compromise the confidentiality, integrity, and accessibility of the protected information.

The vulnerability of the packetcreate function in the net/packet/afpacket.c module of the Linux kernel is related to the reutilization of previously freed memory. Exploiting this vulnerability could allow an attacker to compromise the confidentiality, integrity, and accessibility of the protected...

The vulnerability of the do_vcc_ioctl() function in the net/atm/ioctl.c module, which implements the ATM network protocol in the Linux operating system’s kernel, allows a attacker to compromise the confidentiality, integrity, and accessibility of the protected information.

The vulnerability of the dovccioctl function in the net/atm/ioctl.c module, which implements the ATM network protocol in the Linux operating system, is related to the reallocation of previously freed memory due to concurrent access to resources. Exploiting this vulnerability could allow an attack...

The vulnerability of the fs/io_uring.c component in the Linux operating system allows a hacker to cause a service failure.

The vulnerability of the fs/iouring.c component in the Linux kernel operating system is related to the reutilization of freed memory. Exploiting this vulnerability can allow an attacker to cause a service failure...