Linux kernel out of bounds read via Xen-related sysfs file

ISSUE DESCRIPTION The Linux sysfs file /sys/hypervisor/properties/buildid does not contain printable information, but a binary value of typically 16 or 20 bytes, which is not terminated by a zero byte. The kernel driver making this information available is using the sprintf function for writing t...

Microsoft Windows - nt!NtQueryVolumeInformationFile (FileFsVolumeInformation) Kernel Pool Memory Dis

Exploit for windows platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1166 We have discovered that the nt!NtQueryVolumeInformationFile system call discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignme...

Microsoft Windows - 'IOCTL_DISK_GET_DRIVE_GEOMETRY_EX' Kernel partmgr Pool Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1156&desc=2 We have discovered that the handler of the IOCTLDISKGETDRIVEGEOMETRYEX IOCTL in partmgr.sys discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test...