Apple macOS/iOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization
Apple macOS/iOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123 unp_externalize is responsible for externalizing the file descriptors carried within a unix domain socket message...
Apple iOS / macOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor E
Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123 unp_externalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver...
Design/Logic Flaw
All versions of the NVIDIA GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgDdiEscape where improper locking under certain conditions may lead to a denial of service...
CVE-2017-0353
All versions of the NVIDIA GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgDdiEscape where improper locking under certain conditions may lead to a denial of service...
XNU kernel UaF due to lack of locking in set_dp_control_port (CVE-2016-7644)
set_dp_control_port is a MIG method on the host_priv_port, so this bug is a root-to-kernel escalation. kern_return_t set_dp_control_port(host_priv_t host_priv, ipc_port_t control_port) { if (host_priv == HOST_PRIV_NULL) return KERN_INVALID_HOST; if (IP_VALID(dynamic_pager_control_port)) ipc_port_release_send(dynamic_pager_control_port);...
macOS / iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device Exploit
Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129 fseventsf_ioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE_64 on /dev/fsevents. Here's the code for the FSEVENTS_DEVICE_FILTER_64 ioctl: case FSEVENTS_DEVICE_FILTER_64:...
Apple macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necp_open is a syscall used to obtain a new necp file descriptor. The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap. Here's the relevant code from necp_open: error = falloc(p, &fp, &fd,...
Apple macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129 fseventsf_ioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE_64 on /dev/fsevents. Here's the code for the FSEVENTS_DEVICE_FILTER_64 ioctl: case FSEVENTS_DEVICE_FILTER_64: if (!proc_is64bit(vfs_context_proc(ctx))) { ret = EINVAL; brea...
Apple macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device
Apple macOS/iOS Kernel 10.12.3 16D32 - Double-Free Due to Bad Locking in fsevents Device / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129 fseventsf_ioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE_64 on /dev/fsevents. Here's the code for the FSEVENTS_DEVICE_FILTER_64...
macOS / iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free Exploit
Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necp_open is a syscall used to obtain a new necp file descriptor. The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap. Here's the relevant code fr...
MacOS/iOS kernel double free due to bad locking in fsevents device (CVE-2017-2490)
fseventsf_ioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE_64 on /dev/fsevents. Here's the code for the FSEVENTS_DEVICE_FILTER_64 ioctl: case FSEVENTS_DEVICE_FILTER_64: if (!proc_is64bit(vfs_context_proc(ctx))) { ret = EINVAL; break; } devfilt_args = (fsevent_dev_filter_args64 *)data; handle_dev_filter: int...
MacOS/iOS kernel uaf due to bad locking in necp_open (CVE-2017-2478)
necp_open is a syscall used to obtain a new necp file descriptor. The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap. Here's the relevant code from necp_open: error = falloc(p, &fp, &fd, vfs_context_current()); --------------------- (a) if (error != 0) goto done; if ((fd_data =...
Apple macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free
Apple macOS/iOS Kernel 10.12.3 16D32 - Bad Locking in necp_open Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necp_open is a syscall used to obtain a new necp file descriptor. The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap...
CVE-2014-9914
Race condition in the ip4_datagram_release_cb function in net/ipv4/datagram.c in the Linux kernel before 3.15.2 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect expectations about locking during multithreaded access to internal data structures...
DEBIAN-CVE-2014-9914
Race condition in the ip4_datagram_release_cb function in net/ipv4/datagram.c in the Linux kernel before 3.15.2 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect expectations about locking during multithreaded access to internal data structures...
macOS 10.12.1 / iOS Kernel - host_self_trap Use-After-Free Exploit
Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1034 The task struct has a lock itk_lock_data, taken via the itk_lock macros, which is supposed to protect the task->itk_* ports. The host_self_trap mach trap accesses task->itk_host witho...
Apple macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1034 The task struct has a lock itk_lock_data, taken via the itk_lock macros, which is supposed to protect the task->itk_* ports. The host_self_trap mach trap accesses task->itk_host without taking this lock, leading to a use-after-free give...
Google Android max86902 Driver - sysfs Interfaces Race Condition
Google Android max86902 Driver - sysfs Interfaces Race Condition Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=963 The MAX86902 sensor has a driver that exposes several interfaces through which the device may be configured. In addition to exposing a character device, it also...
iOS 10.1.1 / macOS 10.12 16A323 XNU Kernel - set_dp_control_port Lack of Locking Use-After-Free Vuln
Exploit for multiple platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=965 set_dp_control_port is a MIG method on the host_priv_port, so this bug is a root-to-kernel escalation. kern_return_t set_dp_control_port(host_priv_t host_priv, ipc_port_t control_port) { if (host_priv...
Apple macOS 10.12 16A323 XNU Kernel iOS 10.1.1 - set_dp_control_port Lack of Locking Use-After-Free
Apple macOS 10.12 16A323 XNU Kernel iOS 10.1.1 - set_dp_control_port Lack of Locking Use-After-Free Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=965 set_dp_control_port is a MIG method on the host_priv_port, so this bug is a root-to-kernel escalation. kern_return_t set_dp_control_port(host_pri...