111 matches found
Linux kernel race condition vulnerability
The Linux kernel is a computer operating system kernel written in C and assembly language, compliant with the POSIX standard, and distributed under the GNU General Public License. A race condition vulnerability exists in mm/mmap.c in Linux kernel versions prior to 5.7.11. The vulnerability...
Linux expand_downwards() / munmap() Race Condition
Linux >=4.20: expand_downwards() can race with munmap() page table freeing. Since 4.20, __do_munmap() downgrades the mmap_sem from write-locked to read-locked after detaching the VMAs from the mm_struct, but before dropping references to pages and freeing page tables. This ought to be safe because VMA tree...
PT-2020-4970 · Linux +4 · Linux Kernel +4
Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.7.11. Description: A race condition exists between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call. This issue can be exploited to cause a denial ...
Denial Of Service (DoS)
kernel-rt is vulnerable to denial of service. A local user is able to crash the system via vectors involving the munmap and close system calls, due to multiple race conditions in the function madvise_remove in mm/madvise.c...
Android - binder Use-After-Free of VMA via race Between reclaim and munmap
Android - binder Use-After-Free of VMA via race Between reclaim and munmap The following bug report solely looks at the situation on the upstream master branch; while from a cursory look, at least the wahoo kernel also looks affected, I have only properly tested this on upstream master. There is ...
Android - binder Use-After-Free of VMA via race Between reclaim and munmap
The following bug report solely looks at the situation on the upstream master branch; while from a cursory look, at least the wahoo kernel also looks affected, I have only properly tested this on upstream master. There is a race condition between the direct reclaim path enters binder through the...
Android - binder Use-After-Free of VMA via race Between reclaim and munmap Exploit
Android - binder Use-After-Free of VMA via race Between reclaim and munmap The following bug report solely looks at the situation on the upstream master branch; while from a cursory look, at least the wahoo kernel also looks affected, I have only properly tested this on upstream master. There is ...
Android - Inter-Process munmap due to Race Condition in ashmem
The MemoryIntArray class allows processes to share an in-memory array of integers backed by an "ashmem" file descriptor. As the class implements the Parcelable interface, it can be inserted into a Parcel, and optionally placed in a Bundle and transferred via binder to remote processes. Instead of...
Android: Ashmem race conditions in android.util.MemoryIntArray (CVE-2017-0412)
The MemoryIntArray class allows processes to share an in-memory array of integers by transferring an ashmem file descriptor. As the class implements the Parcelable interface, it can be passed within a Parcel or a Bundle and transferred via binder to remote processes. Instead of directly tracking...
Google Android - Inter-process munmap in android.util.MemoryIntArray
Google Android - Inter-process munmap in android.util.MemoryIntArray Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1001 The MemoryIntArray class allows processes to share an in-memory array of integers by transferring an ashmem file descriptor. As the class implements the...
Google Android - Inter-process munmap in android.util.MemoryIntArray Vulnerability
Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1001 The MemoryIntArray class allows processes to share an in-memory array of integers by transferring an ashmem file descriptor. As the class implements the Parcelable interface, ...
Google Android - android.util.MemoryIntArray Ashmem Race Conditions Vulnerability
Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1002 The MemoryIntArray class allows processes to share an in-memory array of integers by transferring an ashmem file descriptor. As the class implements the Parcelable interface, ...
Google Android - Inter-Process munmap with User-Controlled Size in android.graphics.Bitmap
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=928 Bitmap objects can be passed between processes by flattening them to a Parcel in one process and un-flattening them in another. In order to conserve memory, there exists a code path which allows Bitmaps to be shared between...
Google Android - Inter-Process munmap with User-Controlled Size in android.graphics.Bitmap
Google Android - Inter-Process munmap with User-Controlled Size in android.graphics.Bitmap Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=928 Bitmap objects can be passed between processes by flattening them to a Parcel in one process and un-flattening them in another. In order...
FreeBSD Kernel (FreeBSD 10.2 x64) - sendmsg Kernel Heap Overflow (PoC)
FreeBSD Kernel FreeBSD 10.2 x64 - sendmsg Kernel Heap Overflow PoC include include include include include include include include include include void atagetxportvoid; int kprintfconst char fmt, ...; char ostype; void resolvechar name struct kldsymlookup ksym; ksym.version = sizeofksym;...
Linux kernel 2.2 ldd core Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/344/info Due to a rare and subtle bug in the 2.2.0 kernel, a Linux machine can be forced to reboot by an unprivileged local user. The reason for this is because of the invalid ELF core layout and the fact that munmap wipe...
Linux Kernel 'perf_count_sw_cpu_clock' event Denial of Service
No description provided by source. //Vince / Error with overflows and perf::perfcountswcpuclock / / This test will crash Linux 3.0.0 / / compile with gcc -O2 -o ofloswcpuclockcrash ofloswcpuclockcrash.c / / by Vince Weaver vweaver1 at eecs.utk.edu / define GNUSOURCE 1 include stdio.h include...
kernel: mm: use-after-free in madvise_remove()
Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call...
kernel: mm: use-after-free in madvise_remove()
Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call...
kernel: mm: use-after-free in madvise_remove()
Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call...