An error path in usbdev_mmap() (where remap_pfn_range() fails midway through) frees pages before the PFN mapping pointing to those pages is cleaned up, making physical page use-after-free possible. Some other drivers look like they might have similar issues.
9954c73a5d4b25cfd2ae71c579096d9048f40475e6683e174f991dae3312c11d
This bug was found in msm-5.15 using tag KERNEL.PLATFORM.2.1.r1-05400-kernel.0. The fastrpc_file struct contains a flag, is_compat, that is set if the 32-bit compat_ioctl VFS handler is ever called on a fastrpc file (e.g. by opening /dev/adsprpc-smd and issuing an ioctl on it). This flag is later consulted, for example inside fastrpc_internal_invoke2's invocations of the K_COPY_FROM_USER macro, to decide whether a provided pointer is a userland pointer or a kernel pointer. Because the state behind this K_COPY_FROM_USER decision is stored in the broadly accessible fastrpc_file struct rather than per ioctl invocation, 64-bit ioctl invocations of fastrpc_internal_invoke2 will treat userland-provided addresses as kernel pointers if the 32-bit ioctl interface of the same fastrpc_file was ever previously invoked. This leads directly to attacker-controlled reads of arbitrary kernel addresses.
7ce3664c0a974696d288f060528f707f1555a333b471fe3ba0f054dda88b4c2a
A condition exists when fastrpc_mmap_create creates a new globally visible mapping that can lead to a use-after-free.
f676785fdf4478de819b5665c9ba33c67535e75932f2e0c3889dcb7a0811f410
An incorrect searching algorithm in fastrpc_mmap_find can lead to kernel address space information leaks.
46fa1c601050810eb66a262de97a8b9a9dbe879e08b68141820f5aeffa5d1da5
The MediaTek WLAN driver has VFS read handlers that do not check the buffer size, leading to userland memory corruption.
e02f5b1f1d435ca3340b9ddef6433031cb241ad315800f041e8e425d3ac596dd
An out-of-bounds read / write due to missing bounds check in the mtk-jpeg driver can lead to memory corruption and potential escalation of privileges.
e41201a7980c88fc58347c600192d9a70df411c527756cf6c4ba17ebb7bb7705
A race condition in the Android mtk_jpeg driver can lead to memory corruption and potential local privilege escalation.
b9bbc877dec293cdae380289c906920975d5c1e2eb6ec78818aa966c315357ce
There is a race condition in edgetpu_pin_user_pages which is reachable from some unprivileged contexts, including the Camera app, or the Google Meet app.
f2c097f59fbb9a93bf14610f9faf8be4d99e83e00ca52f16c11b8af6ef496e22
A vb2_mmap race with vb2_core_reqbufs leads to a use-after-free vulnerability in the Linux videobuf2 system.
d61a2203442211de402e6420b838d2d46c53994de2af84b1f343bfe1d3ad0231
An unsafe use of follow_pfn in get_vaddr_frames in videobuf2 on Linux leads to use-after-free issues or writes to read-only pages.
f545295793aea2d033e2e1720bb35ac7db855bcaa8fafcd55848d3dffe8ce90b