The two null-dereferences are pretty straightforward instances, the first being that when an error happens early on, a buffer is never assigned a value after the initial NULL assignment. In the generic error-handling code, it gets dereferenced on the assumption that the error happened after the buffer had been set up…
Plenty of background regarding even getting to a place to start hunting for bugs on this printer, leading up to two heap-based overflows in pjcc_act_checkUserPassword2, and some discussion about exploiting the DryOS heap allocator.
The majority of this post goes into background on Fuchsia and exploiting a fake vulnerability, though there was one novel vulnerability that the author came across. To obtain a KASLR bypass, the author thought to try to gain access to the kernel log for any pointers that might be leaked…
Three bugs for one guest-to-host escape.
On its own a pretty simple overflow. There exists a buffer for up to 32 elements to be read into, but the value used to determine how many elements to copy is not bounded and can be as high as 255…
Taking an unexpected reference to a memoryview object, resulting in a use-after-free when the parent of said object is destroyed. Though this is a rather low-impact bug because it requires control over the code being executed, so one could just write an os.system(...) call or something similar…
Heap overflow in the mbuf zone in the PPPoE driver, which the PS4/PS5 borrow from NetBSD. The issue is the fact that pppoe_send_padr() can calculate a packet length that exceeds MCLBYTES (2048 bytes)…
Couple of bugs originating in Solana’s JIT: one an optimization issue, the other a bad instruction choice, both found through fuzzing.
Multiple memory corruption bugs in Accel-PPP, an open-source VPN server. These bugs all follow the same basic flawed logic: a length is read from an attacker-controlled buffer and then that length of data is copied from the buffer into an awaiting structure…
Memory corruption, but only a denial of service comes out of it: a user-defined size is read and used in a calculation of the number of bytes left to read. This can potentially lead to a buffer overflow, but only writing into unmapped memory rather than corrupting any useful targets.