Four issues in HyperKit, a hypervisor based on bhyve that is used by Docker for macOS.
A bit of a saga, starting with a patch to Apache httpd earlier this year that reintroduced an old vulnerability into Apache when encountering
There is a use-after-free in Chrome for Android when fetching credit card details for autofill. This vulnerability does require that the victim has credit card details saved in Chrome.
First, a bit of background terminology as I understand it. Not being familiar with V8, there are likely some subtleties I am missing.
The straightforward version: two out-of-bounds accesses when reading and writing the `Driver feature set`. A guest-provided value is stored and then used as an array index without any validation, both in `PciVirtIOWriteMM` and in `PciVirtIOReadMM`, giving relative read/write primitives.
A use-after-free in Android's ION allocator, which the kernel uses for DMA buffers that can be shared across user/kernel/device boundaries. The issue starts with the `DMA_BUF_IOCTL_SYNC` IOCTL exposed by the buffer's file descriptor: this IOCTL can arbitrarily increment or decrement the reference counter for the shared buffer...
An interesting primitive in `io_uring` resulting in the ability to free adjacent kernel buffers.
This Talos report covers a non-trivial issue where a stack pointer is used after it has gone out of scope when invoking JS bindings, which Nitro Pro PDF provides to document creators for automating aspects of the document. When one of these bindings needs to be executed by the SpiderMonkey library, the `js32u.dll!js_Invoke` function is used to create stack space and push a `JSStackFrame` object to be used by the invoked binding...
This post covers an infoleak in Microsoft's Azure Sphere Security Monitor, which is a Linux-based operating system for IoT devices. They focus on the `SMSyscallPeripheralAcquire` system call, which is used for switching the mux mode on a given pin and changing the layout of how the pins are configured...
It's hard to even call this one a vulnerability: the driver developers simply expose some kernel primitives directly to userland, so nothing crazy is needed. The driver supporting the HP OMEN Gaming Hub software directly exposes several privileged instructions through IOCTLs...