The Mediatek wlan driver on Android has several files exposed under the `/proc` virtual filesystem.Some of these read handles do not check the caller-provided buffer size before copying data out into the user buffer...
The vulnerability in the `__io_uaddr_map()` function of the Linux kernel involves the incorrect handling of multi-page regions imported from userspace.This function is intended to map a physically contiguous region of memory from userspace into the kernel's linear mapping area...
A buffer overflow vulnerability was introduced in a 2021 patch to glibc's dynamic loader when processing `GLIBC_TUNABLES` environment variables.Tunables are basically configuration settings of the runtime that can be set via key/value pairs in the form of `key=val`...
A bit of an unexpected fault in GCC's `-fstack-protector` implementation that meant that the saved return address wasn't actually protected by the stack-protector on AArch64 in some cases.
A pretty classic string escaping bug in GhostScript, one common and buggy edge case when escaping characters in a buffer is to not properly account for escapes that happen at the very limit of the destination buffer.As was the case here, despite checking that the limit of the buffer was not reached on every iteration, when a character was found that should be escaped, it would write to the destination buffer write, first with the escape character (`0x01`) and then again with an XOR'd version of the character to be escaped...
A fun bug, likely stemming from misunderstanding the return value from an `snprintf` call. Unfortunately (for us, good for security) only seems to be useful for a denial of service attack.
I thought this was an excellent post when it came to explaining the exploitation strategy, and has it dealt with encrypted pointers the exploitation was pretty cool to see documented. However I did have some problems following on the actual vulnerability details.
A high performance, but apparently low security library for some industrial software, root cause is the use of a signed comparison of a value that is then used as an unsigned size value in a memcpy. End result being a much too large copy, overflowing the destination buffer.
An exploit chain that targets Samsung's TEEgris OS running in the ARM TrustZone secure world.TEEgris consists of a secure kernel and trustlets that run on the userspace side, which Android in the non-secure world can communicate with via Secure Monitor Calls (SMCs)...
World's worst fuzzer, leading to a traditional stack overflow in the kernel.Really not much to say about the vulnerability, `copy_from_user` with no bounds check into a fixed sized buffer on the stack...