I thought this was an excellent post when it came to explaining the exploitation strategy, and as it dealt with encrypted pointers the exploitation was pretty cool to see documented. However, I did have some problems following the actual vulnerability details.
A high-performance but apparently low-security library for some industrial software. The root cause is the use of a signed comparison on a value that is then used as an unsigned size in a `memcpy`. The end result is a much too large copy, overflowing the destination buffer.
An exploit chain that targets Samsung's TEEgris OS running in the ARM TrustZone secure world. TEEgris consists of a secure kernel and trustlets that run on the userspace side, which Android in the non-secure world can communicate with via Secure Monitor Calls (SMCs)...
World's worst fuzzer, leading to a traditional stack overflow in the kernel. Really not much to say about the vulnerability: `copy_from_user` with no bounds check into a fixed-size buffer on the stack...
A hard-to-reach bug condition leading to a buffer overflow in Western Digital's MyCloudHome, a consumer-grade NAS.
Multiple vulnerabilities were announced in Git; the most interesting to me, though, are the integer overflows in parsing `.gitattributes` leading to out-of-bounds reads and writes.
Straightforward issue, but kinda fun as it impacts the network code in several first-party Nintendo games across multiple consoles (3DS, Wii U, Switch). The `NetworkBuffer` in the network library has two methods, `Add` and `Set`, which are used to fill the backing buffer with data from the network...
Off-by-one issue, as the bounds check `if (written_out > max_out)` will continue for one extra iteration after it has written `max_out` integers.
An integer overflow in SQLite's `sqlite3_str_vappendf` with large inputs when dealing with the `q`, `Q` or `w` format specifiers (unique to SQLite's implementation of `printf`, used to escape quotes). In calculating the maximum buffer size once escapes have been added, the size may overflow to a negative value, leading to SQLite using a 70-byte (by default) stack-allocated buffer...
An integer overflow in the official SHA-3 implementation as used by PHP, Python, Ruby and I'm sure other places. When updating a block that already has some data in it, it tries to calculate whether the new partial-block bytes will go out of bounds, but makes the classic mistake of adding the current index and the length of the new data and then just checking whether the sum is lower than a bounding value...
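The "add first, then compare" mistake described above, shown as a constructed example beside the check that cannot wrap. This is added illustration, not the SHA-3/Keccak code itself; `RATE`, `fits_flawed`, `fits_hardened` and `absorb_partial` are made-up names, and the 136-byte rate and the sample lengths are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the sponge block size (not taken from the real
 * implementation). 'index' is how many bytes are already queued in the block. */
#define RATE 136u

/* Flawed check, the pattern described above: forms index + len first.
 * For a very large len the unsigned sum wraps around and compares as
 * "in bounds", so a copy of len bytes would be allowed past the block. */
int fits_flawed(uint32_t index, uint32_t len)
{
    return (index + len) < RATE;
}

/* Hardened check: compare against the remaining room instead of forming a
 * sum. RATE - index cannot wrap once index <= RATE has been established. */
int fits_hardened(uint32_t index, uint32_t len)
{
    if (index > RATE)
        return 0;               /* inconsistent state, refuse outright */
    return len < RATE - index;
}

/* Queue len bytes into the partial block using the hardened check.
 * Returns the new index, or -1 if the write would leave the block. */
int absorb_partial(uint8_t block[RATE], uint32_t index,
                   const uint8_t *data, uint32_t len)
{
    if (!fits_hardened(index, len))
        return -1;
    memcpy(block + index, data, len);   /* safe: len < RATE - index */
    return (int)(index + len);
}

int main(void)
{
    uint32_t index = 100;
    uint32_t huge  = UINT32_MAX - 50;   /* index + huge wraps to 49 */
    printf("flawed check accepts huge length:   %d\n", fits_flawed(index, huge));
    printf("hardened check accepts huge length: %d\n", fits_hardened(index, huge));
    return 0;
}
```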