Two logic bugs that cause memory corruption in the handling of TLS packets due to unhandled error / return values when using the nanoSSL library, and a higher level design flaw with the firmware update system.
We have [previously](https://dayzerosec.com/vulns/2022/03/02/linux-kernel-heap-out-of-bounds-write-in-nfdupnetdevc-since-54.html) covered this bug; it's an out-of-bounds access due to a broken assumption that every `dup` command has an associated immediate. When that assumption is broken by manually crafting netfilter rules, the `nft_fwd_dup_netdev_offload` function will perform an out-of-bounds access as it increments too far.
Out-of-bounds read in Chrome's PDFium engine in the `RequestThumbnail()` method. The `page_index` parameter is used to index into a vector of pages to call that page's `RequestThumbnail()` callback, however the `page_index` isn't validated in production builds...
Trivial instance of client-side validation: in this case, to enforce a timeout they were using the device's time. So by changing the time on the device you can make more attempts at the PIN.
A chain of issues going from an XSS to a remote file download in a server-side PDF renderer, leading to remote code execution. The XSS initially seemed a bit weak as the application had no secrets or even authentication, so attacking other users would not provide much gain...
A simple container escape compared to several we've covered in the past: the `sysctls` passed into the `pinns` utility are delimited by a `+`, which can be maliciously included in a value to inject otherwise blocked `sysctls`. There is some minimal validation on the `sysctls` being passed in to ensure the keys don't match any sensitive keys, however an attacker can set a value to `+sensitive.key=othervalue` to smuggle in a blocked option.
Great bounty for a fairly simple bug: `showSaveFilePicker` would allow JavaScript to provide options including a default filename, which could include `%environment%` variables on Windows. The JavaScript could then access the name of the saved file in the resulting promise.
Yet another branch predictor bug was discovered by grsecurity when testing a performance optimization for Reuse Attack Protector (RAP) return hash sequences. RAP sequences have an unconditional jump, followed by a `movabs` instruction and some `int3` instructions for debugging purposes...
We have [previously discussed](https://dayzerosec.com/vulns/2021/09/29/iouring-vulnerability-resulting-in-freeing-wrong-kernel-buffer.html) this vulnerability, which provides a primitive to free adjacent memory.
A UAF in the Common Logging File System (CLFS). Some background is needed on how this custom filesystem works to provide context for the bug...