AppArmor has a reference count leak in aa_fs_seq_hash_show that can be used to overflow the reference counter and trigger a kernel use-after-free.
aeb4adc2c9454e00e280467d5afe605088bc235c957b16c9ba2883396aeb3993The usermode audio subsystem for the "Samsung Android Professional Audio" is based on JACK and appears to suffer from a privilege escalation vulnerability.
6e6f5be9346ce92749741f62f51847396d676dba887f707954ead81bbe16e561The usermode audio subsystem for the "Samsung Android Professional Audio" is based on JACK, which appears to be designed for single-user usage. The common JACK configuration on Linux systems appears to be a JACK server running under the current user account, and interacting with JACK clients from the same user account; so with a minimal privilege difference; this is not the case with the configuration on Android, where the JACK service runs as a more privileged user in a less restrictive SELinux domain to the clients that can connect to it. The JACK shared memory implementation uses the struct jack_shm_info_t defined in /common/shm.h to do some bookkeeping. This struct is stored at the start of every JackShmAble object. This means that whenever the JACK server creates an object backed by shared memory, it also stores a pointer to that object (in the address space of the JACK server), allowing a malicious client to bypass ASLR in the JACK server process.
154f9eac96eeb68b35b32d286401c145dafcaee91d33e5328b096764d282a114Several functions in the GPU command buffer service interact with the GPU mailbox manager (gpu/command_buffer/service/mailbox_manager_impl.cc), passing a reference to shared memory as the mailbox argument. MailboxManagerImpl does not expect this mailbox argument to be malleable in this way, and it is in several places copied and passed to various stl functions, resulting in unexpected behavior from double-reads when an attacker modifies the mailbox name mid function.
f8a976a14646044c7e5586eef81525079a7a9db25b46316e0dc9807036d3e4bcThe GPU buffer manager doesn't handle pointers to shared memory with adequate care, allowing an attacker to bypass chrome's validation and pass invalid buffer data to the hosting OpenGL implementation.
3578fb463723277d9877188292fda698fe97933942361d753ccab3bd0d6f2d9eThe wireless driver for the Android One (sprout) devices has a bad copy_from_user in the handling for the wireless driver socket private read ioctl IOCTL_GET_STRUCT with subcommand PRIV_CMD_SW_CTRL. This ioctl is permitted for access from the untrusted-app selinux domain, so this is an app-to-kernel privilege escalation from any app with android.permission.INTERNET.
f09afcb089991f9bdfe7878694f1b4aa53a78b0716b0db1d420fbf8364088819This Metasploit module exploits a vulnerability found in Adobe Flash Player. A compilation logic error in the PCRE engine, specifically in the handling of the \c escape sequence when followed by a multi-byte UTF8 character, allows arbitrary execution of PCRE bytecode.
1641e648bb596d49cb885ae8a06d070b985c8aa9c12581f0fbac21adc6d108a6
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed