The function __vipx_ioctl_put_container() in the Samsung kernel calls copy_to_user() on a vs4l_container_list structure that contains a kernel pointer, exposing that kernel pointer to userspace just before it gets passed to kfree().
In the Samsung kernel, the /dev/hdcp2 device ioctls seem to implement no locking, leading to multiple exploitable race conditions. For example, you can open a session with the HDCP_IOC_SESSION_OPEN ioctl, and then close it in multiple threads in parallel with the HDCP_IOC_SESSION_CLOSE ioctl. Since no locking is implemented in hdcp_session_close(), memory will be corrupted and the […]
XNU suffers from a use-after-free vulnerability in tcp_input.
This function, reached through ioctl VS4L_VERTEXIOC_QBUF in the Samsung kernel, has an error case that cannot function correctly. It reads in an array of pointers from userspace and in-place replaces each userspace pointer with a kernel pointer allocated with kzalloc(). Unfortunately, in the error case it will iterate over all the pointers in the array […]
Chrome suffers from a heap use-after-free vulnerability in DesktopMediaPickerController::WebContentsDestroyed.
http://www.banann.go.th/vuln.gif notified by Xpordi
Tags: defacement
qdPM < 9.1 – Remote Code Execution
Tags: 0day, remote exploit
Comtrend VR-3033 – Command Injection
Tags: 0day, remote exploit
Business Live Chat Software 1.0 – Cross-Site Request Forgery (Add Admin)
Tags: 0day, remote exploit
SpotFTP-FTP Password Recover version 2.4.8 suffers from a denial of service vulnerability.