Arm Mali CSF kbase_kcpu_command_queue Use-After-Free

Posted by deepcore on February 28, 2023 – 7:24 am

kbase_csf_kcpu_queue_enqueue() locks the kctx->csf.kcpu_queues, looks up a pointer from inside that structure, then drops the lock before continuing to use the kbase_kcpu_command_queue that was looked up. This is a classic use-after-free pattern, where the lookup of a pointer is protected but the protective lock is then released without first acquiring any other lock or reference to keep the referenced object alive.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« ABUS Security Camera TVIP 20000-21150 LFI / Remote Code Execution pfBlockerNG 2.1.4_26 Remote Code Execution »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

Arm Mali CSF kbase_kcpu_command_queue Use-After-Free

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL