4,620
edits
Changes
→System Modules
! Public disclosure timeframe
! Public disclosure timeframe
! Discovered by
! Discovered by
|-
| [[Sockets_services|bsdsockets]] ioctl SIOCGIFMEDIA input can contain ptr
| Originally bsd ioctl SIOCGIFMEDIA used the user-specified ifmediareq structure directly from the input buffer. This includes a ptr. This ptr probably isn't actually used?
With [5.0.0+] the structure used as input for the ioctl was changed to using <code>int ifm_ulist[1]</code> instead of <code>int *ifm_ulist</code> (which is unused). The input structure is copied to a tmp struct which is used as the original ifmediareq structure, with ifm_ulist always NULL. The user can still specify a non-zero ifm_count value, however that's not useful with ifm_ulist being always NULL.
| Useless?
| [[5.0.0]]
| [[13.1.0]]
| February 14, 2022
| February 14, 2022
| [[User:Yellows8|yellows8]], probably others
|-
| [[Sockets_services|bsdsockets]] ioctl SIOCGIFCONF infoleak
| Originally bsd ioctl SIOCGIFCONF was handled by setting the data in IPC outbuf0 to the size/addr of IPC outbuf1. These buffers are HipcAutoSelect, so if buf1 is small enough for HipcPointer (otherwise it would be HipcMapAlias) the IPC-buf-ptr leaked into outbuf0 would be located in the codebin-region. Since this is done before the actual ioctl-handling, it doesn't matter whether the fd is valid.
This was fixed in [5.0.0+] by using a tmp struct on stack instead of buf0.
| bsdsockets-sysmodule codebin-region addr infoleak, which allows defeating ASLR.
| [[5.0.0]]
| [[13.1.0]]
| February 14, 2022 (probably earlier)
| February 14, 2022
| [[User:Yellows8|yellows8]], probably others
|-
|-
| [[Bluetooth_Driver_services|bluetooth]] BSA gatt_process_notification stack buffer overflow
| [[Bluetooth_Driver_services|bluetooth]] BSA gatt_process_notification stack buffer overflow