Line 437:
| November 24, 2018
| [[User:hexkyz|hexkyz]]
+
|-
+
| Infoleak in nvservices system module
+
| The [[NV_services|nvservices]] ioctl [[NV_services#NVMAP_IOC_ALLOC|NVMAP_IOC_ALLOC]] takes an optional argument "addr" which allows the calling process to pass a pointer to user allocated memory for backing a nvmap object. If "addr" is left as 0, nvservices uses the transfer memory region (donated by the user during initialization) instead, when allocating memory for the nvmap object.
+
By design, freeing the nvmap object by calling the ioctl [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] returns, in its "refcount" argument, the user address previously supplied if the reference count reaches 0.
+
However, prior to [[6.2.0]], the case where the transfer memory region is used to allocate the nvmap object was not taken into account, thus resulting in [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] leaking back an address from within the transfer memory region mapped in nvservices' memory space.
+
+
In [[6.2.0]], [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] no longer returns the address when the transfer memory region is used instead of user supplied memory.
+
| Combined with other vulnerabilities: Defeating ASLR in nvservices sysmodule.
+
| [[6.2.0]]
+
| [[6.2.0]]
+
| April 2017
+
| November 24, 2018
+
| Everyone
|-
|}
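Review bot: the fix sentence in the description cell ("In [[6.2.0]], NVMAP_IOC_FREE no longer returns the address when the transfer memory region is used") states what is no longer returned but not what the "refcount" output argument carries in that case, nor that the user-supplied "addr" path still returns the address as before; adding one sentence with both points would let a reader tell patched from unpatched behaviour when checking a firmware, and the table row would then also match its own "Fixed in system version" cell of [[6.2.0]] without the reader having to infer it.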