New issue
Advanced search Search tips
ListGrid
Loading...
  ID Type  Status  Priority  Milestone  Owner  Summary + Labels ...
  9 ---- Fixed ---- ---- cevans@google.com Safari sandbox logic error enables reading of arbitrary files  
  10 ---- Fixed ---- ---- cevans@google.com Safari sandbox IPC memory corruption with WebEvent::Wheel  
  11 ---- Fixed ---- ---- cevans@google.com Safari sandbox IPC memory corruption with WebEvent::Char  
  12 ---- Fixed ---- ---- cevans@google.com launchd heap corruption due to integer overflow in launch_data_unpack  
  13 ---- Fixed ---- ---- cevans@google.com launchd heap corruption due to incorrect rounding in launch_data_unpack  
  14 ---- Fixed ---- ---- cevans@google.com launchd heap overflow in log_forward  
  15 ---- Fixed ---- ---- cevans@google.com Lack of bounds checking in notifyd CCProjectZeroMembers  
  16 ---- Fixed ---- ---- cevans@google.com launchd heap corruption due to unchecked strcpy in init_session MIG ipc  
  17 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in IOAccel2DContext2::blit  
  18 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel memory disclosure due to lack of bounds checking in AGPMClient::getPstatesOccupancy  
  19 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to unchecked pointer parameter in IGAccelCLContext::unmap_user_memory  
  20 ---- Fixed ---- ---- cevans@google.com OS X IOKit Multiple exploitable kernel NULL dereferences (x4)  
  21 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel memory disclosure due to lack of bounds checking in IOUSBControllerUserClient::ReadRegister  
  22 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to incorrect bounds checking in Intel GPU driver ( x2 )  
  23 ---- Fixed ---- ---- cevans@google.com OS X kASLR defeat using sgdt  
  24 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to NULL pointer dereference in IOThunderboltFamily  
  28 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in GPU command buffers  
  29 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to off-by-one error in IGAccelGLContext::processSidebandToken  
  30 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel multiple exploitable memory safety issues in token parsing in IGAccelVideoContextMedia (x5)  
  31 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to NULL pointer dereference in IOAccelContext2::clientMemoryForType  
  32 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_ColorSpaceConversion  
  33 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in IOAccelDisplayPipeTransaction2::set_plane_gamma_table  
  34 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to multiple bounds checking issues in IGAccelGLContext token parsing (x3)  
  35 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to controlled kmem_free size in IOSharedDataQueue  
  36 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in AppleMultitouchIODataQueue  
  37 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to bad free in IOBluetoothFamily  
  38 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to integer overflow in IOBluetoothDataQueue (root only)  
  39 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to integer overflow in IODataQueue::enqueue  
  40 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to heap overflow in IOHIKeyboardMapper::parseKeyMapping  
  41 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to NULL pointer dereference in IOHIKeyboardMapper::stickyKeysfree  
  42 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel memory disclosure due to lack of bounds checking in IOHIKeyboardMapper::modifierSwapFilterKey  
  77 ---- Duplicate ---- ---- cevans@google.com WebKit JavaScriptCore integer truncation vulnerability  
  80 ---- Fixed ---- ---- cevans@google.com OS X coresymbolicationd multiple user to root privilege escalations due to XPC type confusion CCProjectZeroMembers  
  92 ---- Fixed ---- ---- cevans@google.com OS X sandbox escape due to XPC type confusion in networkd CCProjectZeroMembers  
  93 ---- Fixed ---- ---- cevans@google.com Flash memory corruption in Actionscript 2 Array.join CCProjectZeroMembers  
  106 ---- Fixed ---- ---- cevans@google.com Flash logic error in bytecode verifier CCProjectZeroMembers  
  109 ---- Fixed ---- ---- cevans@google.com Flash heap overflow in bytecode verifier CCProjectZeroMembers  
  112 ---- Fixed ---- ---- cevans@google.com Adobe Flash incorrect jit optimization with op_pushwith CCProjectZeroMembers  
  114 ---- Fixed ---- ---- cevans@google.com Adobe Flash incorrect jit optimization with op_pushscope CCProjectZeroMembers  
  115 ---- Fixed ---- ---- cevans@google.com Adobe Flash incorrect jit optimization with op_setglobalslot CCProjectZeroMembers  
  121 ---- Fixed ---- ---- cevans@google.com OS X privilege escalation due to XPC type confusion in sysmond (with exploit) CCProjectZeroMembers  
  126 ---- Invalid ---- ---- cevans@google.com OS X kASLR defeat due to kernel pointers in IOKit registry CCProjectZeroMembers  
  130 ---- Fixed ---- ---- cevans@google.com OS X networkd "effective_audit_token" XPC type confusion sandbox escape (with exploit) CCProjectZeroMembers  
  135 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator CCProjectZeroMembers  
  136 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel memory corruption due to bad bzero in IOBluetoothDevice CCProjectZeroMembers  
  181 ---- Fixed ---- ---- cevans@google.com OS X IOKit EoP due to lack of bounds checking in Intel GPU driver CCProjectZeroMembers  
  182 ---- Fixed ---- ---- cevans@google.com OS X IOKit EoP due to lack of bounds checking in Intel GPU driver (IOAccelResource2::dirtyLevel) CCProjectZeroMembers  
  191 ---- Fixed ---- ---- cevans@google.com Exploitable Kernel NULL dereference in IGAccelCLContext::map_user_memory CCProjectZeroMembers  
  214 ---- Fixed ---- ---- cevans@google.com OS X IOKit kIOMapReadOnly read-only kernel shared memory bypass leading to kernel memory corruption bug in IOAccelContext2 CCProjectZeroMembers  
  217 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to off-by-one in IOAccel2DContext::blit CCProjectZeroMembers  
  218 ---- Fixed ---- ---- cevans@google.com Flash heap buffer overflow due to integer overflow in JSON.stringify CCProjectZeroMembers  
  221 ---- Fixed ---- ---- cevans@google.com OS X+iOS IOKit kernel code execution due to bad cast when using kernel c++ reflection in IOSurfaceRoot CCProjectZeroMembers  
  223 ---- Fixed ---- ---- ianbeer@google.com Flash heap buffer overflow when stringifying Proxy objects CCProjectZeroMembers  
  227 ---- Fixed ---- ---- ianbeer@google.com Flash UaF due to unrooted Atom array used during JSON stringification CCProjectZeroMembers  
  232 ---- Fixed ---- ---- ianbeer@google.com OS X sandbox escape due to fontd trusting client-supplied pointers CCProjectZeroMembers  
  233 ---- Fixed ---- ---- ianbeer@google.com OS X sandbox escape due to heap corruption in fontd (AGSwapAttributeGroup) CCProjectZeroMembers  
  235 ---- Fixed ---- ---- cevans@google.com OS X sandbox escape due to heap corruption in fontd (SwapHFSName) CCProjectZeroMembers  
  241 ---- Fixed ---- ---- ianbeer@google.com OS X sandbox escape due to multiple heap corruption bugs in fontd (FODBReviveFromDumpFile) CCProjectZeroMembers  
  263 ---- Fixed ---- ---- ianbeer@google.com OS X sandbox escape due to heap corruption in fontd (com.apple.FontServer - GetUncompressedBitmapRepresentationData) CCProjectZeroMembers  
  314 ---- Fixed ---- ---- ianbeer@google.com OS X privilege escalation due to bad error handling in Install.framework suid helper CCProjectZeroMembers  
  327 ---- Fixed ---- ---- ianbeer@google.com OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::patch_encoding_common CCProjectZeroMembers  
  328 ---- Fixed ---- ---- ianbeer@google.com OS X IOKit kernel code execution due to lack of bounds checking in IGAccelGLContext::BindQueryBufferMultiple CCProjectZeroMembers  
  329 ---- Fixed ---- ---- ianbeer@google.com OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMedia::process_token_JPEGDecode CCProjectZeroMembers  
  331 ---- Fixed ---- ---- ianbeer@google.com OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_JPEGBLF CCProjectZeroMembers  
  332 ---- Fixed ---- ---- ianbeer@google.com OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_AllPostProcGVA CCProjectZeroMembers  
  333 ---- Fixed ---- ---- ianbeer@google.com OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_AllPostProcGVA and patch_vphal_ssh_instance CCProjectZeroMembers  
  334 ---- Fixed ---- ---- ianbeer@google.com OS X IOKit kernel code execution due to use of IOAccelSurface2::convertGLIndexToBufferIndex error code return value as buffer index CCProjectZeroMembers  
  341 ---- Fixed ---- ---- ianbeer@google.com OS X IOKit kernel code execution due to insufficient bounds checking in nvidia GeForce command buffer processing CCProjectZeroMembers  
  343 ---- Fixed ---- ---- ianbeer@google.com OS X arbitrary file creation as root due to kextd trusting path components in Distributed Notification messages CCProjectZeroMembers  
  353 ---- Fixed ---- ---- ianbeer@google.com OS X kextd bad path checking and toctou allow a regular user to load an unsigned kernel extension CCProjectZeroMembers  
  394 ---- Fixed ---- ---- ianbeer@google.com OS X HFS_EXTEND_FS sysctl discloses uninitialized kernel stack memory to userspace CCProjectZeroMembers  
  428 ---- Fixed ---- ---- ianbeer@google.com Stack buffer overflow in OS X regex engine (TRE) CCProjectZeroMembers  
  429 ---- Fixed ---- ---- ianbeer@google.com Integer signedness and overflow issues in OS X regex engine (TRE) CCProjectZeroMembers  
  430 ---- Fixed ---- ---- ianbeer@google.com Bad alloca in OS X regex engine (TRE) CCProjectZeroMembers  
  477 ---- Fixed ---- ---- ianbeer@google.com OS X Install.framework suid root binary allows arbitrary mkdir, unlink and chown (to admin group) due to unexpected interactions with distributed objects CCProjectZeroMembers  
  478 ---- Fixed ---- ---- ianbeer@google.com OS X Install.framework suid root runner binary priv-esc due to not accounting for implicitly parallel nature of Distributed Objects CCProjectZeroMembers  
  491 ---- Fixed ---- ---- hawkes@google.com Samsung seiren kernel driver buffer overflow CCProjectZeroMembers  
  496 ---- Fixed ---- ---- ianbeer@google.com OS X kernel panic due to bad patch for CVE-2015-3712 in GeForce.kext CCProjectZeroMembers  
  501 ---- Fixed ---- ---- ianbeer@google.com Android libstagefright heap buffer overflow due to integer overflow in MP3 ID3 tag parsing CCProjectZeroMembers  
  511 ---- Fixed ---- ---- ianbeer@google.com Integer Overflow in IOHDIXControllerUserClient::convertClientBuffer leading to undersized kalloc allocation passed to DMA code CCProjectZeroMembers  
  512 ---- Fixed ---- ---- ianbeer@google.com Failure to check return value of OSMetaClassBase::safeMetaCast in IOAccelContext2::connectClient leads to kernel address space layout leak and exploitable NULL dereference CCProjectZeroMembers  
  542 ---- Fixed ---- ---- ianbeer@google.com iOS and OS X kernel code execution via double-delete in IOHIDEventQueue::start due to incorrect error handling CCProjectZeroMembers  
  543 ---- Fixed ---- ---- ianbeer@google.com iOS and OS X kernel code execution due to integer overflow in NECP system control socket packet parsing CCProjectZeroMembers  
  553 ---- Fixed ---- ---- ianbeer@google.com OS X and iOS unsandboxable kernel use-after-free in mach vouchers CCProjectZeroMembers  
  561 ---- Duplicate ---- ---- ianbeer@google.com IOKit doesn't correctly handle spoofed no-more-senders notifications leading to many bugs (OS X and iOS) CCProjectZeroMembers  
  562 ---- Fixed ---- ---- ianbeer@google.com Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference CCProjectZeroMembers  
  565 ---- Duplicate ---- ---- ianbeer@google.com OS X Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications CCProjectZeroMembers  
  566 ---- Duplicate ---- ---- ianbeer@google.com Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications CCProjectZeroMembers  
  567 ---- Duplicate ---- ---- ianbeer@google.com OS X Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications CCProjectZeroMembers  
  569 ---- Fixed ---- ---- ianbeer@google.com Lack of bounds checking in IOBluetoothHCIUserClient external method dispatching allows arbitrary kernel code execution CCProjectZeroMembers  
  572 ---- Duplicate ---- ---- ianbeer@google.com Spoofed no-more-senders notifications with IOBluetoothHCIPacketLogUserClient leads to unsafe parallel OSArray manipulation CCProjectZeroMembers  
  580 ---- Fixed ---- ---- ianbeer@google.com OS X Kernel UaF in hypervisor driver CCProjectZeroMembers  
  595 ---- Fixed ---- ---- ianbeer@google.com Exploitable kernel NULL dereference in IntelAccelerator::gstqConfigure CCProjectZeroMembers  
  596 ---- Fixed ---- ---- ianbeer@google.com Lack of bounds checking in gst_configure leads to kernel buffer overflow due to toctou (plus kernel memory disclosure) CCProjectZeroMembers  
  597 ---- Fixed ---- ---- ianbeer@google.com io_service_close leads to potentially dangerous IOKit methods being called without locks CCProjectZeroMembers  
  598 ---- Fixed ---- ---- ianbeer@google.com OS X and iOS kernel double free due to lack of locking in iokit registry iterator manipulation CCProjectZeroMembers  
  599 ---- Fixed ---- ---- ianbeer@google.com OS X and iOS kernel UaF/double free due to lack of locking in IOHDIXControllUserClient::clientClose CCProjectZeroMembers  
  603 ---- Fixed ---- ---- ianbeer@google.com iOS kernel UaF in IOReportHub CCProjectZeroMembers  
  604 ---- Fixed ---- ---- ianbeer@google.com iOS kernel UaF in IOHIDEventService CCProjectZeroMembers  
  605 ---- Fixed ---- ---- ianbeer@google.com iOS kernel UaF in AppleOscarCMA CCProjectZeroMembers