| ID | Type | Status | Priority | Milestone | Owner | Summary | Labels |
|----|------|--------|----------|-----------|-------|---------|--------|
| 135 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator | CCProjectZeroMembers |
| 136 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel memory corruption due to bad bzero in IOBluetoothDevice | CCProjectZeroMembers |
| 214 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kIOMapReadOnly read-only kernel shared memory bypass leading to kernel memory corruption bug in IOAccelContext2 | CCProjectZeroMembers |
| 217 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to off-by-one in IOAccel2DContext::blit | CCProjectZeroMembers |
| 221 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X+iOS IOKit kernel code execution due to bad cast when using kernel c++ reflection in IOSurfaceRoot | CCProjectZeroMembers |
| 327 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::patch_encoding_common | CCProjectZeroMembers |
| 328 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X IOKit kernel code execution due to lack of bounds checking in IGAccelGLContext::BindQueryBufferMultiple | CCProjectZeroMembers |
| 329 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMedia::process_token_JPEGDecode | CCProjectZeroMembers |
| 331 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_JPEGBLF | CCProjectZeroMembers |
| 332 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_AllPostProcGVA | CCProjectZeroMembers |
| 333 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_AllPostProcGVA and patch_vphal_ssh_instance | CCProjectZeroMembers |
| 334 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X IOKit kernel code execution due to use of IOAccelSurface2::convertGLIndexToBufferIndex error code return value as buffer index | CCProjectZeroMembers |
| 341 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X IOKit kernel code execution due to insufficient bounds checking in nvidia GeForce command buffer processing | CCProjectZeroMembers |
| 496 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X kernel panic due to bad patch for CVE-2015-3712 in GeForce.kext | CCProjectZeroMembers |
| 511 | ---- | Fixed | ---- | ---- | ianbeer@google.com | Integer Overflow in IOHDIXControllerUserClient::convertClientBuffer leading to undersized kalloc allocation passed to DMA code | CCProjectZeroMembers |
| 512 | ---- | Fixed | ---- | ---- | ianbeer@google.com | Failure to check return value of OSMetaClassBase::safeMetaCast in IOAccelContext2::connectClient leads to kernel address space layout leak and exploitable NULL dereference | CCProjectZeroMembers |
| 562 | ---- | Fixed | ---- | ---- | ianbeer@google.com | Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference | CCProjectZeroMembers |
| 569 | ---- | Fixed | ---- | ---- | ianbeer@google.com | Lack of bounds checking in IOBluetoothHCIUserClient external method dispatching allows arbitrary kernel code execution | CCProjectZeroMembers |
| 572 | ---- | Duplicate | ---- | ---- | ianbeer@google.com | Spoofed no-more-senders notifications with IOBluetoothHCIPacketLogUserClient leads to unsafe parallel OSArray manipulation | CCProjectZeroMembers |
| 580 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X Kernel UaF in hypervisor driver | CCProjectZeroMembers |
| 595 | ---- | Fixed | ---- | ---- | ianbeer@google.com | Exploitable kernel NULL dereference in IntelAccelerator::gstqConfigure | CCProjectZeroMembers |
| 596 | ---- | Fixed | ---- | ---- | ianbeer@google.com | Lack of bounds checking in gst_configure leads to kernel buffer overflow due to toctou (plus kernel memory disclosure) | CCProjectZeroMembers |
| 708 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X Kernel use-after-free and double delete due to incorrect locking in Intel GPU Driver | CCProjectZeroMembers |
| 709 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X Kernel unchecked array index used to read object pointer then call virtual method in nvdia geforce driver | CCProjectZeroMembers |
| 710 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X Kernel use-after-free in AppleKeyStore | CCProjectZeroMembers |
| 724 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X kernel stack buffer overflow in GeForce gpu driver | CCProjectZeroMembers |
| 728 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X Kernel code execution due to lack of bounds checking in AppleUSBPipe::Abort | CCProjectZeroMembers |
| 730 | ---- | Duplicate | ---- | ---- | ianbeer@google.com | OS X/iOS kernel UAF due to lack of locking in IOHDIXControllerUserClient::testNetBootMethod | CCProjectZeroMembers |
| 732 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X/iOS kernel UAF racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient | CCProjectZeroMembers |
| 832 | ---- | Duplicate | ---- | ---- | ianbeer@google.com | OS X/iOS kernel use-after-free in IOHDIXController | CCProjectZeroMembers |
| 833 | ---- | Duplicate | ---- | ---- | ianbeer@google.com | OS X kernel use-after-free in CoreStorage | CCProjectZeroMembers |
| 834 | ---- | Duplicate | ---- | ---- | ianbeer@google.com | OS X kernel use-after-free in IOThunderboltFamily | CCProjectZeroMembers |