ID  Type  Status  Priority  Milestone  Owner  Summary + Labels
  12 ---- Fixed ---- ---- cevans@google.com launchd heap corruption due to integer overflow in launch_data_unpack  
  13 ---- Fixed ---- ---- cevans@google.com launchd heap corruption due to incorrect rounding in launch_data_unpack  
  14 ---- Fixed ---- ---- cevans@google.com launchd heap overflow in log_forward  
  15 ---- Fixed ---- ---- cevans@google.com Lack of bounds checking in notifyd CCProjectZeroMembers  
  16 ---- Fixed ---- ---- cevans@google.com launchd heap corruption due to unchecked strcpy in init_session MIG ipc  
  17 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in IOAccel2DContext2::blit  
  18 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel memory disclosure due to lack of bounds checking in AGPMClient::getPstatesOccupancy  
  19 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to unchecked pointer parameter in IGAccelCLContext::unmap_user_memory  
  20 ---- Fixed ---- ---- cevans@google.com OS X IOKit Multiple exploitable kernel NULL dereferences (x4)  
  21 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel memory disclosure due to lack of bounds checking in IOUSBControllerUserClient::ReadRegister  
  22 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to incorrect bounds checking in Intel GPU driver ( x2 )  
  23 ---- Fixed ---- ---- cevans@google.com OS X kASLR defeat using sgdt  
  24 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to NULL pointer dereference in IOThunderboltFamily  
  28 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in GPU command buffers  
  29 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to off-by-one error in IGAccelGLContext::processSidebandToken  
  30 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel multiple exploitable memory safety issues in token parsing in IGAccelVideoContextMedia (x5)  
  31 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to NULL pointer dereference in IOAccelContext2::clientMemoryForType  
  32 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_ColorSpaceConversion  
  33 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in IOAccelDisplayPipeTransaction2::set_plane_gamma_table  
  34 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to multiple bounds checking issues in IGAccelGLContext token parsing (x3)  
  35 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to controlled kmem_free size in IOSharedDataQueue  
  36 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in AppleMultitouchIODataQueue  
  37 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to bad free in IOBluetoothFamily  
  38 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to integer overflow in IOBluetoothDataQueue (root only)  
  39 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to integer overflow in IODataQueue::enqueue  
  40 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to heap overflow in IOHIKeyboardMapper::parseKeyMapping  
  41 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to NULL pointer dereference in IOHIKeyboardMapper::stickyKeysfree  
  42 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel memory disclosure due to lack of bounds checking in IOHIKeyboardMapper::modifierSwapFilterKey  
  80 ---- Fixed ---- ---- cevans@google.com OS X coresymbolicationd multiple user to root privilege escalations due to XPC type confusion CCProjectZeroMembers  
  92 ---- Fixed ---- ---- cevans@google.com OS X sandbox escape due to XPC type confusion in networkd CCProjectZeroMembers  
  121 ---- Fixed ---- ---- cevans@google.com OS X privilege escalation due to XPC type confusion in sysmond (with exploit) CCProjectZeroMembers  
  126 ---- Invalid ---- ---- cevans@google.com OS X kASLR defeat due to kernel pointers in IOKit registry CCProjectZeroMembers  
  130 ---- Fixed ---- ---- cevans@google.com OS X networkd "effective_audit_token" XPC type confusion sandbox escape (with exploit) CCProjectZeroMembers  
  181 ---- Fixed ---- ---- cevans@google.com OS X IOKit EoP due to lack of bounds checking in Intel GPU driver CCProjectZeroMembers  
  182 ---- Fixed ---- ---- cevans@google.com OS X IOKit EoP due to lack of bounds checking in Intel GPU driver (IOAccelResource2::dirtyLevel) CCProjectZeroMembers  
  191 ---- Fixed ---- ---- cevans@google.com Exploitable Kernel NULL dereference in IGAccelCLContext::map_user_memory CCProjectZeroMembers  
  394 ---- Fixed ---- ---- ianbeer@google.com OS X HFS_EXTEND_FS sysctl discloses uninitialized kernel stack memory to userspace CCProjectZeroMembers  
  428 ---- Fixed ---- ---- ianbeer@google.com Stack buffer overflow in OS X regex engine (TRE) CCProjectZeroMembers  
  429 ---- Fixed ---- ---- ianbeer@google.com Integer signedness and overflow issues in OS X regex engine (TRE) CCProjectZeroMembers  
  430 ---- Fixed ---- ---- ianbeer@google.com Bad alloca in OS X regex engine (TRE) CCProjectZeroMembers  
  477 ---- Fixed ---- ---- ianbeer@google.com OS X Install.framework suid root binary allows arbitrary mkdir, unlink and chown (to admin group) due to unexpected interactions with distributed objects CCProjectZeroMembers  
  478 ---- Fixed ---- ---- ianbeer@google.com OS X Install.framework suid root runner binary priv-esc due to not accounting for implicitly parallel nature of Distributed Objects CCProjectZeroMembers  
  542 ---- Fixed ---- ---- ianbeer@google.com iOS and OS X kernel code execution via double-delete in IOHIDEventQueue::start due to incorrect error handling CCProjectZeroMembers  
  543 ---- Fixed ---- ---- ianbeer@google.com iOS and OS X kernel code execution due to integer overflow in NECP system control socket packet parsing CCProjectZeroMembers  
  553 ---- Fixed ---- ---- ianbeer@google.com OS X and iOS unsandboxable kernel use-after-free in mach vouchers CCProjectZeroMembers  
  561 ---- Duplicate ---- ---- ianbeer@google.com IOKit doesn't correctly handle spoofed no-more-senders notifications leading to many bugs (OS X and iOS) CCProjectZeroMembers  
  565 ---- Duplicate ---- ---- ianbeer@google.com OS X Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications CCProjectZeroMembers  
  566 ---- Duplicate ---- ---- ianbeer@google.com Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications CCProjectZeroMembers  
  567 ---- Duplicate ---- ---- ianbeer@google.com OS X Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications CCProjectZeroMembers  
  597 ---- Fixed ---- ---- ianbeer@google.com io_service_close leads to potentially dangerous IOKit methods being called without locks CCProjectZeroMembers  
  598 ---- Fixed ---- ---- ianbeer@google.com OS X and iOS kernel double free due to lack of locking in iokit registry iterator manipulation CCProjectZeroMembers  
  599 ---- Fixed ---- ---- ianbeer@google.com OS X and iOS kernel UaF/double free due to lack of locking in IOHDIXControllUserClient::clientClose CCProjectZeroMembers  
  618 ---- Fixed ---- ---- ianbeer@google.com Multiple iOS/OS X kernel uninitialized variable bugs leading to code execution CCProjectZeroMembers  
620 ---- Duplicate ---- ---- ianbeer@google.com iOS/OS X unsandboxable kernel code execution due to iokit double release in IOKit (with RIP control PoC) CCProjectZeroMembers
  676 ---- Fixed ---- ---- ianbeer@google.com Logic error when exec-ing suid binaries allows code execution as root on OS X/iOS CCProjectZeroMembers  
  772 ---- Fixed ---- ---- ianbeer@google.com OS X kernel use-after-free due to bad locking in IOAcceleratorFamily2 CCProjectZeroMembers  
  774 ---- Fixed ---- ---- ianbeer@google.com OS X kernel OOB read of object pointer due to insufficient checks in raw cast to enum type CCProjectZeroMembers  
  776 ---- Fixed ---- ---- ianbeer@google.com OS X exploitable kernel NULL pointer dereference in IOAudioEngine CCProjectZeroMembers  
  777 ---- Fixed ---- ---- ianbeer@google.com OS X exploitable kernel NULL dereference in CoreCaptureResponder due to unchecked return value CCProjectZeroMembers  
  778 ---- Fixed ---- ---- ianbeer@google.com OS X exploitable kernel NULL dereference in IOAccelSharedUserClient2::page_off_resource CCProjectZeroMembers  
  782 ---- Fixed ---- ---- ianbeer@google.com OS X exploitable kernel NULL pointer dereference in AppleGraphicsDeviceControl CCProjectZeroMembers  
  783 ---- Fixed ---- ---- ianbeer@google.com OS X exploitable kernel NULL pointer dereference in AppleMuxControl.kext CCProjectZeroMembers  
  784 ---- Fixed ---- ---- ianbeer@google.com OS X exploitable kernel NULL pointer dereference in nvCommandQueue::GetHandleIndex in GeForce.kext CCProjectZeroMembers  
  830 ---- Fixed ---- ---- ianbeer@google.com OS X kernel use-after-free in IOBluetoothFamily.kext CCProjectZeroMembers  
  831 ---- Fixed ---- ---- ianbeer@google.com OS X/iOS kernel use-after-free in IOSurface CCProjectZeroMembers  
  837 ---- Fixed ---- ---- ianbeer@google.com task_t considered harmful - many XNU EoPs CCProjectZeroMembers  
  882 ---- Fixed ---- ---- ianbeer@google.com OS X/iOS multiple memory safety issues in mach_ports_register CCProjectZeroMembers  
  893 ---- Fixed ---- ---- ianbeer@google.com Logic issue in launchd message requeuing allows arbitrary mach message control CCProjectZeroMembers  
  896 ---- Duplicate ---- ---- ianbeer@google.com Controlled vm_deallocate size can lead to UaF in launchd CCProjectZeroMembers  
  926 ---- Fixed ---- ---- ianbeer@google.com ipc_port_t reference count leak with nested MIG methods leads to OS X/iOS kernel UaF CCProjectZeroMembers  
  930 ---- Duplicate ---- ---- ianbeer@google.com ipc_port_t reference count leak due to incorrect externalMethod overrides leads to OS X/iOS kernel UaF CCProjectZeroMembers  
  941 ---- Fixed ---- ---- ianbeer@google.com Lack of error checking leads to reference count leak and OS X/iOS kernel UaF in _kernelrpc_mach_port_insert_right_trap CCProjectZeroMembers  
  954 ---- Fixed ---- ---- ianbeer@google.com double vm_deallocate in userspace MIG code can lead to UaF in mach services CCProjectZeroMembers  
  959 ---- Fixed ---- ---- ianbeer@google.com Broken kernel mach port name uref handling on iOS/MacOS can lead to privileged port name replacement in other processes CCProjectZeroMembers  
  965 ---- Fixed ---- ---- ianbeer@google.com XNU kernel UaF due to lack of locking in set_dp_control_port CCProjectZeroMembers  
  1040 ---- Fixed ---- ---- lokihardt@google.com macOS: HelpViewer XSS leads to arbitrary file execution and arbitrary file read. CCProjectZeroMembers