| ID | Type | Status | Priority | Milestone | Owner | Summary + Labels |
|---|---|---|---|---|---|---|
| 17 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to lack of bounds checking in IOAccel2DContext2::blit |
| 18 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel memory disclosure due to lack of bounds checking in AGPMClient::getPstatesOccupancy |
| 19 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to unchecked pointer parameter in IGAccelCLContext::unmap_user_memory |
| 20 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit Multiple exploitable kernel NULL dereferences (x4) |
| 21 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel memory disclosure due to lack of bounds checking in IOUSBControllerUserClient::ReadRegister |
| 22 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to incorrect bounds checking in Intel GPU driver (x2) |
| 23 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X kASLR defeat using sgdt |
| 24 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to NULL pointer dereference in IOThunderboltFamily |
| 28 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to lack of bounds checking in GPU command buffers |
| 29 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to off-by-one error in IGAccelGLContext::processSidebandToken |
| 30 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel multiple exploitable memory safety issues in token parsing in IGAccelVideoContextMedia (x5) |
| 31 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to NULL pointer dereference in IOAccelContext2::clientMemoryForType |
| 32 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_ColorSpaceConversion |
| 33 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to lack of bounds checking in IOAccelDisplayPipeTransaction2::set_plane_gamma_table |
| 34 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to multiple bounds checking issues in IGAccelGLContext token parsing (x3) |
| 35 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to controlled kmem_free size in IOSharedDataQueue |
| 36 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to lack of bounds checking in AppleMultitouchIODataQueue |
| 37 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to bad free in IOBluetoothFamily |
| 38 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to integer overflow in IOBluetoothDataQueue (root only) |
| 39 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to integer overflow in IODataQueue::enqueue |
| 40 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to heap overflow in IOHIKeyboardMapper::parseKeyMapping |
| 41 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel code execution due to NULL pointer dereference in IOHIKeyboardMapper::stickyKeysfree |
| 42 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit kernel memory disclosure due to lack of bounds checking in IOHIKeyboardMapper::modifierSwapFilterKey |
| 181 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit EoP due to lack of bounds checking in Intel GPU driver [CCProjectZeroMembers] |
| 182 | ---- | Fixed | ---- | ---- | cevans@google.com | OS X IOKit EoP due to lack of bounds checking in Intel GPU driver (IOAccelResource2::dirtyLevel) [CCProjectZeroMembers] |
| 191 | ---- | Fixed | ---- | ---- | cevans@google.com | Exploitable Kernel NULL dereference in IGAccelCLContext::map_user_memory [CCProjectZeroMembers] |
| 394 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X HFS_EXTEND_FS sysctl discloses uninitialized kernel stack memory to userspace [CCProjectZeroMembers] |
| 542 | ---- | Fixed | ---- | ---- | ianbeer@google.com | iOS and OS X kernel code execution via double-delete in IOHIDEventQueue::start due to incorrect error handling [CCProjectZeroMembers] |
| 543 | ---- | Fixed | ---- | ---- | ianbeer@google.com | iOS and OS X kernel code execution due to integer overflow in NECP system control socket packet parsing [CCProjectZeroMembers] |
| 553 | ---- | Fixed | ---- | ---- | ianbeer@google.com | OS X and iOS unsandboxable kernel use-after-free in mach vouchers [CCProjectZeroMembers] |
| 561 | ---- | Duplicate | ---- | ---- | ianbeer@google.com | IOKit doesn't correctly handle spoofed no-more-senders notifications leading to many bugs (OS X and iOS) [CCProjectZeroMembers] |
| 565 | ---- | Duplicate | ---- | ---- | ianbeer@google.com | OS X Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications [CCProjectZeroMembers] |
| 566 | ---- | Duplicate | ---- | ---- | ianbeer@google.com | Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications [CCProjectZeroMembers] |
| 567 | ---- | Duplicate | ---- | ---- | ianbeer@google.com | OS X Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications [CCProjectZeroMembers] |
| 618 | ---- | Fixed | ---- | ---- | ianbeer@google.com | Multiple iOS/OS X kernel uninitialized variable bugs leading to code execution [CCProjectZeroMembers] |
| 620 | ---- | Duplicate | ---- | ---- | ianbeer@google.com | iOS/OS X unsandboxable kernel code execution due to iokit double release in IOKit (with RIP control PoC) [CCProjectZeroMembers] |