| ID | Type | Status | Priority | Milestone | Owner | Summary | Labels |
|---|---|---|---|---|---|---|---|
| 15 | | Fixed | | | cevans@google.com | Lack of bounds checking in notifyd | CCProjectZeroMembers |
| 36 | | Fixed | | | cevans@google.com | OS X IOKit kernel code execution due to lack of bounds checking in AppleMultitouchIODataQueue | |
| 39 | | Fixed | | | cevans@google.com | OS X IOKit kernel code execution due to integer overflow in IODataQueue::enqueue | |
| 40 | | Fixed | | | cevans@google.com | OS X IOKit kernel code execution due to heap overflow in IOHIKeyboardMapper::parseKeyMapping | |
| 41 | | Fixed | | | cevans@google.com | OS X IOKit kernel code execution due to NULL pointer dereference in IOHIKeyboardMapper::stickyKeysfree | |
| 42 | | Fixed | | | cevans@google.com | OS X IOKit kernel memory disclosure due to lack of bounds checking in IOHIKeyboardMapper::modifierSwapFilterKey | |
| 428 | | Fixed | | | ianbeer@google.com | Stack buffer overflow in OS X regex engine (TRE) | CCProjectZeroMembers |
| 429 | | Fixed | | | ianbeer@google.com | Integer signedness and overflow issues in OS X regex engine (TRE) | CCProjectZeroMembers |
| 430 | | Fixed | | | ianbeer@google.com | Bad alloca in OS X regex engine (TRE) | CCProjectZeroMembers |
| 542 | | Fixed | | | ianbeer@google.com | iOS and OS X kernel code execution via double-delete in IOHIDEventQueue::start due to incorrect error handling | CCProjectZeroMembers |
| 543 | | Fixed | | | ianbeer@google.com | iOS and OS X kernel code execution due to integer overflow in NECP system control socket packet parsing | CCProjectZeroMembers |
| 553 | | Fixed | | | ianbeer@google.com | OS X and iOS unsandboxable kernel use-after-free in mach vouchers | CCProjectZeroMembers |
| 561 | | Duplicate | | | ianbeer@google.com | IOKit doesn't correctly handle spoofed no-more-senders notifications leading to many bugs (OS X and iOS) | CCProjectZeroMembers |
| 597 | | Fixed | | | ianbeer@google.com | io_service_close leads to potentially dangerous IOKit methods being called without locks | CCProjectZeroMembers |
| 598 | | Fixed | | | ianbeer@google.com | OS X and iOS kernel double free due to lack of locking in iokit registry iterator manipulation | CCProjectZeroMembers |
| 603 | | Fixed | | | ianbeer@google.com | iOS kernel UaF in IOReportHub | CCProjectZeroMembers |
| 604 | | Fixed | | | ianbeer@google.com | iOS kernel UaF in IOHIDEventService | CCProjectZeroMembers |
| 605 | | Fixed | | | ianbeer@google.com | iOS kernel UaF in AppleOscarCMA | CCProjectZeroMembers |
| 606 | | Fixed | | | ianbeer@google.com | iOS kernel UaF in AppleOscarCompass | CCProjectZeroMembers |
| 607 | | Fixed | | | ianbeer@google.com | iOS kernel UaF in AppleOscarAccelerometer | CCProjectZeroMembers |
| 608 | | Fixed | | | ianbeer@google.com | iOS kernel UaF in AppleOscarGyro | CCProjectZeroMembers |
| 618 | | Fixed | | | ianbeer@google.com | Multiple iOS/OS X kernel uninitialized variable bugs leading to code execution | CCProjectZeroMembers |
| 620 | | Duplicate | | | ianbeer@google.com | iOS/OS X unsandboxable kernel code execution due to iokit double release in IOKit (with RIP control PoC) | CCProjectZeroMembers |
| 774 | | Fixed | | | ianbeer@google.com | OS X kernel OOB read of object pointer due to insufficient checks in raw cast to enum type | CCProjectZeroMembers |
| 893 | | Fixed | | | ianbeer@google.com | Logic issue in launchd message requeuing allows arbitrary mach message control | CCProjectZeroMembers |
| 896 | | Duplicate | | | ianbeer@google.com | Controlled vm_deallocate size can lead to UaF in launchd | CCProjectZeroMembers |
| 926 | | Fixed | | | ianbeer@google.com | ipc_port_t reference count leak with nested MIG methods leads to OS X/iOS kernel UaF | CCProjectZeroMembers |
| 930 | | Duplicate | | | ianbeer@google.com | ipc_port_t reference count leak due to incorrect externalMethod overrides leads to OS X/iOS kernel UaF | CCProjectZeroMembers |
| 941 | | Fixed | | | ianbeer@google.com | Lack of error checking leads to reference count leak and OS X/iOS kernel UaF in _kernelrpc_mach_port_insert_right_trap | CCProjectZeroMembers |
| 954 | | Fixed | | | ianbeer@google.com | double vm_deallocate in userspace MIG code can lead to UaF in mach services | CCProjectZeroMembers |
| 959 | | Fixed | | | ianbeer@google.com | Broken kernel mach port name uref handling on iOS/MacOS can lead to privileged port name replacement in other processes | CCProjectZeroMembers |
| 965 | | Fixed | | | ianbeer@google.com | XNU kernel UaF due to lack of locking in set_dp_control_port | CCProjectZeroMembers |
| 973 | | Fixed | | | ianbeer@google.com | MacOS/iOS kernel use after free due to failure to take reference in IOService::matchPassive | CCProjectZeroMembers |
| 976 | | Fixed | | | ianbeer@google.com | MacOS/iOS arbitrary port replacement in powerd | CCProjectZeroMembers |
| 977 | | Fixed | | | ianbeer@google.com | MacOS/iOS arbitrary port replacement in syslogd | CCProjectZeroMembers |
| 1004 | | Fixed | | | ianbeer@google.com | iOS/MacOS kernel memory corruption due to userspace pointer being used as a length | CCProjectZeroMembers |
| 1034 | | Fixed | | | ianbeer@google.com | iOS/MacOS kernel UaF due to lack of locking in host_self_trap | CCProjectZeroMembers |
| 1108 | | Fixed | | | ianbeer@google.com | MacOS/iOS kernel memory corruption due to bad bounds checking in SIOCSIFORDER socket ioctl | CCProjectZeroMembers |
| 1111 | | Fixed | | | ianbeer@google.com | MacOS/iOS kernel memory corruption due to off-by-one in SIOCGIFORDER socket ioctl | CCProjectZeroMembers |
| 1115 | | Duplicate | | | ianbeer@google.com | MacOS/iOS kernel memory corruption due to bad bounds checking in necp_client_copy_interface | CCProjectZeroMembers |
| 1116 | | Fixed | | | ianbeer@google.com | MacOS/iOS kernel uaf due to bad locking in necp_open | CCProjectZeroMembers |
| 1123 | | Fixed | | | ianbeer@google.com | iOS/MacOS kernel uaf due to bad locking in unix domain socket file descriptor externalization | CCProjectZeroMembers |
| 1125 | | Fixed | | | ianbeer@google.com | MacOS/iOS kernel heap overflow in bpf | CCProjectZeroMembers |
| 1129 | | Fixed | | | ianbeer@google.com | MacOS/iOS kernel double free due to bad locking in fsevents device | CCProjectZeroMembers |
| 1140 | | Fixed | | | ianbeer@google.com | iOS/MacOS kernel memory disclosure due to lack of bounds checking in netagent socket option handling | CCProjectZeroMembers |
| 1168 | | Fixed | | | ianbeer@google.com | iOS/MacOS memory corruption due to bad bounds checking in NSCharacterSet coding for NSKeyedUnarchiver | CCProjectZeroMembers |
| 1172 | | Fixed | | | ianbeer@google.com | iOS/MacOS NSKeyedArchiver heap corruption due to rounding error in TIKeyboardLayout initWithCoder: | CCProjectZeroMembers |
| 1223 | | Fixed | | | ianbeer@google.com | MacOS/iOS userspace entitlement checking is racy | CCProjectZeroMembers |
| 1247 | | Fixed | | | ianbeer@google.com | Many iOS/MacOS sandbox escapes/privescs due to unexpected shared memory-backed xpc_data objects | CCProjectZeroMembers |
| 1372 | | Fixed | | | ianbeer@google.com | XNU kernel memory disclosure due to bug in kernel API for detecting disclosures of userspace pointers | CCProjectZeroMembers |
| 1373 | | Fixed | | | ianbeer@google.com | MacOS/iOS kernel double free due to incorrect API usage in flow divert socket option handling | CCProjectZeroMembers |
| 1377 | | Fixed | | | ianbeer@google.com | MacOS/iOS multiple kernel UAFs due to incorrect IOKit object lifetime management in IOTimeSyncClockManagerUserClient | CCProjectZeroMembers |
| 1417 | | Fixed | | | ianbeer@google.com | iOS/MacOS kernel double free due to IOSurfaceRootUserClient not respecting MIG ownership rules | CCProjectZeroMembers |