When the dongle wishes to notify the host OS of an event, it does so by encoding a special 'packet' and transmitting it to the host. These packets have an EtherType of 0x886C (referred to as ETHER_TYPE_BRCM) and do not contain actual packet data, but rather encapsulate information about events which must be handled by the driver. When the event code 'WLC_E_PFN_SWC' is received, the gscan handler function calls 'dhd_handle_swc_evt' in order to process the event's data, but fails to check the event's length against the size of the allocated memory, leading to a buffer overflow vulnerability.
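The defensive pattern the missing check amounts to, as an added example that is not code from the page or from the Broadcom driver: every length field in an event record comes from the untrusted sender, so it is validated both against the number of bytes actually received and against the capacity of the destination before anything is copied. The record layout (16-bit code, 16-bit length, payload) and the sample frames are constructed for this example and are not the real event format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical event record layout (constructed for this example; not the
 * Broadcom wire format): 16-bit event code, 16-bit payload length, payload. */
#define EVT_HDR_LEN     4
#define EVT_MAX_PAYLOAD 64

struct event {
    uint16_t code;
    uint16_t len;
    uint8_t  payload[EVT_MAX_PAYLOAD];
};

enum parse_result { PARSE_OK = 0, PARSE_SHORT = -1, PARSE_TOO_LONG = -2 };

/* Parse one event from a received frame into a fixed-size record. The
 * declared length is checked against the destination capacity and against
 * the bytes really present before the memcpy, so a frame cannot overrun
 * out->payload nor make us read past the end of buf. */
int parse_event(const uint8_t *buf, size_t buf_len, struct event *out)
{
    if (buf_len < EVT_HDR_LEN)
        return PARSE_SHORT;                      /* header truncated */

    uint16_t code = (uint16_t)(buf[0] | (buf[1] << 8));
    uint16_t len  = (uint16_t)(buf[2] | (buf[3] << 8));

    if (len > EVT_MAX_PAYLOAD)
        return PARSE_TOO_LONG;                   /* would overflow out->payload */
    if ((size_t)len > buf_len - EVT_HDR_LEN)
        return PARSE_SHORT;                      /* claims more than was received */

    out->code = code;
    out->len  = len;
    memcpy(out->payload, buf + EVT_HDR_LEN, len);
    return PARSE_OK;
}

/* Constructed sample frames for a stand-alone run. */
static const uint8_t good_frame[]  = { 0x2A, 0x00, 0x03, 0x00, 'a', 'b', 'c' };  /* len 3, 3 bytes */
static const uint8_t huge_frame[]  = { 0x2A, 0x00, 0xFF, 0x00, 'a' };            /* len 255     */
static const uint8_t short_frame[] = { 0x2A, 0x00, 0x0A, 0x00, 'a', 'b', 'c' };  /* len 10, 3 bytes */

int demo_good(void)  { struct event e; return parse_event(good_frame,  sizeof good_frame,  &e); }
int demo_huge(void)  { struct event e; return parse_event(huge_frame,  sizeof huge_frame,  &e); }
int demo_short(void) { struct event e; return parse_event(short_frame, sizeof short_frame, &e); }

int main(void)
{
    /* Exit status 0 only if all three frames are classified as expected. */
    return (demo_good() == PARSE_OK && demo_huge() == PARSE_TOO_LONG &&
            demo_short() == PARSE_SHORT) ? 0 : 1;
}
```

The order of the two checks matters: comparing the declared length against the destination first rejects oversized records regardless of how much data arrived, and the second comparison is written as `len > buf_len - EVT_HDR_LEN` only after `buf_len >= EVT_HDR_LEN` has been established, so the subtraction cannot wrap.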
Broadcom Wi-Fi HardMAC SoCs are used to handle the PHY and MAC layer processing in both mobile devices and Wi-Fi routers. The chips are capable of handling many Wi-Fi related events without delegating to the host OS. One of the events handled by the BCM firmware is the processing of TDLS connections (802.11z). In order to verify the integrity of TDLS messages, each message exchanged between the TDLS peers includes a message integrity code (MIC). When a TDLS Setup Request frame is sent by either one of the peers in an established TDLS connection, the receiving client must verify the MIC before processing the request. However, the Broadcom Wi-Fi HardMAC SoCs firmware does not properly verify the MIC for TDLS Setup Request and TDLS Setup Confirm frames, allowing an attacker to bypass the MIC verification and establish a TDLS connection with the vulnerable device.
There is a double free vulnerability in the fsevents ioctl handler due to bad locking. This can lead to an exploitable kernel use after free if two threads see the same value for devices_not_to_watch at (a), assign that to tmp then free it at (d). The lock/unlock at (b) and (c) don't protect this.
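The locking mistake described above and its fix, as an added example that is not code from the page or from XNU: the shared pointer is a constructed stand-in for devices_not_to_watch, and the (a)-(d) labels in the comments follow the description. The racy function is kept only for comparison and is never called; the fixed function does the read-and-clear as one step under the lock, so at most one caller can ever end up freeing the object.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for a lock-protected shared pointer such as the
 * devices_not_to_watch list in the description (hypothetical; not XNU code). */
struct dev_list { int count; int ids[8]; };

static pthread_mutex_t  list_lock   = PTHREAD_MUTEX_INITIALIZER;
static struct dev_list *shared_list = NULL;
static int              frees_done  = 0;   /* counts real frees, for the demo */

void list_install(struct dev_list *l)
{
    pthread_mutex_lock(&list_lock);
    shared_list = l;
    pthread_mutex_unlock(&list_lock);
}

/* Racy shape from the description. NOT called below: two threads that both
 * execute (a) before either reaches (b) hold the same tmp and free it twice. */
void list_release_racy(void)
{
    struct dev_list *tmp = shared_list;   /* (a) read outside the lock        */
    pthread_mutex_lock(&list_lock);       /* (b) lock taken too late          */
    shared_list = NULL;
    pthread_mutex_unlock(&list_lock);     /* (c)                              */
    free(tmp);                            /* (d) both callers free the same tmp */
}

/* Fixed shape: read and clear happen together inside the critical section,
 * so exactly one caller observes the non-NULL pointer. The free itself is
 * done after dropping the lock; it needs no protection once the pointer is
 * unreachable. Returns 1 if this call freed the list, 0 if nothing was left. */
int list_release(void)
{
    pthread_mutex_lock(&list_lock);
    struct dev_list *tmp = shared_list;   /* read ...                         */
    shared_list = NULL;                   /* ... and clear, under the same lock */
    pthread_mutex_unlock(&list_lock);
    if (tmp == NULL)
        return 0;
    free(tmp);
    frees_done++;
    return 1;
}

int frees_so_far(void) { return frees_done; }

/* Stand-alone run: install one list, release twice; only the first call frees. */
int main(void)
{
    struct dev_list *l = calloc(1, sizeof *l);
    list_install(l);
    int first  = list_release();
    int second = list_release();
    return (first == 1 && second == 0 && frees_so_far() == 1) ? 0 : 1;
}
```

The single-threaded run cannot reproduce the race itself, but it shows the property the fix provides: once ownership is transferred under the lock, every later caller sees NULL, which is exactly what the racy version fails to guarantee between (a) and (b).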
The constructJSReadableStreamDefaultReader() function in Webkit does not check whether the getReader() function is callable or not. This can be exploited by setting the getReader() function to an arbitrary value and then calling the constructor of the reader object with the ReadableStream object as an argument. This can lead to type confusion and arbitrary code execution.
When an element is removed from a document, the function |disconnectSubframes| is called to detach its subframes (iframe tag, object tag, etc.). The bug is that it doesn't consider |root|'s shadow root, so any subframes inside the shadow root will never be detached.
The frame is not detached from an unloaded window, allowing access to the new document's named properties. A proof-of-concept exploit is provided which creates an iframe, and then uses the Function constructor to access the new document's named properties. An attacker can then use this to inject a malicious script into the new document.
A vulnerability in the JSCallbackData::invokeCallback method of WebKit, as used in Apple Safari before 11.1.2, allows remote attackers to execute arbitrary code in a different origin by providing a crafted web site that provides a window with a different origin and invoking JSCallbackData::invokeCallback with it. This is due to the fact that the ExecState object is obtained from the callback object, which can be from a different origin.
The Frame::setDocument() function in Safari does not properly detach the frame from the cached document. This can be exploited to execute arbitrary code in the context of the cached document by creating an element with a malicious href attribute and clicking it.
audit_pipe_open is the special file open handler for the auditpipe device (major number 10). There's an off-by-one in the minor number bounds check: (u < 0 || u > MAX_AUDIT_PIPES) should be (u < 0 || u >= MAX_AUDIT_PIPES). By setting a small ap_qlimit via the AUDITPIPE_SET_QLIMIT ioctl, the struct audit_pipe* can be read out-of-bounds.
An out-of-bounds read vulnerability exists in the AppleIntelCapriController::getDisplayPipeCapability() function in the macOS kernel due to lack of bounds checking. An attacker can control a dword from the input buffer which is used to index an array of pointers with no bounds checking. This can be exploited to read kernel memory, allowing an attacker to defeat kernel address space layout randomization (KASLR).
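Both of the last two entries come down to validating an untrusted index before it selects an element of a fixed-size table: the auditpipe check is off by one, and the display-pipe lookup has no check at all. The following added example, which is not code from the page or from XNU, puts the quoted buggy comparison beside the corrected one and shows a lookup that takes the raw 32-bit value directly. The table, its size constant (standing in for MAX_AUDIT_PIPES) and the entry contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_ENTRIES 8   /* constructed table size, standing in for MAX_AUDIT_PIPES */

/* Constructed table that a caller selects from by index. In the described
 * bugs the index is attacker-controlled (a device minor number, a dword from
 * an ioctl input buffer). Hypothetical; not XNU's data structures. */
struct entry { int id; };
static const struct entry table[MAX_ENTRIES] = {
    {100}, {101}, {102}, {103}, {104}, {105}, {106}, {107}
};

/* Buggy comparison as quoted on the page: '>' accepts u == MAX_ENTRIES,
 * which would index one element past the end of the table. Returns 1 if
 * the check would let the index through (no table access is made here). */
int accepts_index_buggy(int u)
{
    return !(u < 0 || u > MAX_ENTRIES);
}

/* Corrected comparison: valid indices are 0 .. MAX_ENTRIES-1 inclusive. */
int accepts_index_fixed(int u)
{
    return !(u < 0 || u >= MAX_ENTRIES);
}

/* Lookup taking the raw dword from an input buffer. Comparing it as an
 * unsigned value makes one test cover both "negative" (huge when unsigned)
 * and too-large indices. Returns NULL for anything out of range; callers
 * must handle NULL rather than assume a pointer. */
const struct entry *lookup(uint32_t raw_index)
{
    if (raw_index >= MAX_ENTRIES)
        return NULL;
    return &table[raw_index];
}

int main(void)
{
    /* Stand-alone run: the boundary index is the whole difference. */
    int boundary_ok = accepts_index_buggy(MAX_ENTRIES) == 1 &&
                      accepts_index_fixed(MAX_ENTRIES) == 0;
    int lookup_ok   = lookup(MAX_ENTRIES - 1) != NULL && lookup(MAX_ENTRIES) == NULL &&
                      lookup(0xFFFFFFFFu) == NULL;
    return (boundary_ok && lookup_ok) ? 0 : 1;
}
```

A useful review habit for checks of this shape is to test the exact boundary value (here MAX_ENTRIES) rather than only a clearly-valid and a clearly-huge index; the buggy and fixed comparisons agree everywhere except at that one value.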