> There might be an exploitable condition after the probe if the length is fetched from somewhere else on a subsequent read / write operation on the probed buffer.
Errr, yeah. I might not have been clear, sorry for that. I was asking for a feature request to add another vuln to the driver (just a dedicated ioctl would be enough) that would trigger a bug by leveraging a ProbeForRead or ProbeForWrite bypass.
Exactly as the other current issues (which AFAIK are feature requests rather than proper "issues").
ProbeForRead and ProbeForWrite can be bypassed when the `Length` argument is zero. There might be an exploitable condition after the probe if the length is fetched from somewhere else on a subsequent read / write operation on the probed buffer.
Some examples:
I've also seen it in some AV drivers.
Cheers, and thanks for the driver & sources! o/
P.S: do you accept pull requests if I want to implement this 'feature'?
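The pattern the issue describes, as an added, self-contained example (not code from this driver or from the issue author): a driver probes a user buffer with a caller-controlled `Length` of zero, which `ProbeForRead` treats as "nothing to check", and then copies a second length taken from the request. Everything here is a constructed user-mode model: `probe_for_read` mirrors the documented zero-length behaviour but returns a status instead of raising, the address space is a flat array with a made-up `USER_PROBE_ADDRESS` boundary, and the `IOCTL_INPUT` layout and handler names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a flat address space: user range [0, USER_PROBE_ADDRESS),
   kernel range above it. "Addresses" are offsets into MEM. */
#define MEM_SIZE            0x1000u
#define USER_PROBE_ADDRESS  0x0800u
static uint8_t MEM[MEM_SIZE];

#define STATUS_SUCCESS               0
#define STATUS_ACCESS_VIOLATION      1
#define STATUS_DATATYPE_MISALIGNMENT 2
#define STATUS_INVALID_PARAMETER     3

/* Model of ProbeForRead. The real routine raises an exception on failure; this one
   returns a status. The property under discussion is preserved: Length == 0 checks
   nothing at all, so a kernel address passes. */
static int probe_for_read(uint32_t addr, uint32_t len, uint32_t align) {
    if (len == 0) return STATUS_SUCCESS;                  /* no check performed */
    if (addr % align) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr || addr + len > USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Hypothetical ioctl input: Length is what the driver probes, DataLength is the
   value "fetched from somewhere else" that the later copy actually uses. */
typedef struct {
    uint32_t Buffer;      /* user-supplied address (offset into MEM) */
    uint32_t Length;      /* passed to the probe */
    uint32_t DataLength;  /* used for the copy */
} IOCTL_INPUT;

/* Vulnerable handler: probes Length bytes, copies DataLength bytes.
   Returns bytes copied, or a negative status. */
static int vuln_ioctl(const IOCTL_INPUT *in, uint8_t *out, size_t outcap) {
    int st = probe_for_read(in->Buffer, in->Length, sizeof(uint32_t));
    if (st != STATUS_SUCCESS) return -st;
    size_t n = in->DataLength < outcap ? in->DataLength : outcap;
    /* This bound only keeps the model inside MEM; it is not a security check. */
    if ((size_t)in->Buffer + n > MEM_SIZE) return -STATUS_ACCESS_VIOLATION;
    memcpy(out, &MEM[in->Buffer], n);   /* reads whatever Buffer points at, kernel included */
    return (int)n;
}

/* Fixed handler: rejects a zero length and probes exactly the range that will be read. */
static int fixed_ioctl(const IOCTL_INPUT *in, uint8_t *out, size_t outcap) {
    if (in->DataLength == 0 || in->DataLength > outcap) return -STATUS_INVALID_PARAMETER;
    int st = probe_for_read(in->Buffer, in->DataLength, sizeof(uint32_t));
    if (st != STATUS_SUCCESS) return -st;
    memcpy(out, &MEM[in->Buffer], in->DataLength);
    return (int)in->DataLength;
}

/* Populates the model: a marker in user space, a "secret" above the boundary. */
static void setup_memory(void) {
    memset(MEM, 0, sizeof MEM);
    memcpy(&MEM[0x0100], "USERDATA", 8);
    memcpy(&MEM[USER_PROBE_ADDRESS + 0x10], "KERNELSECRET", 12);
}

int main(void) {
    uint8_t out[32];
    setup_memory();

    /* Honest request: probe and copy agree, kernel address is rejected. */
    IOCTL_INPUT honest = { USER_PROBE_ADDRESS + 0x10, 12, 12 };
    printf("honest  vuln=%d fixed=%d\n",
           vuln_ioctl(&honest, out, sizeof out), fixed_ioctl(&honest, out, sizeof out));

    /* Bypass: Length == 0 passes the probe, DataLength drives the copy. */
    IOCTL_INPUT evil = { USER_PROBE_ADDRESS + 0x10, 0, 12 };
    int n = vuln_ioctl(&evil, out, sizeof out);
    printf("bypass  vuln=%d (%.*s) fixed=%d\n",
           n, n > 0 ? n : 0, out, fixed_ioctl(&evil, out, sizeof out));
    return 0;
}
```

The same reasoning applies to `ProbeForWrite`; the fix in both cases is to probe with the length that the subsequent access will actually use, and to treat a zero length as an error rather than letting it silently skip the check.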