Still pissed at Broadcom for not issuing a security advisory for that kernel vulnerability I found a decade ago that affected the Raspberry Pi. They silently refactored the code instead.

The offending code is still in FreeBSD, even after I told them to update it, since I never got around to providing a PoC. I should write that PoC I guess, since afaik FreeBSD (and possibly NetBSD) on Raspberry Pi is still vulnerable.

It is "out of bounds memory write from userspace" level bad fwiw. Though control of where it's written to is basically nil.

Current "fuck you, Broadcom" status: I've managed to wedge a Pi 1 running FreeBSD so hard I had to pull the cable out to get it to reboot. Still not a panic.

Kernel panic from userspace obtained.

You need permissions to a specific dev node, which are restricted to root by default, though.

Looks like the entire Linux side was cleaned up a decade ago... possibly by someone RPi-affiliated, not BCM-affiliated.

RPi also silently swept another kernel vulnerability I discovered under the rug around the same time. Anyway here's the patch for that userspace-triggerable OOB memory write that I reported that never got an advisory: https://github.com/raspberrypi/linux/commit/fef324cd632a3421140205754b8089b102b03f8f

And I reported the still-present-in-FreeBSD vulnerability to the secteam, with an actual PoC this time.

Literally just replied to a 6-year-old email where I gave them more details that they'd asked for, and then they never followed up further :|

Anyway, e8275dd9e24f05428d4dc955d98f59b165cdf89469bfebe9aa976dbaa35c7641

No reply from secteam yet. Hey @dexter what do I do if secteam never replies? I'd rather not just drop the PoC (which this is the hash for) publicly.

@dexter it's only been 5 days since my last email, but uh, my previous email on the matter (which never got a reply) was 6 years ago.
@endrift :-( that sucks @dexter

@dch they’re probably waiting for a report from Claude…

Cc: @endrift @dexter

@endrift I was going to say, let’s see what @dch has to say but they chimed in. Thank you for pursuing this.
@endrift for a second I thought this was a keysmash
@endrift oh fuck, people are still using fb
@Lunaphied idk but this has been patched for nearly a decade so I wouldn't worry about this one.
@endrift any amount of control of the address, or is it just random or fixed? that's one hell of a bug to get swept under the rug
@astraleureka I actually found that you might be able to read out arbitrary kernel memory if you have access to the dev node while investigating this, but I haven't looked hard enough at the patched version yet. I'm too busy emailing the FreeBSD secteam