Still pissed at Broadcom for not issuing a security advisory for that kernel vulnerability I found a decade ago that affected the Raspberry Pi. They silently refactored the code instead.

The offending code is still in FreeBSD, even after I told them to update it, since I never got around to providing a PoC. I should write that PoC I guess, since afaik FreeBSD (and possibly NetBSD) on Raspberry Pi is still vulnerable.

It is "out-of-bounds memory write from userspace" level bad, fwiw. Though control of where it's written to is basically nil.

@endrift Any amount of control of the address, or is it just random or fixed? That's one hell of a bug to get swept under the rug.

@astraleureka I actually found that you might be able to read out arbitrary kernel memory if you have access to the dev node while investigating this, but I haven't looked hard enough at the patched version yet. I'm too busy emailing the FreeBSD secteam.