A use after free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.2.1, iOS 16.3.1 and iPadOS 16.3.1. An app may be able to execute arbitrary code with kernel privileges..

This document describes the security content of iOS 16.3.1 and iPadOS 16.3.1.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**iOS 16.3.1 and iPadOS 16.3.1**

Released February 13, 2023

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero

**Security**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing a maliciously crafted certificate may lead to a denial-of-service

Description: A denial-of-service issue was addressed with improved input validation.

CVE-2023-23524: David Benjamin of Google Chrome

Entry added February 20, 2023

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A type confusion issue was addressed with improved checks.

WebKit Bugzilla: 251944  
CVE-2023-23529: an anonymous researcher

**Additional recognition**

We would like to acknowledge The Citizen Lab at The University of Toronto’s Munk School for their assistance.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: February 20, 2023

CVE-2023-23514: About the security content of iOS 16.3.1 and iPadOS 16.3.1

The issue was addressed with improved UI handling. This issue is fixed in Safari 15.6, iOS 15.6 and iPadOS 15.6. Visiting a maliciously crafted website may leak sensitive data.

Released July 20, 2022

**Safari Extensions**

Available for: macOS Big Sur and macOS Catalina

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: The issue was addressed with improved UI handling.

CVE-2022-32784: Young Min Kim of CompSec Lab at Seoul National University

**WebKit**

Available for: macOS Big Sur and macOS Catalina

Impact: A user may be tracked through their IP address

Description: A logic issue was addressed with improved state management.

CVE-2022-32861: Matthias Keller (m-keller.com)

Entry added September 16, 2022

**WebKit**

Available for: macOS Big Sur and macOS Catalina

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-32863: P1umer, afang5472, xmzyshypnc

Entry added September 16, 2022

**WebKit**

Available for: macOS Big Sur and macOS Catalina

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@\_manfp) working with Trend Micro Zero Day Initiative

**WebRTC**

Available for: macOS Big Sur and macOS Catalina

Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

CVE-2022-32784: About the security content of Safari 15.6

The issue was addressed with improved handling of caches. This issue is fixed in macOS Ventura 13.2, tvOS 16.3, iOS 16.3 and iPadOS 16.3, watchOS 9.3. Visiting a website may lead to an app denial-of-service.

Released January 23, 2023

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by enabling hardened runtime.

CVE-2023-23499: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**Crash Reporter**

Available for: macOS Ventura

Impact: A user may be able to read arbitrary files as root

Description: A race condition was addressed with additional validation.

CVE-2023-23520: Cees Elzinga

Entry added February 20, 2023

**curl**

Available for: macOS Ventura

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating to curl version 7.86.0.

CVE-2022-42915

CVE-2022-42916

CVE-2022-32221

CVE-2022-35260

**dcerpc**

Available for: macOS Ventura

Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco Talos

**DiskArbitration**

Available for: macOS Ventura

Impact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password

Description: A logic issue was addressed with improved state management.

CVE-2023-23493: Oliver Norpoth (@norpoth) of KLIXX GmbH (klixx.com)

**Foundation**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-23530: Austin Emmitt, Senior Security Researcher at Trellix ARC

Entry added February 20, 2023

**Foundation**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-23531: Austin Emmitt, Senior Security Researcher at Trellix ARC

Entry added February 20, 2023

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may lead to a denial-of-service

Description: A memory corruption issue was addressed with improved state management.

CVE-2023-23519: Yiğit Can YILMAZ (@yilmazcanyigit)

**Intel Graphics Driver**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2023-23507: an anonymous researcher

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to leak sensitive kernel state

Description: The issue was addressed with improved memory handling.

CVE-2023-23500: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to determine kernel memory layout

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-23504: Adam Doupé of ASU SEFCOM

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: A permissions issue was addressed with improved validation.

CVE-2023-23506: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**Mail Drafts**

Available for: macOS Ventura

Impact: The quoted original message may be selected from the wrong email when forwarding an email from an Exchange account

Description: A logic issue was addressed with improved state management.

CVE-2023-23498: an anonymous researcher

**Maps**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-23503: an anonymous researcher

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved state management.

CVE-2023-23497: Mickey Jin (@patch1t)

**Safari**

Available for: macOS Ventura

Impact: An app may be able to access a user’s Safari history

Description: A permissions issue was addressed with improved validation.

CVE-2023-23510: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**Safari**

Available for: macOS Ventura

Impact: Visiting a website may lead to an app denial-of-service

Description: The issue was addressed with improved handling of caches.

CVE-2023-23512: Adriatik Raci

**Screen Time**

Available for: macOS Ventura

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23505: Wojciech Reguła of SecuRing (wojciechregula.blog)

**Vim**

Available for: macOS Ventura

Impact: Multiple issues in Vim

Description: A use after free issue was addressed with improved memory management.

CVE-2022-3705

**Weather**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: The issue was addressed with improved memory handling.

CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 245464  
CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, Jiming Wang, JiKai Ren and Hang Shu of Institute of Computing Technology, Chinese Academy of Sciences

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park (@tree\_segment), SeOk JEON (@\_seokjeon), YoungSung Ahn (@\_ZeroSung), JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park (@tree\_segment), SeOk JEON (@\_seokjeon), YoungSung Ahn (@\_ZeroSung), JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

**Wi-Fi**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory.

Description: The issue was addressed with improved memory handling

CVE-2023-23501: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Windows Installer**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences.

Description: The issue was addressed with improved memory handling.

CVE-2023-23508: Mickey Jin (@patch1t)

CVE-2023-23512: About the security content of macOS Ventura 13.2

A logic issue was addressed with improved state management. This issue is fixed in iOS 15.6 and iPadOS 15.6. A user may be able to view restricted content from the lock screen.

Released July 20, 2022

**APFS**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32832: Tommy Muir (@Muirey03)

**AppleAVD**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause kernel code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2022-32788: Natalie Silvanovich of Google Project Zero

**AppleAVD**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32824: Antonio Zekic (@antoniozekic) and John Aakerblom (@jaakerblom)

**AppleMobileFileIntegrity**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to gain root privileges

Description: An authorization issue was addressed with improved state management.

CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

**Apple Neural Engine**

Available for devices with Apple Neural Engine: iPhone 8 and later, iPad Pro (3rd generation) and later, iPad Air (3rd generation) and later, and iPad mini (5th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An integer overflow was addressed with improved input validation.

CVE-2022-42805: Mohamed Ghannam (@\_simo36)

Entry added November 9, 2022

**Apple Neural Engine**

Available for devices with Apple Neural Engine: iPhone 8 and later, iPad Pro (3rd generation) and later, iPad Air (3rd generation) and later, and iPad mini (5th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2022-32948: Mohamed Ghannam (@\_simo36)

Entry added November 9, 2022

**Apple Neural Engine**

Available for devices with Apple Neural Engine: iPhone 8 and later, iPad Pro (3rd generation) and later, iPad Air (3rd generation) and later, and iPad mini (5th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2022-32845: Mohamed Ghannam (@\_simo36)

Entry updated November 9, 2022

**Apple Neural Engine**

Available for devices with Apple Neural Engine: iPhone 8 and later, iPad Pro (3rd generation) and later, iPad Air (3rd generation) and later, and iPad mini (5th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32840: Mohamed Ghannam (@\_simo36)

CVE-2022-32829: Tingting Yin of Tsinghua University, and Min Zheng of Ant Group

Entry updated September 16, 2022

**Apple Neural Engine**

Available for devices with Apple Neural Engine: iPhone 8 and later, iPad Pro (3rd generation) and later, iPad Air (3rd generation) and later, and iPad mini (5th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32810: Mohamed Ghannam (@\_simo36)

**Audio**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32820: an anonymous researcher

**Audio**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32825: John Aakerblom (@jaakerblom)

**CoreMedia**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom (@jaakerblom)

**CoreText**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2022-32839: STAR Labs (@starlabs\_sg)

**File System Events**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-32819: Joshua Mason of Mandiant

**GPU Drivers**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to disclose kernel memory

Description: Multiple out-of-bounds write issues were addressed with improved bounds checking.

CVE-2022-32793: an anonymous researcher

**GPU Drivers**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-32821: John Aakerblom (@jaakerblom)

**Home**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to view restricted content from the lock screen

Description: A logic issue was addressed with improved state management.

CVE-2022-32855: Zitong Wu(吴梓桐) from Zhuhai No.1 Middle School(珠海市第一中学)

Entry updated September 16, 2022

**iCloud Photo Library**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to access sensitive user information

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2022-32849: Joshua Jones

**ICU**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**ImageIO**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32841: hjy79425575

**ImageIO**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: A logic issue was addressed with improved checks.

CVE-2022-32802: Ivan Fratric of Google Project Zero, Mickey Jin (@patch1t)

**ImageIO**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may lead to disclosure of user information

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32830: Ye Zhang (@co0py\_Cat) of Baidu Security

**ImageIO**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing an image may lead to a denial-of-service

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

**IOMobileFrameBuffer**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26768: an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32813: Xinru Chi of Pangu Lab

CVE-2022-32815: Xinru Chi of Pangu Lab

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32817: Xinru Chi of Pangu Lab

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app with arbitrary kernel read and write capability may be able to bypass Pointer Authentication

Description: A logic issue was addressed with improved state management.

CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app with arbitrary kernel read and write capability may be able to bypass Pointer Authentication

Description: A race condition was addressed with improved state handling.

CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)

**Liblouis**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China (nipc.org.cn)

**libxml2**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to leak sensitive user information

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-32823

**Multi-Touch**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved state handling.

CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

**PluginKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to read arbitrary files

Description: A logic issue was addressed with improved state management.

CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

**Safari Extensions**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: The issue was addressed with improved UI handling.

CVE-2022-32784: Young Min Kim of CompSec Lab at Seoul National University

**Software Update**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user in a privileged network position can track a user’s activity

Description: This issue was addressed by using HTTPS when sending information over the network.

CVE-2022-32857: Jeffrey Paul (sneak.berlin)

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 239316  
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@\_manfp) working with Trend Micro Zero Day Initiative

**WebRTC**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write was addressed with improved input validation.

CVE-2022-32860: Wang Yu of Cyberserval

Entry added November 9, 2022

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32837: Wang Yu of Cyberserval

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32847: Wang Yu of Cyberserval

CVE-2022-32855: About the security content of iOS 15.6 and iPadOS 15.6

The issue was addressed with improved memory handling. This issue is fixed in tvOS 15.6, watchOS 8.7, iOS 15.6 and iPadOS 15.6. An app may be able to disclose kernel memory.

Released July 20, 2022

**APFS**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32832: Tommy Muir (@Muirey03)

**AppleAVD**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A remote user may be able to cause kernel code execution

Description: A buffer overflow issue was addressed with improved bounds checking.

CVE-2022-32788: Natalie Silvanovich of Google Project Zero

**AppleAVD**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32824: Antonio Zekic (@antoniozekic) and John Aakerblom (@jaakerblom)

**AppleMobileFileIntegrity**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to gain root privileges

Description: An authorization issue was addressed with improved state management.

CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

**Audio**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32820: an anonymous researcher

**Audio**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32825: John Aakerblom (@jaakerblom)

**CoreMedia**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom (@jaakerblom)

**CoreText**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2022-32839: STAR Labs (@starlabs\_sg)

**File System Events**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-32819: Joshua Mason of Mandiant

**GPU Drivers**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: Multiple out-of-bounds write issues were addressed with improved bounds checking.

CVE-2022-32793: an anonymous researcher

**GPU Drivers**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-32821: John Aakerblom (@jaakerblom)

**iCloud Photo Library**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to access sensitive user information

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2022-32849: Joshua Jones

**ICU**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**ImageIO**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32841: hjy79425575

**ImageIO**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: A logic issue was addressed with improved checks.

CVE-2022-32802: Ivan Fratric of Google Project Zero, Mickey Jin (@patch1t)

**ImageIO**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing a maliciously crafted image may lead to disclosure of user information

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32830: Ye Zhang (@co0py\_Cat) of Baidu Security

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32813: Xinru Chi of Pangu Lab

CVE-2022-32815: Xinru Chi of Pangu Lab

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32817: Xinru Chi of Pangu Lab

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app with arbitrary kernel read and write capability may be able to bypass Pointer Authentication

Description: A logic issue was addressed with improved state management.

CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)

**Liblouis**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China (nipc.org.cn)

**libxml2**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to leak sensitive user information

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-32823

**Multi-Touch**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

**Software Update**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A user in a privileged network position can track a user’s activity

Description: This issue was addressed by using HTTPS when sending information over the network.

CVE-2022-32857: Jeffrey Paul (sneak.berlin)

**WebKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 239316  
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**WebKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@\_manfp) working with Trend Micro Zero Day Initiative

**Wi-Fi**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32837: Wang Yu of Cyberserval

**Wi-Fi**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32847: Wang Yu of Cyberserval

CVE-2022-32824: About the security content of tvOS 15.6

There is a data processing error vulnerability in Leia-B29 2.0.0.49(M03). Successful exploitation could bypass lock screen authentication.

A Huawei band has a data processing error vulnerability. Successful exploitation could bypass lock screen authentication.(Vulnerability ID:HWPSIRT-2022-11965) This vulnerability has been assigned a (CVE)ID:CVE-2022-48254

Affected Product

Affected Version

Repair Version

Leia-B29

Leia-B29 2.0.0.49(M03)

Leia-B19 2.0.0.56(M04)

HWPSIRT-2022-11965:

Successful exploitation could bypass lock screen authentication.

  

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-11965

Base Score: 6.2

Temporary Score: 5.8

Environmental Score: NA

CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

  

HWPSIRT-2022-11965:

This vulnerability can be exploited only when the following conditions are present:

The attacker needs to perform operations on the affected device.

Technical details:

The lock screen function of a Huawei band has a data processing error vulnerability. This vulnerability is caused by improper implementation in certain lock screen scenarios. An attacker can exploit this vulnerability by following specific operations. Successful exploitation may bypass screen lock authentication.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

HWPSIRT-2022-11965:

This vulnerability was discovered by Huawei internal tester.

2023-01-18 V1.0 Initial Release

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48254: Security Advisory - Data Processing Error Vulnerability in a Huawei Band

The second part of our password manager series looks at business-grade tech to handle API tokens, login credentials, and more

The second part of our password manager series looks at business-grade tech to handle API tokens, login credentials, and more

Modern enterprises run dozens (and sometimes hundreds) of servers, services, applications, APIs, containers, and other technologies.

To secure these resources, enterprises need tools to manage secrets, including passwords, encryption keys, SSH (secure shell) keys, API tokens, certificates, and more.

The problem is that these resources are often spread across many platforms, including on-premise (on-prem) servers, cloud\-based services, serverless applications, and container orchestration tools, making it very difficult to manage secrets in an efficient way.

Liked this article? Sign up to our new newsletter – Daily Swig Deserialized

Not infrequently, this leads to employees using ad hoc and insecure methods to manage authorization, such as storing secrets in plaintext files, hardcoding tokens in source code files uploaded to GitHub repositories, and storing encryption keys in unprotected S3 buckets.

This results in ‘secrets sprawl’ – logins and other credentials stored in many places – a practice that is often a contributory factor in data breaches.

One way to avoid secrets sprawl is to use a ‘secrets manager’, a tool that securely stores and manages secrets throughout their lifecycle. Secret managers can store all sorts of secrets (passwords, API tokens, certificates, etc.) and control how humans, devices, and services access them.

There are a few key features to look for in secrets managers:

*   Support for various IT configurations: A good secrets manager should equally support cloud, multi-cloud, on-prem, and hybrid IT systems.
*   Support for range of authentication protocols: Aside from passwords, the solution must support certificates, encryption keys, API tokens, and other kinds of authentication systems that constitute the security backbone of your IT system.
*   Support for various authentication organizations: The technology should enable you to adjust your secrets access policy based on your organizational structure using roles, groups, etc.
*   Support for different types of users: Many IT systems must regulate not only human access but also how machines and services access digital resources.
*   Integration: Any product or service must provide various tools such as plugins, APIs, and CLIs to automate the storage and retrieval of secrets.
*   Centralized management: A secrets management installation should provide real-time visibility and control on how users, services, and devices access secrets across the enterprise.

Here is a quick evaluation of a few popular secrets management products.

**HashiCorp Vault**

HashiCorp Vault is a popular enterprise solution for managing and securing passwords, tokens, encryption keys, certificates, API keys, and various other secrets.

Vault integrates with your main identity provider, such as Active Directory, LDAP, or your chosen cloud platform. The technology can manage secrets for more than 100 different systems, including public and private clouds, databases, messaging queues, and SSH endpoints.

Among the strengths of Hashicorp Vault is support for dynamically generated secrets. The product also provides granular control over access to different resources and a facility for administrators to revoke permissions as soon as something goes wrong.

Vault has a strong API that is easily integrated into applications to retrieve secrets, which discourages developers from relying on hardcoded passwords and tokens.

However, the benefits of Hashicorp Vault do not come without tradeoffs. The user interface is far from intuitive and has a steep learning curve. Most functionality is controlled through a CLI interface, which is good for automation but awkward for manual use.

HashiCorp Vault is open source, giving you the option to host it yourself. Alternatively, you can use a cloud-hosted instance of the secrets manager at $0.03/hour.

*   Pros: Large support for different cloud and on-prem technology stacks, dynamic secret generation, strong API support, open source
*   Cons: Steep learning curve, poor UI

Secrets managers securely store and manage secrets throughout their lifecycle

**CyberArk Conjur**

CyberArk Conjur is a secrets management solution for centralized identity and access management across an enterprise.

Conjur supports various secret types, including passwords, service account tokens, and API tokens. It also supports integration with popular cloud infrastructures including GCP (Google Cloud Platform), AWS, and Azure, as well as a range of database types, CI/CD platforms, and container orchestration tools.

Like HashiCorp, Conjur supports integration with existing authentication solutions, including OAuth, LDAP, and other identity providers.

Conjur has a centralized management system where administrators can define their resources and the users, roles, devices, scripts, services, and other entities that want to access secrets. They can also define the enterprise’s secrets along with rules such as password rotation and auditing.

Application managers and developers use plugins and APIs to integrate Conjur into their CI/CD, cloud applications, or other resources that want to grant access the secrets store.

Conjur is open source and you can self-host the application. Like HashiCorp, one of the downsides of Conjur is the difficulty of both initial set-up and ongoing management.

*   Pros: Versatile support for various applications, cloud providers, container orchestration tools, etc; plugins and APIs for different types of integrations.
*   Cons: Complex setup and administration

Password manager security: Which is the right option for me?

  
**Enterprise password managers**

While secrets managers are useful tools, they might be overkill for smaller organizations or other entities that operate without a complex digital footprint. Given the high technical barrier of entry for secrets managers, companies without a dedicated IT team might not be equipped to use them.

For these businesses, a password manager might be a better option. Password managers only serve to securely store, access, and share passwords. They lack the integration, programming, and automation features of secrets managers, but can be great tools for securing credentials across an organization.

The Daily Swig reviewed personal and family-focused password managers in a previous article. In addition to the features of a personal password manager, a business password manager should provide the following:

*   Centralized management: The administrator should be able to obtain reports on employee password health, usage, sharing, etc.
*   Integration with identity providers: Businesses should be able to use their current identity provider (AD, Azure, Okta, etc) to log into their password manager.

Here are two popular business-focused password managers that are worth considering.

**1Password**

1Password is a popular password manager supported across all major platforms, including macOS, Windows, Linux, Android, and iOS. 1Password also has a Chrome extension for auto-filling login information on websites and storing new credentials in their vault.

1Password users can create multiple vaults to store passwords, credit card information, API tokens, crypto wallet recovery seeds, and other sensitive documents or data. 1Password also allows you share to secrets with other users and can limit password-sharing through expiry dates, limited views, and specific email addresses that can access a shared link.

A Watchtower feature monitors for reused passwords, vulnerable passwords, and potentially compromised accounts.

The business edition provides administrators with a zoomed-out view of password security across an organization. It also provides granular-access features, enabling administrators to configure permissions, groups, roles, and vault access at scale.

Previously, 1Password did not support single sign-on (SSO). But it has recently added beta support for SSO login through Okta, with Azure and Duo to be added soon. The vendor is also adding integration with Azure AD, Google Workspace, Okta, OneLogin, and Slack.

1Password Business costs $7.99 per user per month. As a bonus, each 1Password Business user gets a free Families account, which they can share with five family members.

*   Pros: Flexible password sharing, admin dashboard for organization-wide health report, mass assignment, bonus Family plan
*   Cons: SSO currently only available as beta preview

**NordPass**

NordPass is an easy-to-use service that includes the basic features you would expect from a password manager, including cross-platform support, auto-fill, and the storage of different types of credentials.

NordPass also has a breach monitoring feature that scans the web for security incidents that involve the credentials of your organization.

NordPass Business provides a security dashboard that enables you to get company-wide reports on password health and activity logs. Users can share passwords and credit card data among team members.

The technology also provides centralized administration tools, including the ability to set company-wide multi-factor authentication (MFA) and password policies, and granting or revoking employees’ access to password vaults.

NordPass Business costs $3.59 per user per month. An Enterprise plan (price not listed) supports SSO with Okta, Azure AD, and Microsoft AD as well as user provisioning via AD (Active Directory).

*   Pros: Centralized administration, company-wide policies, centralized granting and revoking of employee access
*   Cons: Basic Business plan does not support SSO

YOU MAY ALSO LIKE ‘Most web API flaws are missed by standard security tests’ – Corey J Ball on securing a neglected attack vector

Password managers: A rough guide to enterprise secret platforms

A new ChromeLoader malware campaign has been observed being distributed via virtual hard disk (VHD) files, marking a deviation from the ISO optical disc image format.
"These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games," AhnLab Security Emergency response Center (ASEC) said in a report last week.
ChromeLoader (aka

Browser Security / Malware

A new ChromeLoader malware campaign has been observed being distributed via virtual hard disk (VHD) files, marking a deviation from the ISO optical disc image format.

"These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games," AhnLab Security Emergency response Center (ASEC) said in a report last week.

ChromeLoader (aka Choziosi Loader or ChromeBack) originally surfaced in January 2022 as a browser-hijacking credential stealer but has since evolved into a more potent, multifaceted threat capable of stealing sensitive data, deploying ransomware, and even dropping decompression bombs.

The primary goal of the malware is to compromise web browsers like Google Chrome, and modify the browser settings to intercept and direct traffic to dubious advertising websites. What's more, ChromeLoader has emerged as a conduit to carry out click fraud by leveraging a browser extension to monetize clicks.

Since arriving on the scene, the malware has gone through multiple versions, many of them equipped with capabilities to break into both Windows and macOS systems. The shift to VHD files is yet another sign that the campaign has gone through many changes over the past few months.

The infection chain indicates that users looking for pirated software and video game cheats are the main targets, leading to the download of VHD files from fraudulent websites appearing on search results pages.

Some of the game titles and popular software used are Elden Ring, Dark Souls III, Red Dead Redemption 2, Need for Speed, Call of Duty, The Legend of Zelda: Breath of the Wild, Mario Kart 8 Deluxe, Super Mario Odyssey, Microsoft Office, and Adobe Photoshop.

"When a VHD file is downloaded through this process, the user can easily mistake the malicious VHD file for a game-related program," ASEC researchers said. "Disguising malware as game hacks and crack programs is a method employed by many threat actors."

To mitigate such risks, it's recommended that users refrain from following suspicious links and download software only from official sources.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

ChromeLoader Malware Targeting Gamers via Fake Nintendo and Steam Game Hacks

Categories: News
The most interesting security related news from the week of February 20 to 26.



(Read more...)




The post A week in security (February 20 - 26) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (February 20 - 26)

In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b04  
8cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/cb298c137f3dbfb95a609671a61103fb  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

I found a related discussion in the past about a similar bug here :  
https://groups.google.com/g/syzkaller-bugs/c/BFLa1ZwXyG0/m/UIh6Pl2GBAAJ

Console log :

loop3: detected capacity change from 0 to 4096  
\==================================================================  
BUG: KASAN: slab-out-of-bounds in ntfs\_attr\_find+0xb87/0xce0  
Read of size 2 at addr ffff888106fc30ab by task syz-executor.3/11599

CPU: 0 PID: 11599 Comm: syz-executor.3 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
ntfs\_attr\_find+0xb87/0xce0  
ntfs\_attr\_lookup+0x1051/0x2040  
ntfs\_read\_locked\_inode+0xb0c/0x5ab0  
ntfs\_iget+0x12d/0x180  
ntfs\_fill\_super+0x1ed0/0x8590  
mount\_bdev+0x34d/0x410  
legacy\_get\_tree+0x105/0x220  
vfs\_get\_tree+0x89/0x2f0  
path\_mount+0x121b/0x1cb0  
do\_mount+0xf3/0x110  
\_\_x64\_sys\_mount+0x18f/0x230  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7f0e85e9146e  
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f  
84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007f0e849fda08 EFLAGS: 00000206 ORIG\_RAX: 00000000000000a5  
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f0e85e9146e  
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f0e849fda60  
RBP: 00007f0e849fdaa0 R08: 00007f0e849fdaa0 R09: 0000000020000000  
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000  
R13: 0000000020000100 R14: 00007f0e849fda60 R15: 0000000020000040  
</TASK>

Allocated by task 1:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_slab\_alloc+0x85/0xb0  
kmem\_cache\_alloc+0x204/0xcc0  
\_\_kernfs\_new\_node+0xd4/0x8b0  
kernfs\_new\_node+0x93/0x120  
\_\_kernfs\_create\_file+0x51/0x350  
sysfs\_add\_file\_mode\_ns+0x20f/0x3f0  
internal\_create\_group+0x314/0xba0  
internal\_create\_groups.part.0+0x90/0x140  
sysfs\_create\_groups+0x25/0x50  
kobject\_add\_internal+0x318/0x8f0  
kobject\_init\_and\_add+0x101/0x160  
netdev\_queue\_update\_kobjects+0x1fe/0x4e0  
netdev\_register\_kobject+0x333/0x400  
register\_netdevice+0xbe9/0x1390  
bond\_create+0xb4/0x120  
bonding\_init+0x9f/0x114  
do\_one\_initcall+0xfe/0x650  
kernel\_init\_freeable+0x6c3/0x74c  
kernel\_init+0x1a/0x1d0  
ret\_from\_fork+0x1f/0x30

The buggy address belongs to the object at ffff888106fc3000  
which belongs to the cache kernfs\_node\_cache of size 168  
The buggy address is located 3 bytes to the right of  
168-byte region \[ffff888106fc3000, ffff888106fc30a8)

The buggy address belongs to the physical page:  
page:ffffea00041bf0c0 refcount:1 mapcount:0 mapping:0000000000000000  
index:0x0 pfn:0x106fc3  
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)  
raw: 057ff00000000200 ffffea00041bc848 ffffea00041a9fc8 ffff88810006f200  
raw: 0000000000000000 ffff888106fc3000 0000000100000011 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Unmovable, gfp\_mask  
0x2420c0(\_\_GFP\_IO|\_\_GFP\_FS|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_THISNODE),  
pid 1, tgid 1 (swapper/0), ts 8385653965, free\_ts 0  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc+0xb69/0xcc0  
\_\_kernfs\_new\_node+0xd4/0x8b0  
kernfs\_new\_node+0x93/0x120  
kernfs\_create\_dir\_ns+0x48/0x150  
sysfs\_create\_dir\_ns+0x127/0x290  
kobject\_add\_internal+0x2c9/0x8f0  
kobject\_init\_and\_add+0x101/0x160  
net\_rx\_queue\_update\_kobjects+0x264/0x510  
netdev\_register\_kobject+0x278/0x400  
register\_netdevice+0xbe9/0x1390  
bond\_create+0xb4/0x120  
bonding\_init+0x9f/0x114  
page\_owner free stack trace missing

Memory state around the buggy address:  
ffff888106fc2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
ffff888106fc3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\>ffff888106fc3080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00  
^  
ffff888106fc3100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
ffff888106fc3180: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00  
\==================================================================

Tag

#ios