-
```
The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel
allocated in the ::gstqCreateInfoMethod.
In the ::start method this field is initialized to NULL. The IGAccelDevice
extern…
```
-
```
The OS* data types (OSArray etc) are explicitly not thread safe; they rely on
their callers to implement the required locking
to serialize all accesses and manipulations of them. By sending two sp…
```
-
On OSX El Capitan.
```
~/dev/cli
*** Testing stage2... ***
Publishing E2E for DNXCore,Version=v5.0/osx.10.10-x64
Compiling Microsoft.Extensions.DependencyModel for DNXCore,Version=v5.0
Unhandled Ex…
```
-
```
Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an
exploitable kernel NULL dereference.
Tested on OS X 10.11 ElCapitan (15a284) on MacBookAir5,2
```
Original issue reported …
-
```
The hv_space lock group gets an extra ref dropped when you kill a process with
an AppleHV userclient;
one via IOService::terminateWorker calling the AppleHVClient::free method
(which calls lck_r…
```
-
```
Kernel UaF due to audit session port failing to correctly account for spoofed
no-more-senders notifications
Tested on ElCapitan 10.11 (15a284) on MacBookAir 5,2
```
Original issue reported on c…
-
```
Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders
notifications
repro: while true; do ./iospoof_ig_7; done
Tested on ElCapitan 10.11 (15a284) on MacBookAir 5,2
```
Origi…