Joshua J. Drake jduck
Script started on Mon 16 Mar 2015 10:42:04 PM CDT
duoct:0:~$ cd work
duoct:0:~/work$ ls -l fread-intof.c
-rw------- 1 jdrake jdrake 500 Jun 13 2013 fread-intof.c
duoct:0:~/work$ cat fread-intof.c
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
int
{
"lang": "en",
"retweeted": false,
"favorited": false,
"entities": {
"urls": [],
"user_mentions": [
{
"indices": [
0,
--- crackaddr-bad.c.1 2011-08-25 14:37:47.000000000 -0500
+++ crackaddr-bad.c 2015-03-27 22:42:59.956804489 -0500
@@ -85,8 +85,11 @@
#include <string.h>
#include <ctype.h>
+#include <unistd.h>
+#include <fcntl.h>
+
/* ccured needs this */
commit 8f0ec1f9369b4199654a6dc5fd1b06268bdf0c15
Author: Linus Torvalds <torvalds@linuxfoundation.org>
Date: Fri Nov 23 15:10:12 2007 -0500
Import 1.3.22
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 0339895..c9999f1 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
From e746bacbf150fad31628357a4be27167d1060bcc Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake" <android-open-source@qoop.org>
Date: Thu, 13 Aug 2015 18:20:45 -0500
Subject: [PATCH] Prevent integer truncation in 'tx3g' processing
Whenever the length of an atom in an MPEG4 file is set to 1, a 64-bit length is
read from the atom's data and stored in the variable 'chunk_size'. A value
larger than SIZE_MAX could satisfy the check added in the previous patch and,
because the new[] operator only accepts 32-bit lengths on 32-bit platforms,
integer truncation can occur in the resulting allocation. Reject chunk_size
From 8f95773c9bcae728e3f753d99e2abebd41ae7060 Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake" <android-open-source@qoop.org>
Date: Sat, 15 Aug 2015 08:17:03 -0500
Subject: [PATCH] Prevent integer issues in ID3::Iterator::findFrame
Integer overflows could occur in a few places within findFrame. These can lead to
out-of-bounds reads and potentially infinite loops. Ensure that arithmetic does
not wrap around to prevent these behaviors.
Change-Id: I72a61df7d5719d1d3f2bd0b37fba86f0f4bbedee
From bb08d535f724f35849627f4a9f9f03f9143af2f0 Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake" <android-open-source@qoop.org>
Date: Sat, 15 Aug 2015 08:01:58 -0500
Subject: [PATCH] Prevent multiple memory corruption issues
Bounds checking within the ID3::removeUnsynchronizedV2_4 function was
erroneous. Several cases resulted in integer underflow or overflow. Prevent
these issues by ensuring key values are correct.
Change-Id: I83e6fcca905e901929aee528bf000f22de70f197
From cfd6ecdccd84f7a6da447f2873130038c0fddeee Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake" <github.jdrake@qoop.org>
Date: Tue, 27 Oct 2015 12:50:12 -0500
Subject: [PATCH] Enable KGDB support for hammerhead
1. Add RETRY support per kgdb-android repo
2. Implement poll support for ttyHSL driver
3. Add modified kernel config for KGDB
---
arch/arm/configs/hammerhead_kgdb_defconfig | 614 +++++++++++++++++++++++++++++
jduck / superuser_findings.txt
Last active December 16, 2015 00:40
Superuser 4.3 Audit Findings
Background
==========
In order to deal with the changes in Android 4.3, Koush modified his Superuser
application to use a daemon similar to Chainfire's SuperSU. In addition to being
part of the CyanogenMod Android distribution, Superuser is also available as an
App for other modern Android devices.
The Superuser daemon exposes a UNIX socket in /dev as:
/dev/com.koushikdutta.superuser.daemon/server
jduck / nexus-ota-updates-2016-01-01.md
Last active September 28, 2023 12:26
January 2016 Nexus OTA Updates - Security Level 2016-01-01