Today we're releasing hpke-ng: a clean-slate Rust implementation of HPKE (RFC 9180) and a drop-in replacement for Cryspen's hpke-rs, the subject of our critical nonce reuse vulnerability discovered in February.
Faster, smaller and more hardened than hpke-rs across every metric.
With @Hacker_Chai we just published our second blog post on Samsung security research! This one is about a local arbitrary APK install in Galaxy Store, combining a few vulns like a broken signature check, a file write, etc. Check it out here: https://t.co/nJkAr9gmjJ
To those interested, I mainly focus on the memory corruption side of vulnerability research / exploit dev, but after this Samsung stuff I also have a bit of experience with Android (i.e. Java, JNI, Binder, etc.)
Our second blog post is out here: https://t.co/mUjTMFpVqN ! We managed to install arbitrary APKs on the Samsung Galaxy S25 from an app without install permissions. For this, @SachaKozma did most of the work, but it was great looking into Samsung's cloud gaming component with him
From the looks of it, cloud gaming (i.e. games running on the cloud, streamed to your phone) may be coming in future for Samsung phones 👀. Idk what it's like now, but more stuff is being added
*free and pointer discarding. The dangling pointer exists for a fleeting moment during packet processing before it's gone. You'd think that's a memory leak then, but the ptr, if not freed then, is freed somewhere else, iirc. mbufs are kinda cool and my memory's hazy
Revisiting this UAF I found a while back in FreeBSD's pf firewall: https://t.co/3LzOQPc86m . Unlike some who find bugs in components nobody has touched for years with Claude and parade them around like they've found the bug of the century, we find bugs in code people actually use
Sadly, this one's probably unexploitable; I couldn't find a way to extend the gap between free and realloc, and FreeBSD's UMA allocator is not a fan of zone crossing, which means we most likely can only replace the dangling mbuf ptr with another mbuf
Did I mention I still have a remote kernel panic against all FreeBSD Wi-Fi users? (Again, probably quite little.) You're connected to Wi-Fi, receive my wireless frame, bam, panic. Marked duplicate (the previous guy barely had a PoC), not fixed
I know this stuff is old news, but I just recalled some of the minor bugs I found in FreeBSD in the past. If I had a PR team, each of these could be an "impressive find in a highly secure OS"