AN-Master / google-security-research

Automatically exported from code.google.com/p/google-security-research

Windows kernel: use-after-free with UserCommitDesktopMemory #335

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

I reproduced the blue screen immediately in my Win 7 32-bit VM.

---
Freed memory is accessed after switching between two desktops of which one is 
closed. The testcase crashes with and without special pool enabled. The 
attached crash output is with special pool enabled on win32k.sys and ntoskrnl.sys.

---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 17 Apr 2015 at 6:32

GoogleCodeExporter commented 8 years ago

Original comment by cev...@google.com on 17 Apr 2015 at 6:32

GoogleCodeExporter commented 8 years ago

Original comment by cev...@google.com on 23 Apr 2015 at 2:38

GoogleCodeExporter commented 8 years ago

Original comment by cev...@google.com on 24 Apr 2015 at 12:18

GoogleCodeExporter commented 8 years ago

Original comment by haw...@google.com on 17 Jul 2015 at 7:27

GoogleCodeExporter commented 8 years ago
Fixed in MS15-073

Original comment by haw...@google.com on 17 Jul 2015 at 7:28

GoogleCodeExporter commented 8 years ago

Original comment by haw...@google.com on 21 Sep 2015 at 9:49