Windows kernel: use-after-free with cursor object

[GoogleCodeExporter]

Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

I confirm the apparent vulnerability on Win 7 32-bit, with special pool 
enabled. I run the .exe just once from the command prompt and immediately my VM 
dies, but in a strange way: it looks like it's about to do a blue screen and 
there is a video mode change but it hangs at a black screen.

Nils did get a debug dump, attached.

---
The attached testcase crashes Win 7 with Special Pool enabled while accessing 
the freed global cursor object (_gpqCursor​). See poc.cpp for instructions on 
how to compile and run.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

---

Original issue reported on code.google.com by cev...@google.com on 22 Jun 2015 at 9:48

Attachments:

• poc457.cpp
• special_pool457.txt

[GoogleCodeExporter]

Original comment by cev...@google.com on 22 Jun 2015 at 10:00

• Added labels: Product-Windows-Kernel, Vendor-Microsoft
• Removed labels: Product-Kernel, Vendor-Windows

[GoogleCodeExporter]

MSRC Case 30496 TRK:0001801

Original comment by cev...@google.com on 22 Jun 2015 at 11:42

• Added labels: Id-30496

[GoogleCodeExporter]

Original comment by haw...@google.com on 21 Aug 2015 at 6:59

[GoogleCodeExporter]

Original comment by haw...@google.com on 10 Sep 2015 at 4:26

• Changed state: Fixed
• Added labels: CVE-2015-2517

[GoogleCodeExporter]

Fixed in September bulletin MS15-097.

Original comment by haw...@google.com on 21 Sep 2015 at 9:38

• Removed labels: Restrict-View-Commit