atmfd NamedEscape(0x2514) buffer-underflow vulnerability

[GoogleCodeExporter]

A buffer-underflow vulnerability exists when using NamedEscape(0x2514) in atmfd.

kd> kv
Child-SP          RetAddr           : Args to Child                             
                              : Call Site
fffff880`059e8458 fffff800`02ac4e69 : 00000000`0000003b 00000000`c0000005 
fffff960`00197fac fffff880`059e8d20 : nt!KeBugCheckEx
fffff880`059e8460 fffff800`02ac47bc : fffff880`059e94c8 fffff880`059e8d20 
00000000`00000000 fffff800`02af1630 : nt!KiBugCheckDispatch+0x69
fffff880`059e85a0 fffff800`02af113d : fffff800`02ceb248 fffff800`02c23514 
fffff800`02a51000 fffff880`059e94c8 : nt!KiSystemServiceHandler+0x7c
fffff880`059e85e0 fffff800`02aeff15 : fffff800`02c1931c fffff880`059e8658 
fffff880`059e94c8 fffff800`02a51000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`059e8610 fffff800`02b00e81 : fffff880`059e94c8 fffff880`059e8d20 
fffff880`00000000 00000000`00000001 : nt!RtlDispatchException+0x415
fffff880`059e8cf0 fffff800`02ac4f42 : fffff880`059e94c8 00000000`00000000 
fffff880`059e9570 fffff900`c3f81000 : nt!KiDispatchException+0x135
fffff880`059e9390 fffff800`02ac3aba : 00000000`00000000 00000000`00000008 
00000000`00000400 00000000`00000000 : nt!KiExceptionDispatch+0xc2
fffff880`059e9570 fffff960`00197fac : 00000000`00000001 fffff900`c3f81000 
00000000`00000001 42424242`41414141 : nt!KiPageFault+0x23a (TrapFrame @ 
fffff880`059e9570)
fffff880`059e9700 fffff960`001a0411 : 00000000`00000000 00000000`00000001 
fffff900`c3f81000 fffff900`00000000 : win32k!SURFACE::bDeleteSurface+0x264
fffff880`059e9850 fffff960`00197940 : 00000000`00000bac 00000000`00000000 
fffff900`c1e05330 fffff900`00000000 : win32k!NtGdiCloseProcess+0x2c9
fffff880`059e98b0 fffff960`00197087 : 00000000`00000000 00000000`00000001 
fffffa80`074d7b50 00000000`00000001 : win32k!GdiProcessCallout+0x200
fffff880`059e9930 fffff800`02d990cd : 00000000`00000000 00000000`00000000 
00000000`00000000 fffffa80`074d7b00 : win32k!W32pProcessCallout+0x6b
fffff880`059e9960 fffff800`02d7d2b0 : 00000000`00000000 00000000`00000001 
fffffa80`06f42600 00000000`00000000 : nt!PspExitThread+0x4d1
fffff880`059e9a60 fffff800`02ac4b53 : fffffa80`06f426e0 fffff880`00000000 
fffffa80`074d7b50 00000000`00000000 : nt!NtTerminateProcess+0x138
fffff880`059e9ae0 00000000`76f5de7a : 00000000`00000000 00000000`00000000 
00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame 
@ fffff880`059e9ae0)
00000000`0008e318 00000000`00000000 : 00000000`00000000 00000000`00000000 
00000000`00000000 00000000`00000000 : 0x76f5de7a

This bug is subject to a 7 day disclosure deadline, as the issue is being 
exploited in the wild. If 7 days elapse without a broadly available patch, then 
the bug report will automatically become visible to the public.

A small testcase is attached.

Original issue reported on code.google.com by tav...@google.com on 2 Jul 2015 at 1:33

Attachments:

• test.c
• fontdata.h

[GoogleCodeExporter]

Deadline exceeded -- automatically derestricting

The 7-day deadline for actively exploited issues has expired.

In this specific instance, there's not much new information revealed because a 
full exploit has already been published elsewhere on the internet.

Original comment by cev...@google.com on 9 Jul 2015 at 12:20

• Added labels: Deadline-7, Deadline-Exceeded, Severity-High
• Removed labels: Deadline-90, Restrict-View-Commit, Severity-critical

[GoogleCodeExporter]

Fixed in MS15-077

Original comment by haw...@google.com on 14 Aug 2015 at 4:59

• Changed state: Fixed