Windows kernel use-after-free with device contexts and NtGdiSelectBitmap

GoogleCodeExporter commented 8 years ago

Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
The attached testcase triggers a use-after-free condition in win32k. The 
attached debugger output was triggered on Windows 7 with Special Pool enabled 
on win32k.sys. 

---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 17 Aug 2015 at 7:45

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by haw...@google.com on 7 Oct 2015 at 12:44

Added labels: MSRC-30922

GoogleCodeExporter commented 8 years ago

Fixed in MS15-115

Original comment by haw...@google.com on 20 Nov 2015 at 7:29

Changed state: Fixed
Added labels: CVE-2015-6100
Removed labels: Restrict-View-Commit

bingghost / google-security-research

Windows kernel use-after-free with device contexts and NtGdiSelectBitmap #505