search

bingghost / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Windows Cursor object potential memory leak #510

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
The attached poc crashes 32-bit Windows 7 with a screen resolution of 1024x768 
and 32bit color depth. The crash occurs during a memmove opperation while 
copying the cursor content from unmapped memory. This could potentially be used 
by an attacker to leak kernel memory.

When reproducing this issue in VMWare, it is necessary to remove VMWare tools. 
In QEMU the issue reproduces reliably.

---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 27 Aug 2015 at 6:08

Attachments:

GoogleCodeExporter commented 8 years ago 
Fixed in MS15-115

Original comment by haw...@google.com on 20 Nov 2015 at 7:29