Windows kernel: pool buffer overflows in NtGdiStretchBlt

GoogleCodeExporter commented 8 years ago

Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
Tested on Win 7 32-bit with Special Pool enabled. 

Multiple pool buffer overflows can be triggered through the NtGdiStretchBlt 
system call. The attached PoC demonstrates a write overflow and another read 
over flow issue which is likely to be usable for memory leaks (enabled by 
uncommenting the first NtGdiStretchBlt call).

---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 29 May 2015 at 8:23

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by cev...@google.com on 29 May 2015 at 9:22

Added labels: Id-30336

GoogleCodeExporter commented 8 years ago

10 day grace period extension. Patch targeted for 09/08 (September Patch 
Tuesday).

Original comment by cev...@google.com on 30 Jul 2015 at 5:34

Added labels: Deadline-Exceeded, Deadline-Grace

GoogleCodeExporter commented 8 years ago

Original comment by haw...@google.com on 21 Aug 2015 at 6:58

GoogleCodeExporter commented 8 years ago

Fixed in September bulletin MS15-097.

Original comment by haw...@google.com on 21 Sep 2015 at 8:39

Changed state: Fixed
Added labels: CVE-2015-2512

GoogleCodeExporter commented 8 years ago

Original comment by haw...@google.com on 21 Sep 2015 at 9:36

Removed labels: Restrict-View-Commit

lovekurdt / google-security-research

Windows kernel: pool buffer overflows in NtGdiStretchBlt #415