Windows kernel: buffer overflow in NtGdiBitBlt

lovekurdt / google-security-research

Automatically exported from code.google.com/p/google-security-research

0 stars 0 forks source link

Windows kernel: buffer overflow in NtGdiBitBlt #474

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
The attached PoC triggers a buffer overflow in the NtGdiBitBlt system call. 
It reproduces reliable on Win 7 32-bit with Special Pool enabled on win32k.sys

---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 6 Jul 2015 at 6:56

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 6 Jul 2015 at 8:23

Added labels: Id-30597

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 21 Aug 2015 at 6:58

GoogleCodeExporter commented 9 years ago

Fixed in September bulletin MS15-097

Original comment by haw...@google.com on 21 Sep 2015 at 8:42

Changed state: Fixed
Added labels: CVE-2015-2511

GoogleCodeExporter commented 9 years ago

Accounting mixup - this is not CVE-2015-2511

Original comment by haw...@google.com on 21 Sep 2015 at 8:45

Changed state: New
Removed labels: CVE-2015-2511

GoogleCodeExporter commented 9 years ago

Fixed in September bulletin

From MSRC: "This was fixed on 9/8 as part of hardening work we did when we 
fixed CVE-2015-2512"

Original comment by haw...@google.com on 23 Sep 2015 at 8:11

Changed state: Fixed
Removed labels: Restrict-View-Commit