search

sportsboy / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Windows kernel NtUserScrollDC memory corruption #508

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
The attached testcases crashes Windows 7 x86 with Special Pool enabled on 
win32k. The crash occurs while accessing unmapped memory. The bogus address is 
returned by a call to _FastWindowFromDC​. This is likely to be a freed window 
object.

---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 21 Aug 2015 at 1:15

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by haw...@google.com on 21 Aug 2015 at 6:10

GoogleCodeExporter commented 8 years ago 
From Microsoft: "Our investigations indicate that this is not an exploitable 
UAF and hits the bar for a next version fix. We have opened a bug in the next 
version of the product for the core team to evaluate."

Original comment by haw...@google.com on 20 Nov 2015 at 7:29