Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

Platform: Win7 32-bit.
trigger.cpp should fire the issue, with a caveat
- PoC might NOT work if compiled as a debug build.

windbg.txt is a sample crash log.

Analysis from Nils:

---
please find attached a C trigger, windbg output and the minimised testcase of a null pointer issue (exploitable on Win 7 32-bit). The trigger also demonstrates that the null page can be mapped in user mode and accessed from kernel mode.

Quick analysis:

The trigger creates a new window station which is freed during the process clean up. Through the clipboard operations the window's last reference is hold by the clipboard which is freed during the clean up of the window station object. This will also result in destroying the window object at a time where _gptiCurrent​ (threadinfo) is already set to null. This is used in xxxDestroyWindow in multiple locations. Depending on the window type it is potentially possible to trigger different kinds of crashes, this one demonstrates a write to a chosen memory location:

win32k!HMChangeOwnerThread+0x40:
96979765 ff412c          inc     dword ptr [ecx+2Ch]  ds:0023:bebebeea=????????
---


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 

trigger (1).cpp 2.0 KB Download

windbg.txt 8.0 KB View Download