New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Issue 313
Starred by 2 users
Status: Fixed
Owner:
cevans@google.com
Email to this user bounced
Closed: Jun 2015
Cc:
nils.som...@gmail.com
project-...@google.com



Sign in to add a comment
 Windows kernel: buffer overflow in win32k!vSolidFillRect
Reported by cevans@google.com, Mar 31 2015 Back to list 
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

I confirmed this myself in a Win7 32-bit VM (2048MB RAM).

---
The PoC triggers a pool buffer overflow in win32k!vSolidFillRect. ​When using Special Pool we get the crash immediately on the overwrite. Without Special Pool we often get a crash in the same function, but sometimes it crashes in a different function (similar to another issue, however with a different offset). This might be a result of the memory corruption or an out-of-memory condition before the overflow is triggered. Debugger output for all three different crashes attached.
---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
no_special_pool313.txt
8.1 KB View Download
bug313.cpp
2.1 KB Download
different_crash313.txt
493 bytes View Download
special_pool_crash313.txt
8.5 KB View Download
Comment 1 by cevans@google.com, Mar 31 2015
Labels: Id-21829
Comment 2 by cevans@google.com, Jun 4 2015
Labels: CVE-2015-1725
Same root cause as https://code.google.com/p/google-security-research/issues/detail?id=312, according to Microsoft. CVE shared.
Project Member Comment 4 by hawkes@google.com, Sep 21 2015
Labels: -Restrict-View-Commit
Sign in to add a comment