Status: Fixed
Closed: Jul 2015
Windows kernel: use-after-free with UserCommitDesktopMemory
Reported by cevans@google.com, Apr 17 2015
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

I reproduced the blue screen immediately in my Win 7 32-bit VM.

---
Freed memory is accessed after switching between two desktops of which one is closed. The testcase crashes with and without special pool enabled. The attached crash output is with special pool enabled on win32k.sys and ntoskrnl.sys.
---


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
Attachments: bug335.cpp (1.1 KB), specialpool335.txt (7.2 KB)
Comment 1 by cevans@google.com, Apr 17 2015
Cc: nils.som...@gmail.com
Comment 2 by cevans@google.com, Apr 23 2015
Labels: -Reported-2015-Apr-17 Reported-2015-Apr-22
Comment 3 by cevans@google.com, Apr 24 2015
Labels: Id-30053
Project Member Comment 4 by hawkes@google.com, Jul 17 2015
Labels: CVE-2015-2365
Status: Fixed
Project Member Comment 5 by hawkes@google.com, Jul 17 2015
Fixed in MS15-073
Project Member Comment 6 by hawkes@google.com, Sep 21 2015
Labels: -Restrict-View-Commit