335 - Windows kernel: use-after-free with UserCommitDesktopMemory - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Jul 2015
Cc:	█ nils.som...@gmail.com project-...@google.com
Finder-nils Deadline-90 Reported-2015-Apr-22 Product-Windows-Kernel CCProjectZeroMembers Id-30053 Severity-High CVE-2015-2365 Vendor-Microsoft

Windows kernel: use-after-free with UserCommitDesktopMemory

Reported by cevans@google.com, Apr 17 2015

Back to list

Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

I reproduced the blue screen immediately in my Win 7 32-bit VM.

---
Freed memory is accessed after switching between two desktops of which one is closed. The testcase crashes with and without special pool enabled. The attached crash output is with special enabled on win32k.sys and ntoskrnl.sys.
---


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

bug335.cpp
1.1 KB Download

specialpool335.txt
7.2 KB View Download

Comment 1 by cevans@google.com, Apr 17 2015

Cc: nils.som...@gmail.com

Comment 2 by cevans@google.com, Apr 23 2015

Labels: -Reported-2015-Apr-17 Reported-2015-Apr-22

Comment 3 by cevans@google.com, Apr 24 2015

Labels: Id-30053

Project Member Comment 4 by hawkes@google.com, Jul 17 2015

Labels: CVE-2015-2365
Status: Fixed

Project Member Comment 5 by hawkes@google.com, Jul 17 2015

Fixed in MS15-073

Project Member Comment 6 by hawkes@google.com, Sep 21 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment