Status: Fixed
Closed: Jul 2015
Windows kernel: DeferWindowPos use-after-free
Reported by cevans@google.com, Apr 23 2015
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

I reproduced the blue screen immediately in my Win 7 32-bit VM.

---
The attached PoC demonstrates a use-after-free condition that occurs when operating on a DeferWindowPos object from multiple threads. The DeferWindowPos() call will trigger and block on the execution of a window procedure in a separate thread, from which we call EndDeferWindowPos on the same handle. specialpool.txt contains the debugger output with Special Pool enabled, crash.txt the debugger output without Special Pool.
---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
crash339.txt (1.9 KB)
bug339.cpp (4.2 KB)
specialpool339.txt (9.4 KB)
Project Member Comment 1 by hawkes@google.com, Jul 17 2015
Labels: CVE-2015-2366
Status: Fixed
Project Member Comment 2 by hawkes@google.com, Jul 17 2015
Fixed in MS15-073
Project Member Comment 3 by hawkes@google.com, Sep 21 2015
Labels: -Restrict-View-Commit