New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 3 users
Status: Fixed
Owner:
Closed: Sep 2015
Cc:



Sign in to add a comment
Windows kernel: pool buffer overflows in NtGdiStretchBlt
Reported by cevans@google.com, May 29 2015 Back to list
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
Tested on Win 7 32-bit with Special Pool enabled. 

Multiple pool buffer overflows can be triggered through the NtGdiStretchBlt system call. The attached PoC demonstrates a write overflow and another read over flow issue which is likely to be usable for memory leaks (enabled by uncommenting the first NtGdiStretchBlt call).
---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
bug415.cpp
942 bytes Download
windbg_read_overflow.txt
6.4 KB View Download
windbg_write_overflow.txt
7.1 KB View Download
Comment 1 by cevans@google.com, May 29 2015
Labels: Id-30336
Comment 2 by cevans@google.com, Jul 30 2015
Labels: Deadline-Exceeded Deadline-Grace
10 day grace period extension. Patch targeted for 09/08 (September Patch Tuesday).
Project Member Comment 3 by hawkes@google.com, Aug 21 2015
Owner: hawkes@google.com
Project Member Comment 4 by hawkes@google.com, Sep 21 2015
Labels: CVE-2015-2512
Status: Fixed
Fixed in September bulletin MS15-097.
Project Member Comment 5 by hawkes@google.com, Sep 21 2015
Labels: -Restrict-View-Commit
Sign in to add a comment