Starred by 5 users
Status: Fixed
Closed: Aug 2015
atmfd NamedEscape(0x2514) buffer-underflow vulnerability
Reported by taviso@google.com (Project Member), Jul 2 2015

A buffer-underflow vulnerability exists when using NamedEscape(0x2514) in atmfd.

kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`059e8458 fffff800`02ac4e69 : 00000000`0000003b 00000000`c0000005 fffff960`00197fac fffff880`059e8d20 : nt!KeBugCheckEx
fffff880`059e8460 fffff800`02ac47bc : fffff880`059e94c8 fffff880`059e8d20 00000000`00000000 fffff800`02af1630 : nt!KiBugCheckDispatch+0x69
fffff880`059e85a0 fffff800`02af113d : fffff800`02ceb248 fffff800`02c23514 fffff800`02a51000 fffff880`059e94c8 : nt!KiSystemServiceHandler+0x7c
fffff880`059e85e0 fffff800`02aeff15 : fffff800`02c1931c fffff880`059e8658 fffff880`059e94c8 fffff800`02a51000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`059e8610 fffff800`02b00e81 : fffff880`059e94c8 fffff880`059e8d20 fffff880`00000000 00000000`00000001 : nt!RtlDispatchException+0x415
fffff880`059e8cf0 fffff800`02ac4f42 : fffff880`059e94c8 00000000`00000000 fffff880`059e9570 fffff900`c3f81000 : nt!KiDispatchException+0x135
fffff880`059e9390 fffff800`02ac3aba : 00000000`00000000 00000000`00000008 00000000`00000400 00000000`00000000 : nt!KiExceptionDispatch+0xc2
fffff880`059e9570 fffff960`00197fac : 00000000`00000001 fffff900`c3f81000 00000000`00000001 42424242`41414141 : nt!KiPageFault+0x23a (TrapFrame @ fffff880`059e9570)
fffff880`059e9700 fffff960`001a0411 : 00000000`00000000 00000000`00000001 fffff900`c3f81000 fffff900`00000000 : win32k!SURFACE::bDeleteSurface+0x264
fffff880`059e9850 fffff960`00197940 : 00000000`00000bac 00000000`00000000 fffff900`c1e05330 fffff900`00000000 : win32k!NtGdiCloseProcess+0x2c9
fffff880`059e98b0 fffff960`00197087 : 00000000`00000000 00000000`00000001 fffffa80`074d7b50 00000000`00000001 : win32k!GdiProcessCallout+0x200
fffff880`059e9930 fffff800`02d990cd : 00000000`00000000 00000000`00000000 00000000`00000000 fffffa80`074d7b00 : win32k!W32pProcessCallout+0x6b
fffff880`059e9960 fffff800`02d7d2b0 : 00000000`00000000 00000000`00000001 fffffa80`06f42600 00000000`00000000 : nt!PspExitThread+0x4d1
fffff880`059e9a60 fffff800`02ac4b53 : fffffa80`06f426e0 fffff880`00000000 fffffa80`074d7b50 00000000`00000000 : nt!NtTerminateProcess+0x138
fffff880`059e9ae0 00000000`76f5de7a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`059e9ae0)
00000000`0008e318 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76f5de7a


This bug is subject to a 7-day disclosure deadline, as the issue is being exploited in the wild. If 7 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

A small testcase is attached.
 
Attachments: test.c (6.5 KB), fontdata.h (3.6 MB)
Comment 1 by cevans@google.com, Jul 9 2015
Labels: -Restrict-View-Commit -Severity-critical -Deadline-90 Deadline-Exceeded Severity-High Deadline-7
Deadline exceeded -- automatically derestricting

The 7-day deadline for actively exploited issues has expired.

In this specific instance, there's not much new information revealed because a full exploit has already been published elsewhere on the internet.
Comment 2 by hawkes@google.com (Project Member), Aug 14 2015
Status: Fixed
Fixed in MS15-077