New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Issue 474
Starred by 2 users
Status: Fixed
Owner:
hawkes@google.com
Closed: Sep 2015
Cc:
nils.som...@gmail.com
project-...@google.com



Sign in to add a comment
 Windows kernel: buffer overflow in NtGdiBitBlt
Reported by cevans@google.com, Jul 6 2015 Back to list 
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
The attached PoC triggers a buffer overflow in the NtGdiBitBlt​ system call. It reproduces reliable on Win 7 32-bit with Special Pool enabled on win32k.sys
---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
bug474.cpp
1.9 KB Download
special_pool474.txt
6.1 KB View Download
Comment 1 by cevans@google.com, Jul 6 2015
Labels: Id-30597
Project Member Comment 2 by hawkes@google.com, Aug 21 2015
Owner: hawkes@google.com
Project Member Comment 3 by hawkes@google.com, Sep 21 2015
Labels: CVE-2015-2511
Status: Fixed
Fixed in September bulletin MS15-097
Project Member Comment 4 by hawkes@google.com, Sep 21 2015
Labels: -CVE-2015-2511
Status: New
Accounting mixup - this is not CVE-2015-2511
Project Member Comment 5 by hawkes@google.com, Sep 23 2015
Labels: -Restrict-View-Commit
Status: Fixed
Fixed in September bulletin

From MSRC: "This was fixed on 9/8 as part of hardening work we did when we fixed CVE-2015-2512"
Sign in to add a comment