685 - Windows kernel: NtGdiGetTextExtentExW out-of-bounds memory read - project-zero

Starred by 1 user

Status:	Fixed
Owner:	hawkes@google.com
Closed:	Mar 2016
Cc:	█ nils.som...@gmail.com project-...@google.com
Finder-nils Deadline-90 Reported-2015-Dec-22 Product-Windows CCProjectZeroMembers Severity-High Vendor-Microsoft CVE-2016-0093

Windows kernel: NtGdiGetTextExtentExW out-of-bounds memory read

Project Member Reported by hawkes@google.com, Dec 23 2015

Back to list

Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
The attached Proof-of-Concept crashes Windows 7 with special pool enabled on win32k.sys. The crash is due accessing memory past the end of a buffer.
---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

special_pool.txt
7.5 KB View Download

poc_p3_02.cpp
5.3 KB Download

Project Member Comment 1 by hawkes@google.com, Dec 23 2015

Cc: nils.som...@gmail.com

Project Member Comment 2 by hawkes@google.com, Mar 31 2016

Labels: -Restrict-View-Commit -Finder-Nils Finder-nils CVE-2016-0093
Status: Fixed

► Sign in to add a comment