Status: Fixed
Closed: Apr 2016
Hyper-V vmswitch.sys VmsPtpIpsecTranslateAddv2toAddv2Ex OOBR Guest to Host BugCheck
Project Member Reported by kost...@google.com, Jan 4 2016
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

This function is reachable from the Guest by sending an RNDIS Set request with OID 0xFC030202 (OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA) to the Host.

The associated structure IPSEC_OFFLOAD_V2_ADD_SA is defined here: https://msdn.microsoft.com/en-us/library/windows/hardware/ff556977(v=vs.85).aspx

Issue #3:

As the function name hints, it translates a V2 ADD structure into a V2 ADD EX one. While the function properly sizes its destination allocation from the guest-supplied KeyLength member, it never checks that KeyLength bytes of key data actually lie within the source buffer (the RNDIS message received from the Guest) before copying them.

.text:0000000000062C62 mov ecx, [rdi+0A4h] ; IPSEC_OFFLOAD_V2_ADD_SA.KeyLength
.text:0000000000062C68 mov dword ptr [rbx+0A0h], 0B0h
.text:0000000000062C72 lea rdx, [rdi+0A8h] ; Src
.text:0000000000062C79 mov [rbx+9Ch], ecx
.text:0000000000062C7F mov r8d, [rdi+0A4h] ; Size
.text:0000000000062C86 lea rcx, [rbx+0B0h] ; Dst
.text:0000000000062C8D call memmove

This results in a ring-0 (R0) out-of-bounds read (OOBR) that leads to a BugCheck within vmswitch.sys on the Host.

Please note that this issue has been silently fixed in Windows Server 2016 TP4 (and maybe prior).
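The following C model is an added example, not code from the report or from vmswitch.sys. It reproduces the shape of the bug (a memmove whose length comes from the guest-controlled KeyLength field with no check against the size of the received message) next to a checked translation that rejects the message instead. The offsets 0xA4, 0xA8, 0x9C, 0xA0 and 0xB0 are the ones visible in the disassembly above; the rest of the buffer layout is a simplified stand-in for IPSEC_OFFLOAD_V2_ADD_SA and its EX variant and is an assumption, as are the function names and the constructed test messages.

```c
/* Added example (not the report's or Microsoft's code). Models the
 * unchecked memmove in VmsPtpIpsecTranslateAddv2toAddv2Ex beside a
 * bounds-checked version. Offsets come from the disassembly in the
 * report; the buffer layout around them is a simplified stand-in for
 * IPSEC_OFFLOAD_V2_ADD_SA and its EX variant (assumption). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define V2_KEYLEN_OFF 0xA4u  /* IPSEC_OFFLOAD_V2_ADD_SA.KeyLength */
#define V2_KEY_OFF    0xA8u  /* key bytes follow KeyLength in the V2 struct */
#define EX_KEYLEN_OFF 0x9Cu  /* where the EX copy stores KeyLength */
#define EX_KEYOFF_OFF 0xA0u  /* where the EX copy stores the key offset (0xB0) */
#define EX_KEY_OFF    0xB0u  /* key bytes in the EX struct */

typedef struct { uint8_t *buf; size_t len; } ex_sa_t;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Vulnerable shape: the allocation is sized from KeyLength (correct),
 * but the memmove trusts KeyLength to describe bytes that are actually
 * present in src. A guest-controlled KeyLength larger than the RNDIS
 * message reads past the end of the message buffer. Never call this on
 * untrusted input. */
static ex_sa_t translate_unchecked(const uint8_t *src)
{
    ex_sa_t out = { NULL, 0 };
    uint32_t keylen = rd32(src + V2_KEYLEN_OFF);
    out.len = EX_KEY_OFF + keylen;
    out.buf = calloc(1, out.len);
    if (out.buf == NULL) return out;
    wr32(out.buf + EX_KEYLEN_OFF, keylen);
    wr32(out.buf + EX_KEYOFF_OFF, EX_KEY_OFF);
    /* OOB read when keylen > (message length - 0xA8) */
    memmove(out.buf + EX_KEY_OFF, src + V2_KEY_OFF, keylen);
    return out;
}

/* Hardened: take the length of the RNDIS Set payload that actually
 * arrived and refuse any KeyLength the buffer cannot contain. Returns 0
 * on success, -1 for a malformed message, -2 on allocation failure. */
static int translate_checked(const uint8_t *src, size_t src_len, ex_sa_t *out)
{
    out->buf = NULL; out->len = 0;
    if (src_len < V2_KEY_OFF) return -1;            /* header itself truncated */
    uint32_t keylen = rd32(src + V2_KEYLEN_OFF);
    if (keylen > src_len - V2_KEY_OFF) return -1;   /* key would run past end of message */
    if (keylen > SIZE_MAX - EX_KEY_OFF) return -1;  /* allocation size would wrap */
    *out = translate_unchecked(src);                /* every read is now in bounds */
    return out->buf ? 0 : -2;
}

/* Constructed test message: a V2 ADD_SA buffer whose header claims
 * claimed_keylen bytes of key while only `present` bytes follow it. */
static uint8_t *build_v2_add_sa(uint32_t claimed_keylen, const uint8_t *key,
                                size_t present, size_t *msg_len)
{
    *msg_len = V2_KEY_OFF + present;
    uint8_t *msg = calloc(1, *msg_len);
    if (msg == NULL) return NULL;
    wr32(msg + V2_KEYLEN_OFF, claimed_keylen);
    memcpy(msg + V2_KEY_OFF, key, present);
    return msg;
}

/* Runs an honest message, a hostile one and a truncated one through the
 * checked path. Returns 0 when all expectations hold; otherwise a bitmask
 * naming the failed expectation. */
static int demo_checks(void)
{
    static const uint8_t key[16] = "0123456789abcde";  /* 15 chars + NUL */
    int failed = 0;
    size_t len;
    ex_sa_t ex;

    /* Honest: KeyLength == 16 and 16 key bytes are present. */
    uint8_t *ok = build_v2_add_sa(16, key, sizeof key, &len);
    if (translate_checked(ok, len, &ex) != 0) failed |= 1;
    else {
        if (ex.len != EX_KEY_OFF + 16) failed |= 2;
        if (rd32(ex.buf + EX_KEYLEN_OFF) != 16 ||
            rd32(ex.buf + EX_KEYOFF_OFF) != EX_KEY_OFF) failed |= 4;
        if (memcmp(ex.buf + EX_KEY_OFF, key, 16) != 0) failed |= 8;
        free(ex.buf);
    }
    free(ok);

    /* Hostile: KeyLength claims 4096 bytes but only 16 were sent. */
    uint8_t *bad = build_v2_add_sa(4096, key, sizeof key, &len);
    if (translate_checked(bad, len, &ex) != -1 || ex.buf != NULL) failed |= 16;
    free(bad);

    /* Truncated: message shorter than the KeyLength field itself. */
    uint8_t tiny[8] = {0};
    if (translate_checked(tiny, sizeof tiny, &ex) != -1) failed |= 32;
    return failed;
}

int main(void)
{
    int r = demo_checks();
    printf("%s (0x%x)\n", r == 0 ? "all checks passed" : "check failed", r);
    return r != 0;
}
```

The check that matters is the one in translate_checked: the host has to compare the guest's KeyLength against the number of bytes that actually arrived in the RNDIS Set request, not just use it to size the destination. The unchecked version is left in so the two can be read side by side; only the checked path is exercised on the hostile input.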


 
Project Member Comment 1 by kost...@google.com, Jan 4 2016
Summary: Hyper-V vmswitch.sys VmsPtpIpsecTranslateAddv2toAddv2Ex OOBR Guest to Host BugCheck (was: VmsPtpIpsecTranslateAddv2toAddv2Ex OOBR Guest to Host BugCheck)
Project Member Comment 2 by kost...@google.com, Apr 5 2016
Labels: Deadline-Grace
Project Member Comment 3 by kost...@google.com, Apr 19 2016
Labels: -Restrict-View-Commit
Project Member Comment 4 by kost...@google.com, Apr 19 2016
Status: Fixed