NVIDIA: Unchecked input/output lengths in UVMLiteController ioctl handling
Reported by email@example.com, Jul 26 2016
The \\.\UVMLiteController device is created by the nvlddmkm.sys driver, and can be opened by any user. The driver handles various control codes for this device, but there is no validation for the input/output buffer and their sizes. In addition to potential overreads on the input, the driver writes output directly to Irp->UserBuffer, which is the output pointer passed to DeviceIoControl() by the user. The IO control codes handled specify METHOD_BUFFERED, but the kernel does no validation that the output pointer is accessible by the user process if the user passes an output buffer size of 0. This means that a user mode program can cause a write of (at least) the 32-bit values 0 or 31, or the 8-bit value 0 to any address given to the driver. A PoC is attached that causes a bsod when the kernel tries to write to 0x4141414141414141. This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Jul 26 2016,
(Minor correction, the PoC writes to 0x4141414141414141+0x30). This is tested on Windows 10 x64 with 368.81 (latest at time of writing).
Jul 28 2016,
Sep 29 2016,
Oct 6 2016,
simple local privesc exploit.
Oct 27 2016,
NVIDIA expects to release details of fix tomorrow.
Oct 28 2016,
Fixed. Bulletin: http://nvidia.custhelp.com/app/answers/detail/a_id/4247
Sign in to add a comment