New issue
Advanced search Search tips
Starred by 2 users

Issue metadata

Status: Fixed
Closed: Oct 2016

Sign in to add a comment

Issue 880: NVIDIA: Unchecked input/output lengths in UVMLiteController ioctl handling

Reported by, Jul 26 2016

Issue description

The \\.\UVMLiteController device is created by the nvlddmkm.sys driver, and can be opened by any user. The driver handles various control codes for this device, but there is no validation for the input/output buffer and their sizes.

In addition to potential overreads on the input, the driver writes output directly to Irp->UserBuffer, which is the output pointer passed to DeviceIoControl() by the user. The IO control codes handled specify METHOD_BUFFERED, but the kernel does no validation that the output pointer is accessible by the user process if the user passes an output buffer size of 0.

This means that a user mode program can cause a write of (at least) the 32-bit values 0 or 31, or the 8-bit value 0 to any address given to the driver.

A PoC is attached that causes a bsod when the kernel tries to write to 0x4141414141414141.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
680 bytes View Download

Comment 1 by, Jul 26 2016

(Minor correction, the PoC writes to 0x4141414141414141+0x30). This is tested on Windows 10 x64 with 368.81 (latest at time of writing).

Comment 2 by, Jul 28 2016

Labels: -Reported-2016-July-26 Reported-2016-Jul-26

Comment 3 by, Sep 29 2016

Labels: -Severity-High CVE-2016-7384 Severity-HIgh

Comment 4 by, Oct 6 2016

simple local privesc exploit.
8.1 KB View Download

Comment 5 by, Oct 27 2016

Labels: Deadline-Grace
NVIDIA expects to release details of fix tomorrow.

Comment 6 by, Oct 28 2016

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
Fixed. Bulletin:

Sign in to add a comment