Issue 880 NVIDIA: Unchecked input/output lengths in UVMLiteController ioctl handling
Reported by ochang@google.com (Project Member), Jul 26 2016
Status: Fixed
Closed: Oct 28
The \\.\UVMLiteController device is created by the nvlddmkm.sys driver, and can be opened by any user. The driver handles various control codes for this device, but there is no validation of the input/output buffers or their sizes.

In addition to potential overreads on the input, the driver writes output directly to Irp->UserBuffer, which is the output pointer passed to DeviceIoControl() by the user. The IO control codes handled specify METHOD_BUFFERED, but the kernel does no validation that the output pointer is accessible by the user process if the user passes an output buffer size of 0.

This means that a user mode program can cause a write of (at least) the 32-bit values 0 or 31, or the 8-bit value 0 to any address given to the driver.

A PoC is attached that causes a BSOD when the kernel tries to write to 0x4141414141414141.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachment: poc.cpp (680 bytes)
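As an added example (not the PoC attached to this report and not NVIDIA's driver code), a stand-alone C model of the METHOD_BUFFERED dispatch path that the fix needs: a handler that refuses a request whose OutputBufferLength is smaller than the record it returns, and that only ever writes through SystemBuffer rather than Irp->UserBuffer. The IRP layout, the control code IOCTL_MODEL_QUERY and the QueryOut record are hypothetical stand-ins for the real driver's definitions.

```c
#include <stdint.h>
#include <string.h>

/* User-mode model of what a METHOD_BUFFERED dispatch routine sees; field
 * names mirror WDM, but this is a stand-alone model, not the kernel headers. */
typedef struct {
    void *SystemBuffer;         /* I/O manager's kernel copy; NULL when both lengths are 0 */
    void *UserBuffer;           /* raw caller pointer; not probed when OutputBufferLength == 0 */
    uint32_t IoControlCode;
    uint32_t OutputBufferLength;
    uint32_t Information;       /* bytes the I/O manager copies back to the caller */
} Irp;

#define STATUS_SUCCESS           0x00000000u
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define IOCTL_MODEL_QUERY        0x222000u     /* hypothetical control code */
typedef struct { uint32_t version; } QueryOut; /* hypothetical output record */

/* Hardened form of the pattern the report describes. The defect was writing
 * the result through the raw UserBuffer with no length check; here the length
 * is checked against the record first and only SystemBuffer is ever touched. */
uint32_t dispatch_hardened(Irp *irp) {
    if (irp->IoControlCode != IOCTL_MODEL_QUERY)
        return STATUS_INVALID_PARAMETER;
    if (irp->OutputBufferLength < sizeof(QueryOut) || irp->SystemBuffer == NULL)
        return STATUS_BUFFER_TOO_SMALL;   /* Information stays 0: nothing is copied back */
    ((QueryOut *)irp->SystemBuffer)->version = 31;
    irp->Information = sizeof(QueryOut);
    return STATUS_SUCCESS;
}

/* Zero-length output request carrying an arbitrary UserBuffer: returns 1 if the
 * hardened handler rejects it without writing anything. */
int hardened_rejects_zero_length(void) {
    Irp irp; memset(&irp, 0, sizeof irp);
    irp.IoControlCode = IOCTL_MODEL_QUERY;
    irp.UserBuffer = (void *)(uintptr_t)0x4141414141414141ULL;  /* never dereferenced */
    return dispatch_hardened(&irp) == STATUS_BUFFER_TOO_SMALL && irp.Information == 0;
}

/* Same request with a correctly sized buffer: returns the version written. */
uint32_t hardened_version_for_valid_request(void) {
    QueryOut out = {0};
    Irp irp; memset(&irp, 0, sizeof irp);
    irp.IoControlCode = IOCTL_MODEL_QUERY;
    irp.OutputBufferLength = sizeof out;
    irp.SystemBuffer = &out;
    return dispatch_hardened(&irp) == STATUS_SUCCESS ? out.version : 0;
}
```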
Project Member Comment 1 by ochang@google.com, Jul 26 2016
(Minor correction, the PoC writes to 0x4141414141414141+0x30). This is tested on Windows 10 x64 with 368.81 (latest at time of writing).
Project Member Comment 2 by scvitti@google.com, Jul 28 2016
Labels: -Reported-2016-July-26 Reported-2016-Jul-26
Project Member Comment 3 by ochang@google.com, Sep 29
Labels: -Severity-High CVE-2016-7384 Severity-HIgh
Project Member Comment 4 by ochang@google.com, Oct 6
Simple local privesc exploit.
Attachment: exploit.cpp (8.1 KB)
Project Member Comment 5 by ochang@google.com, Oct 27
Labels: Deadline-Grace
NVIDIA expects to release details of fix tomorrow.
Project Member Comment 6 by ochang@google.com, Oct 28
Labels: -Restrict-View-Commit
Status: Fixed
Fixed. Bulletin: http://nvidia.custhelp.com/app/answers/detail/a_id/4247