New issue
Advanced search Search tips
Starred by 2 users
Status: Fixed
Closed: Oct 2016

Sign in to add a comment
NVIDIA: Unchecked input/output lengths in UVMLiteController ioctl handling
Reported by, Jul 26 2016 Back to list
The \\.\UVMLiteController device is created by the nvlddmkm.sys driver, and can be opened by any user. The driver handles various control codes for this device, but there is no validation for the input/output buffer and their sizes.

In addition to potential overreads on the input, the driver writes output directly to Irp->UserBuffer, which is the output pointer passed to DeviceIoControl() by the user. The IO control codes handled specify METHOD_BUFFERED, but the kernel does no validation that the output pointer is accessible by the user process if the user passes an output buffer size of 0.

This means that a user mode program can cause a write of (at least) the 32-bit values 0 or 31, or the 8-bit value 0 to any address given to the driver.

A PoC is attached that causes a bsod when the kernel tries to write to 0x4141414141414141.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

680 bytes View Download
Comment 1 by, Jul 26 2016
(Minor correction, the PoC writes to 0x4141414141414141+0x30). This is tested on Windows 10 x64 with 368.81 (latest at time of writing).
Comment 2 by, Jul 28 2016
Labels: -Reported-2016-July-26 Reported-2016-Jul-26
Comment 3 by, Sep 29 2016
Labels: -Severity-High CVE-2016-7384 Severity-HIgh
Comment 4 by, Oct 6 2016
simple local privesc exploit.
8.1 KB View Download
Comment 5 by, Oct 27 2016
Labels: Deadline-Grace
NVIDIA expects to release details of fix tomorrow.
Comment 6 by, Oct 28 2016
Labels: -Restrict-View-Commit
Status: Fixed
Fixed. Bulletin:
Sign in to add a comment