55 lines
No EOL
1.5 KiB
Text
55 lines
No EOL
1.5 KiB
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=944
|
|
|
|
The DxgkDdiEscape handler for 0x70000d5 lacks bounds checks:
|
|
|
|
...
|
|
|
|
if ( g_saved_size )
|
|
{
|
|
escape->size = g_saved_size;
|
|
if ( (unsigned int)g_saved_size > 0 )
|
|
{
|
|
do
|
|
{
|
|
v5 = v2++;
|
|
escape->data[v5] = global_array[v5 + 77];
|
|
}
|
|
while ( v2 < g_saved_size );
|
|
}
|
|
return;
|
|
}
|
|
data = 0i64;
|
|
|
|
|
|
...
|
|
if ( escape->size > 0 )
|
|
{
|
|
do
|
|
{
|
|
ii = i++;
|
|
global_array[ii + 77] = escape->data[ii];
|
|
}
|
|
while ( i < escape->size );
|
|
|
|
...
|
|
g_saved_size = escape->size;
|
|
|
|
This handler copies data to/from a global array, but lacks any form of bounds checking, as
|
|
|escape->size| is controlled by the user. This leads to overflow of the global buffer, and pool overflows
|
|
when it's copied back into the escape data.
|
|
|
|
A PoC is attached that should cause a crash (Win 10 x64, 372.54):
|
|
|
|
KERNEL_SECURITY_CHECK_FAILURE (139)
|
|
A kernel component has corrupted a critical data structure. The corruption
|
|
could potentially allow a malicious user to gain control of this machine.
|
|
Arguments:
|
|
Arg1: 0000000000000002, Stack cookie instrumentation code detected a stack-based
|
|
buffer overrun.
|
|
Arg2: ffffd00022de52c0, Address of the trap frame for the exception that caused the bugcheck
|
|
Arg3: ffffd00022de5218, Address of the exception record for the exception that caused the bugcheck
|
|
Arg4: 0000000000000000, Reserved
|
|
|
|
|
|
Proof of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40666.zip |