Search...

NVIDIA Driver - Stack Buffer Overflow in Escape 0x10000e9

2016-10-31T00:00:00
ID EXPLOITPACK:8550605532FB180AE16532D443985038
Type exploitpack
Reporter Google Security Research
Modified 2016-10-31T00:00:00

Description

NVIDIA Driver - Stack Buffer Overflow in Escape 0x10000e9

                                        
                                            Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=947

The escape handler for 0x10000e9 lacks bounds checks, and passes a user
specified size as the size to memcpy, resulting in a stack buffer overflow:

bool escape_10000e9(NvMiniportDeviceContext *a1, Escape10000e9 *escape) {
  ...
  LOBYTE(a9) = escape_->unknown_5[1] != 0;
  LOBYTE(a8) = escape_->unknown_5[0] != 0;
  if ( !sub_DC57C(
          *(_QWORD *)(*(_QWORD *)(v4 + 104) + 1000i64),
          escape_->unknown_1,
          escape_->unknown_2,
          escape_->unknown_3,
          escape_->unknown_4,
          escape_->data,
          escape_->size,
          a8,
          a9,
          &escape_->unknown_5[2]) )
    return 0;
  escape_->header.result = 1;
  return 1;
}

char sub_DC57C(...) {
  ...
  // escape_buf is escape_->data from previous function
  // buf_size is escape->size
  memcpy(&stack_buf, escape_buf, (unsigned int)buf_size);
  ...

Crashing context (Win 10 x64, 372.54):

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
...

STACK_TEXT:  
ffffd000`263bc188 fffff803`9d1deaf2 : 9d919d43`2d3cc8a7 00000000`000000f7 ffffd000`263bc2f0 fffff803`9d03c848 : nt!DbgBreakPointWithStatus
ffffd000`263bc190 fffff803`9d1de4c3 : 00000000`00000003 ffffd000`263bc2f0 fffff803`9d16c600 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
ffffd000`263bc1f0 fffff803`9d15fa44 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffc000`494d4764 : nt!KeBugCheck2+0x893
ffffd000`263bc900 fffff800`ad8c2bc6 : 00000000`000000f7 9d919d43`2d3cc8a7 0000f6ec`74dc94fc ffff0913`8b236b03 : nt!KeBugCheckEx+0x104
ffffd000`263bc940 fffff800`ad7fc6f7 : c0004492`55400400 ffff8000`00000000 ffffc000`44925540 00000000`00000000 : nvlddmkm+0x192bc6
ffffd000`263bc980 ffffc000`585e78a0 : 00000000`000005d4 00430043`00310030 4666744e`03610107 00000000`00000000 : nvlddmkm+0xcc6f7
ffffd000`263bce70 00000000`000005d4 : 00430043`00310030 4666744e`03610107 00000000`00000000 00000c48`01380702 : 0xffffc000`585e78a0
ffffd000`263bce78 00430043`00310030 : 4666744e`03610107 00000000`00000000 00000c48`01380702 00010000`000166c2 : 0x5d4
ffffd000`263bce80 4666744e`03610107 : 00000000`00000000 00000c48`01380702 00010000`000166c2 00000000`00000000 : 0x00430043`00310030
ffffd000`263bce88 00000000`00000000 : 00000c48`01380702 00010000`000166c2 00000000`00000000 00000000`00000000 : 0x4666744e`03610107


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40668.zip
JSON Vulners Source
Initial Source


All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to content@vulners.com Vulners, 2018
Protected by