NVIDIA Driver - Stack Buffer Overflow in Escape 0x10000e9

EDB-ID:

40668




Platform:

Windows

Date:

2016-10-31


Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=947

The escape handler for 0x10000e9 lacks bounds checks, and passes a user
specified size as the size to memcpy, resulting in a stack buffer overflow:

bool escape_10000e9(NvMiniportDeviceContext *a1, Escape10000e9 *escape) {
  ...
  LOBYTE(a9) = escape_->unknown_5[1] != 0;
  LOBYTE(a8) = escape_->unknown_5[0] != 0;
  if ( !sub_DC57C(
          *(_QWORD *)(*(_QWORD *)(v4 + 104) + 1000i64),
          escape_->unknown_1,
          escape_->unknown_2,
          escape_->unknown_3,
          escape_->unknown_4,
          escape_->data,
          escape_->size,
          a8,
          a9,
          &escape_->unknown_5[2]) )
    return 0;
  escape_->header.result = 1;
  return 1;
}

char sub_DC57C(...) {
  ...
  // escape_buf is escape_->data from previous function
  // buf_size is escape->size
  memcpy(&stack_buf, escape_buf, (unsigned int)buf_size);
  ...

Crashing context (Win 10 x64, 372.54):

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
...

STACK_TEXT:  
ffffd000`263bc188 fffff803`9d1deaf2 : 9d919d43`2d3cc8a7 00000000`000000f7 ffffd000`263bc2f0 fffff803`9d03c848 : nt!DbgBreakPointWithStatus
ffffd000`263bc190 fffff803`9d1de4c3 : 00000000`00000003 ffffd000`263bc2f0 fffff803`9d16c600 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
ffffd000`263bc1f0 fffff803`9d15fa44 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffc000`494d4764 : nt!KeBugCheck2+0x893
ffffd000`263bc900 fffff800`ad8c2bc6 : 00000000`000000f7 9d919d43`2d3cc8a7 0000f6ec`74dc94fc ffff0913`8b236b03 : nt!KeBugCheckEx+0x104
ffffd000`263bc940 fffff800`ad7fc6f7 : c0004492`55400400 ffff8000`00000000 ffffc000`44925540 00000000`00000000 : nvlddmkm+0x192bc6
ffffd000`263bc980 ffffc000`585e78a0 : 00000000`000005d4 00430043`00310030 4666744e`03610107 00000000`00000000 : nvlddmkm+0xcc6f7
ffffd000`263bce70 00000000`000005d4 : 00430043`00310030 4666744e`03610107 00000000`00000000 00000c48`01380702 : 0xffffc000`585e78a0
ffffd000`263bce78 00430043`00310030 : 4666744e`03610107 00000000`00000000 00000c48`01380702 00010000`000166c2 : 0x5d4
ffffd000`263bce80 4666744e`03610107 : 00000000`00000000 00000c48`01380702 00010000`000166c2 00000000`00000000 : 0x00430043`00310030
ffffd000`263bce88 00000000`00000000 : 00000c48`01380702 00010000`000166c2 00000000`00000000 00000000`00000000 : 0x4666744e`03610107


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40668.zip