DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks

vendor:

N/A

by:

Project Zero

7,8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2017

DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks

The DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks, leading to a buffer overflow on the allocated pool buffer. There is a check that total_size > 0x10, which calls some kind of a debug/logging function (do_debug_thingo in my pseudocode), but it does not actually stop processing of the escape. There is also a potential integer overflow in the calculation of |total_size|.

Mitigation:

Ensure that proper bounds checks are in place for the DxgkDdiEscape handler for escape 0x100009a.

Source

DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks

Mitigation:

Exploit-DB raw data: