Cisco ASA WebVPN CIFS handling buffer overflow conditions have been discovered.
5f13058e5f06f00a4c9e17b0e2cff240e100c10816e9044cab1647b9e216332f
NVIDIA suffers from a buffer overflow vulnerability in the command buffer submission.
49c0af04b53317ce1aac2bffdd6715784a5cd58b2d348367b7939d07168f6210
NVIDIA suffers from an out-of-bounds read / write vulnerability in escape 0x100008b.
507ca94d45510845667200565a23331966631f9d216cf86a4eca35a7423a8e5b
The escape handler for 0x10000e9 lacks bounds checks, and passes a user specified size as the size to memcpy, resulting in a stack buffer overflow.
e764018c50128a89c728c3202c374cd2eee6b13beea7305fa6c32f6c0bab6212
There is a missing bounds check in inner loop of the escape handler for 0x7000014 that leads to a stack buffer overflow.
6154ad3c9f831583ddc42198a12cfa12363713dc40cd3172b448eda799e5eae1
The DxgkDdiEscape handler for 0x70000d5 lacks bounds checks.
217f80d673facc15accb636f625922543219ec6b5feb5df98734f4a373cb88c7
The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size input escape data, and relies on a user provided size as the upper bound for writing output.
7290a345ac11921d719fab843f9ee44533b83cdd39e09fc45d06819460973000
The DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks.
b14a13d1b77ffa3d060b707004362638f3c5ff6e048afd8cf77611c8cdde2d1a
The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a process creation notification routine. wcscpy_s is used incorrectly here, as the second argument is not the size of |Dst|, but rather the calculated size of the filename. |Dst| is a stack buffer that is at least 255 characters long. The maximum path component length on most Windows filesystems is <= 255, so this shouldn't be an issue on normal filesystems. However, one can pass UNC paths to CreateProcessW containing forward slashes as the path delimiter, which means that the extracted filename here can be "a/b/c/...", leading to a buffer overflow. Additionally, this function has no stack cookie.
d534aa5dbfaaf39a96770f8f3d77175a1058baafc21fe140187d747f2c80d76a
The DxgkDdiEscape handler for 0x5000027 accepts a user provided pointer, but does no checks on it before using it.
ad8c4174f1e08e6564d58aa2d42e1e83d8e014e6a4e5db8020415f6aba4ec946
NVIDIA suffers from a missing bounds check in escape 0x100010b.
0ac6c7ff8137b4f4210690565bb24e9090b98312b19fb5b9f81228ab56b1211c
The DxgkDdiEscape handler for 0x70001b2 doesn't do proper bounds checks for its variable size input.
3f0707279202aa000fc87188c9423545af5ea5238e8a0a0747d912d04badb09d
The DxgkDdiEscape handler for 0x700010d accepts a user provided pointer as the destination for a memcpy call, without doing any checks on said pointer.
00028040fc1696111b53b38186779858df513b4aa81a7ab2a7c1d708f6b717c5
The DxgkDdiEscape handler for 0x600000D passes an unchecked user provided pointer as the destination for a memcpy call. This leads to kernel memory corruption.
88df8868b62f20e6af812714d8f4fbc7c341957f6633b3258e0389967bc4db8e
NVIDIA escape code leaks uninitialized ExAllocatePoolWithTag memory to userspace.
f708d6be27d7323b5b92bfefe4673bcc69a708dc90f8c96a6211dd65b7f7b009
NVIDIA's UVMLiteController ioctl handling in nvlddmkm.sys failed to provide proper length checking.
35df092ce423d70fd6bbcf76399d366b6e2c33dd7474e617edb4a4aae54093e8
The DxgkDdiEscape handler for 0x7000194 doesn't do bounds checking with the user provided lengths it receives. When these lengths are passed to memcpy, overreads and memory corruption can occur.
fe4199c90270a4da962ed45b45ddf04bfdf0f113751182e41c3f39b735a8f2c9