>> ARCHIVE: 2016-10

NVIDIA escape code leaks uninitialized ExAllocatePoolWithTag memory to userspace.

The DxgkDdiEscape handler for 0x600000D passes an unchecked user provided pointer as the destination for a memcpy call. This leads to kernel memory corruption.

The DxgkDdiEscape handler for 0x700010d accepts a user provided pointer as the destination for a memcpy call, without doing any checks on said pointer.

The DxgkDdiEscape handler for 0x70001b2 doesn’t do proper bounds checks for its variable size input.

NVIDIA suffers from a missing bounds check in escape 0x100010b.

The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a process creation notification routine. wcscpy_s is used incorrectly here, as the second argument is not the size of |Dst|, but rather…

The DxgkDdiEscape handler for 0x5000027 accepts a user provided pointer, but does no checks on it before using it.

The DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks.

The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size input escape data, and relies on a user provided size as the upper bound for writing output.

The DxgkDdiEscape handler for 0x70000d5 lacks bounds checks.