Perhaps this is an unfair oversimplification, but a humorous (to me)
summary of the SDL might be "security is solved because old code is
irrelevant and new code is perfect". For this reason, I can't help
finding it amusing that both old and new Microsoft code keeps failing
so spectacularly.
I mentioned some ancient code that fails yesterday, here's a fun
example of brand new code failing. There is a new Windows 8+ only
feature I've been looking at, the Touch Injection API:
http://msdn.microsoft.com/en-us/library/windows/desktop/hh802898(v=vs.85).aspx
The feature is backed by two new system calls,
win32k!NtUserInitializeTouchInjection and
win32k!NtUserInjectTouchInput. When you initialize touch injection,
you specify the maximum number of simultaneous contacts you want to
support, up to MAX_TOUCH_CONTACTS. This allocates enough space for the
appropriate structures.
Unfortunately, win32k!InitializeTouchInjectionWithQDCData doesn't
handle allocation failure correctly. This can be exploited by
allocating all available pool, and then increasing the number of
contacts requested.
I have a reliable test case for this issue, attached for reference or
at the URL below (only tested on x86, but I don't see why it wouldn't
work on x64).
https://gist.github.com/taviso/4cfc3035e99f2ea1377e
--
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------