We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file: --- DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6) N bytes of memory was allocated and more than N bytes are being referenced. This cannot be protected by try-except. When possible, the guilty driver's name (Unicode string) is printed on the bugcheck screen and saved in KiBugCheckDriver. Arguments: Arg1: fb6f5000, memory referenced Arg2: 00000001, value 0 = read operation, 1 = write operation Arg3: 99053e40, if non-zero, the address which referenced memory. Arg4: 00000000, (reserved) Debugging Details: ------------------ Could not read faulting driver name WRITE_ADDRESS: GetPointerFromAddress: unable to read from 827ae84c Unable to read MiSystemVaType memory at 8278d780 fb6f5000 FAULTING_IP: ATMFD+33e40 99053e40 890c82 mov dword ptr [edx+eax*4],ecx MM_INTERNAL_CODE: 0 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP BUGCHECK_STR: 0xD6 PROCESS_NAME: csrss.exe CURRENT_IRQL: 0 ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 99054677 to 99053e40 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. b603ecb0 99054677 fb472880 fb6f438c 00000f5c ATMFD+0x33e40 b603ece4 99054776 fb6f4380 00000003 fb6f438c ATMFD+0x34677 b603ed0c 99049fb3 fb472800 fc5b60b8 990663ec ATMFD+0x34776 b603ed30 9904eaf5 fc704c70 990663ec 00000f5c ATMFD+0x29fb3 b603f444 9904f85f fc704c70 9905f028 b603f690 ATMFD+0x2eaf5 b603f500 9904286e fc704c70 9905f028 b603f690 ATMFD+0x2f85f b603f5ec 99042918 fc704c70 b603f690 b603f714 ATMFD+0x2286e b603f618 990333d2 fc704c70 9905f028 b603f690 ATMFD+0x22918 b603f77c 990337a9 00000000 b603f89c fb6bcc80 ATMFD+0x133d2 b603f7d0 990240ff 00000000 b603f89c 00000000 ATMFD+0x137a9 b603f824 9918de12 ff7a5010 fb562cf0 00000001 ATMFD+0x40ff b603f86c 9917687d ff7a5010 fb562cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e b603f8e0 991a1653 ffa6a130 fb588b54 0000004c win32k!xInsertMetricsRFONTOBJ+0x9c b603f914 991a3735 00000020 b603f9fc b603fb8c win32k!RFONTOBJ::bGetGlyphMetrics+0x131 b603fbb8 991b6856 17010459 00000060 00000040 win32k!GreGetCharABCWidthsW+0x147 b603fc14 8267fa06 17010459 00000040 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8 b603fc14 776771b4 17010459 00000040 00000040 nt!KiSystemServicePostCall 02dde7ac 00000000 00000000 00000000 00000000 0x776771b4 --- The crash always occurs while trying to write outside of a dynamically allocated destination buffer, leading to a pool-based buffer overflow, potentially allowing for remote code execution in the context of the Windows kernel. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "CFF " table. The issue reproduces on Windows 7 and 8.1; other platforms were not tested. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in ATMFD.DLL or another location in kernel space, as caused by the corrupted pool state. Attached is an archive with the proof-of-concept mutated OTF file, together with the original font used to generate it and a corresponding crash log from Windows 7 32-bit. More: https://code.google.com/p/google-security-research/issues/detail?id=683 # Iranian Exploit DataBase = http://IeDb.Ir [2016-03-16]