38 uninits in win7 MessageBox #1133

Closed
derekbruening opened this issue Nov 28, 2014 · 7 comments

Comments

@derekbruening
Contributor

From [email protected] on February 19, 2013 20:16:12

I thought there were fewer in the past, but probably I'm thinking of xp64
and of -syscall_sentinels.

We need some GUI apps in the suite. We'll need to use mechanisms to close
them: xref DRi#111.

ERRORS FOUND:
0 unique, 0 total unaddressable access(es)
38 unique, 72 total uninitialized access(es)
0 unique, 0 total invalid heap argument(s)
0 unique, 0 total GDI usage error(s)
0 unique, 0 total warning(s)
1 unique, 1 total, 84 byte(s) of leak(s)
2 unique, 3 total, 72 byte(s) of possible leak(s)

here are some representative ones:

Error #1: UNINITIALIZED READ: reading register edx
#0 LPK.dll!FontHasWesternScript
#1 LPK.dll!LpkGetTextExtentExPoint
#2 GDI32.dll!GetTextExtentPointWInternal
#3 GDI32.dll!GetTextExtentPointW
#4 USER32.dll!SoftModalMessageBox
#5 USER32.dll!MessageBoxWorker
#6 USER32.dll!MessageBoxTimeoutW
#7 USER32.dll!MessageBoxTimeoutA
#8 USER32.dll!MessageBoxExA
#9 USER32.dll!MessageBoxA
#10 main [d:\derek\dr\test\gui-inject.c:102]
Note: @0:00:00.686 in thread 8168
Note: instruction: cmp %edx 0x755a73e0(,%eax,8)

Error #9: UNINITIALIZED READ: reading 0x002ef4fc-0x002ef4fe 2 byte(s) within 0x002ef4fc-0x002ef500
#0 USER32.dll!InternalCreateDialog
#1 USER32.dll!InternalDialogBox
#2 USER32.dll!SoftModalMessageBox
#3 USER32.dll!MessageBoxWorker
#4 USER32.dll!MessageBoxTimeoutW
#5 USER32.dll!MessageBoxTimeoutA
#6 USER32.dll!MessageBoxExA
#7 USER32.dll!MessageBoxA
#8 main [d:\derek\dr\test\gui-inject.c:102]
Note: @0:00:01.279 in thread 8168
Note: instruction: cmp 0x0c(%ebp) $0x00000000

Error #10: UNINITIALIZED READ: reading 0x002eecbc-0x002eecd0 20 byte(s) within 0x002eecbc-0x002eecd0
#0 system call NtAccessCheck parameter #4
#1 KERNELBASE.dll!CheckTokenMembership
#2 IMM32.dll!IsInteractiveUserLogon
#3 IMM32.dll!CtfImmTIMActivate
#4 USER32.dll!CtfLoadThreadLayout
#5 USER32.dll!ImeSystemHandler
#6 USER32.dll!ImeWndProcWorker
#7 USER32.dll!ImeWndProcW
#8 USER32.dll!InternalCallWinProc
#9 USER32.dll!UserCallWinProcCheckWow
#10 USER32.dll!DispatchClientMessage
#11 USER32.dll!__fnDWORD
Note: @0:00:01.700 in thread 8168

Error #17: UNINITIALIZED READ: reading register cx
#0 USER32.dll!ClassNameToVersion
#1 USER32.dll!GetClassInfoExW
#2 USER32.dll!GetClassInfoW
#3 USER32.dll!CreateIMEUI
#4 USER32.dll!ImeSetContextHandler
#5 USER32.dll!ImeWndProcWorker
#6 USER32.dll!ImeWndProcW
#7 USER32.dll!InternalCallWinProc
#8 USER32.dll!UserCallWinProcCheckWow
#9 USER32.dll!SendMessageWorker
#10 USER32.dll!RealDefWindowProcWorker
#11 USER32.dll!RealDefWindowProcW
Note: @0:00:02.558 in thread 8168
Note: instruction: data16 cmp %cx %bx

Error #27: UNINITIALIZED READ: reading register si
#0 USER32.dll!RtlInitLargeUnicodeString
#1 USER32.dll!_CreateWindowEx
#2 USER32.dll!CreateWindowExW
#3 USER32.dll!CreateIMEUI
#4 USER32.dll!ImeSetContextHandler
#5 USER32.dll!ImeWndProcWorker
#6 USER32.dll!ImeWndProcW
#7 USER32.dll!InternalCallWinProc
#8 USER32.dll!UserCallWinProcCheckWow
#9 USER32.dll!SendMessageWorker
#10 USER32.dll!RealDefWindowProcWorker
#11 USER32.dll!RealDefWindowProcW
Note: @0:00:02.574 in thread 8168
Note: instruction: data16 test %si %si

Error #35: UNINITIALIZED READ: reading register ebx
#0 GDI32.dll!SetViewportOrgEx
#1 USER32.dll!DrawStateW
#2 USER32.dll!xxxBNDrawText
#3 USER32.dll!xxxDrawButton
#4 USER32.dll!xxxBNPaint
#5 USER32.dll!ButtonWndProcWorker
#6 USER32.dll!ButtonWndProcW
#7 USER32.dll!InternalCallWinProc
#8 USER32.dll!UserCallWinProcCheckWow
#9 USER32.dll!DispatchClientMessage
#10 USER32.dll!__fnDWORD
#11 USER32.dll!UpdateWindow
Note: @0:00:02.776 in thread 8168
Note: instruction: cmp (%ecx) %ebx

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1133

@derekbruening
Contributor Author

From [email protected] on February 20, 2013 20:39:17

This is a regression. Running the 1.5.0 release on the same app:

Dr.M ERRORS FOUND:
Dr.M 0 unique, 0 total unaddressable access(es)
Dr.M 1 unique, 1 total uninitialized access(es)
Dr.M 0 unique, 0 total invalid heap argument(s)
Dr.M 0 unique, 0 total GDI usage error(s)
Dr.M 0 unique, 0 total warning(s)
Dr.M 0 unique, 0 total, 0 byte(s) of leak(s)
Dr.M 2 unique, 3 total, 72 byte(s) of possible leak(s)

Owner: [email protected]
Labels: -Priority-Medium Priority-High Hotlist-Release

@derekbruening
Contributor Author

From [email protected] on February 21, 2013 06:55:08

*** TODO problem #1: I never set the drsys_options_t.is_byte_addressable, etc. functions!

that brings it down to:
Dr.M 14 unique, 15 total uninitialized access(es)

*** TODO problem #2: bool-returning syscalls weren't considered to fail before r1133:
processing post system call #0x106a NtGdiGetWidthTable res=0x0
post considering arg 2 -3 41 0x00396590
post considering arg 4 -3 42 0x003967f8
start 0x003967f8, size 0x268
marking 0x3967f8-0x396a60 written parameter #4
post considering arg 5 16 2 0x003962f0
start 0x003962f0, size 0x10
marking 0x3962f0-0x396300 written parameter #5
post considering arg 6 4 2 0x00396300
start 0x00396300, size 0x4
marking 0x396300-0x396304 written parameter #6
post considering arg 0 0 0 0x850116a7

now:
system call 4202 NtGdiGetWidthTable failed with 0x00000000

hmmm. only called once, so not like a 1st call to get size.
reactos has as BOOL. so does another google search hit.

@derekbruening
Contributor Author

From [email protected] on February 21, 2013 08:50:34

split NtGdiGetWidthTable as issue #1137

@derekbruening
Contributor Author

From [email protected] on February 21, 2013 09:09:48

*** TODO problem #3: NtAccessCheck

4th param (PRIVILEGE_SET): before drstrace it was W. drstrace put in as
R b/c that's what Nebbett had: but Metasploit has W.

=>
Dr.M 0 unique, 0 total uninitialized access(es)
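Added example, constructed for this page and not Dr. Memory or drsyscall code: a toy C model of the mechanism the two comments above (problem #2, BOOL-returning syscalls and failure, and problem #3, the R-vs-W annotation of NtAccessCheck's 4th parameter) are debugging. A per-syscall table tags each pointer parameter as read (R) or written (W) by the kernel; the pre-syscall check flags R parameters whose bytes are not all defined, and the post-syscall step marks W parameters defined only if the call did not fail. The "-like" syscall names, the 20-byte and 32-byte buffer sizes, the shadow `arena` and the `bool_aware` switch are assumptions for illustration, not the real drsyscall tables or API.

```c
/* Added example, constructed for this page: a toy model of a syscall-aware
 * uninitialized-read checker.  NOT Dr. Memory or drsyscall code; the table
 * entries, byte sizes and shadow "arena" are illustrative stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ARG_R = 1, ARG_W = 2 };                 /* bitmask: kernel reads / writes */
typedef enum { RET_NTSTATUS, RET_BOOL } ret_type_t;
typedef struct { int idx; int mode; size_t size; } arg_info_t;
typedef struct {
    const char *name;
    ret_type_t ret;
    const arg_info_t *args;
    int num_args;
} syscall_info_t;

#define ARENA_SIZE 256
static uint8_t arena[ARENA_SIZE];              /* stand-in application memory */
static bool shadow_defined[ARENA_SIZE];        /* one "defined" bit per byte */

static void mark_defined(const void *p, size_t sz) {
    size_t off = (size_t)((const uint8_t *)p - arena);
    for (size_t i = 0; i < sz && off + i < ARENA_SIZE; i++)
        shadow_defined[off + i] = true;
}
static bool all_defined(const void *p, size_t sz) {
    size_t off = (size_t)((const uint8_t *)p - arena);
    for (size_t i = 0; i < sz && off + i < ARENA_SIZE; i++)
        if (!shadow_defined[off + i]) return false;
    return true;
}

/* Failure predicate.  NTSTATUS: negative is failure.  BOOL: zero is failure,
 * but only when the checker knows the syscall returns BOOL (problem #2 above:
 * a checker unaware of BOOL returns treats every result as success). */
static bool syscall_failed(const syscall_info_t *sc, intptr_t res, bool bool_aware) {
    if (sc->ret == RET_NTSTATUS) return res < 0;
    return bool_aware && res == 0;
}

/* Pre-syscall: every R parameter must be fully defined.  Returns error count. */
static int pre_syscall(const syscall_info_t *sc, void *const *argv) {
    int errors = 0;
    for (int i = 0; i < sc->num_args; i++) {
        const arg_info_t *a = &sc->args[i];
        if ((a->mode & ARG_R) && !all_defined(argv[a->idx], a->size)) {
            printf("UNINITIALIZED READ: system call %s parameter #%d\n", sc->name, a->idx);
            errors++;
        }
    }
    return errors;
}

/* Post-syscall: W parameters become defined, unless the call failed. */
static void post_syscall(const syscall_info_t *sc, void *const *argv, intptr_t res, bool bool_aware) {
    if (syscall_failed(sc, res, bool_aware)) return;
    for (int i = 0; i < sc->num_args; i++)
        if (sc->args[i].mode & ARG_W)
            mark_defined(argv[sc->args[i].idx], sc->args[i].size);
}

/* Problem #3 scenario: an NtAccessCheck-like call whose parameter #4 is a
 * 20-byte buffer the kernel fills (20 bytes as in Error #10 above; the rest
 * is assumed).  Returns pre-syscall errors; *defined_after reports the
 * buffer's shadow state after a successful call (NTSTATUS 0). */
static int run_privilege_set(int mode, bool *defined_after) {
    arg_info_t args[] = { { 4, mode, 20 } };
    syscall_info_t sc = { "NtAccessCheck-like", RET_NTSTATUS, args, 1 };
    void *argv[5] = { 0 };
    memset(shadow_defined, 0, sizeof shadow_defined);   /* fresh, untouched stack */
    argv[4] = &arena[0x10];
    int errors = pre_syscall(&sc, argv);
    post_syscall(&sc, argv, 0, true);
    *defined_after = all_defined(argv[4], 20);
    return errors;
}
int privilege_set_errors(int mode) { bool d; return run_privilege_set(mode, &d); }
bool privilege_set_defined_after(int mode) { bool d; run_privilege_set(mode, &d); return d; }

/* Problem #2 scenario: a BOOL-returning call returns 0 with a W parameter.
 * Whether the buffer counts as written afterwards depends only on whether
 * the checker treats BOOL 0 as failure. */
bool out_buffer_defined_after_bool_zero(bool bool_aware) {
    arg_info_t args[] = { { 4, ARG_W, 32 } };
    syscall_info_t sc = { "NtGdiGetWidthTable-like", RET_BOOL, args, 1 };
    void *argv[5] = { 0 };
    memset(shadow_defined, 0, sizeof shadow_defined);
    argv[4] = &arena[0x40];
    post_syscall(&sc, argv, 0, bool_aware);
    return all_defined(argv[4], 32);
}

int main(void) {
    printf("param #4 as R: %d error(s); as W: %d error(s), defined after=%d\n",
           privilege_set_errors(ARG_R), privilege_set_errors(ARG_W),
           (int)privilege_set_defined_after(ARG_W));
    printf("BOOL 0 with failure check: defined=%d; without: defined=%d\n",
           (int)out_buffer_defined_after_bool_zero(true),
           (int)out_buffer_defined_after_bool_zero(false));
    return 0;
}
```

Flipping the PRIVILEGE_SET-style parameter from W to R reproduces the false "UNINITIALIZED READ ... parameter #4" report from Error #10 above; flipping the BOOL-failure switch reproduces the difference between the old "marking ... written parameter #4" log and the new "failed with 0x00000000" log. The model only shows that the two table facts (direction of each parameter, return type and failure convention) decide the outcome; which value is right for a given syscall has to come from the real prototype, which is why NtGdiGetWidthTable gets its own issue in the thread.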

@derekbruening
Contributor Author

From [email protected] on February 21, 2013 09:51:31

MessageBox is back to pre-drsyscall with zero uninits.
after issue #1138 and issue #1139 , calc is also back to 2 (real) uninits.

mspaint is also: r1133:
Dr.M ERRORS FOUND:
Dr.M 2 unique, 2 total unaddressable access(es)
Dr.M 270 unique, 3127 total uninitialized access(es)
Dr.M 0 unique, 0 total invalid heap argument(s)
Dr.M 9 unique, 172 total GDI usage error(s)
Dr.M 0 unique, 0 total warning(s)
Dr.M 8 unique, 8 total, 11432 byte(s) of leak(s)
Dr.M 37 unique, 40 total, 34120 byte(s) of possible leak(s)

now (after all fixes above):
Dr.M ERRORS FOUND:
Dr.M 1 unique, 1 total unaddressable access(es)
Dr.M 270 unique, 2857 total uninitialized access(es)
Dr.M 0 unique, 0 total invalid heap argument(s)
Dr.M 8 unique, 216 total GDI usage error(s)
Dr.M 0 unique, 0 total warning(s)
Dr.M 8 unique, 9 total, 20136 byte(s) of leak(s)
Dr.M 31 unique, 32 total, 20864 byte(s) of possible leak(s)

issue #878 covers these.

@derekbruening
Contributor Author

From [email protected] on February 21, 2013 14:09:56

This issue was closed by revision r1194.

Status: Fixed
