
Uninit reads below SetupDiGetClassDevsW #503

Open
derekbruening opened this issue Nov 28, 2014 · 10 comments

Comments

@derekbruening
Contributor

From [email protected] on July 21, 2011 06:10:44

Repro taken from issue #499:

#include <windows.h>
#include <dshow.h>

#include <stdio.h>

#pragma comment(lib, "ole32.lib")
#pragma comment(lib, "strmiids.lib")

class ScopedCOMInitializer {
public:
  ScopedCOMInitializer() : hr_(CoInitialize(NULL)) { }

  // An in-class definition must not be qualified with the class name.
  ~ScopedCOMInitializer() {
    if (SUCCEEDED(hr_))
      CoUninitialize();
  }

private:
  HRESULT hr_;
};

int main() {
  ScopedCOMInitializer sci;

  ICreateDevEnum *dev_enum = NULL;
  HRESULT hr = CoCreateInstance(CLSID_SystemDeviceEnum, NULL, CLSCTX_INPROC,
                                IID_ICreateDevEnum, (LPVOID*)&dev_enum);
  if (!SUCCEEDED(hr)) {
    printf("FAIL\n");
    return 1;
  }

  // This call is test.cpp:34 in the stacks below.
  IEnumMoniker *moniker = NULL;
  hr = dev_enum->CreateClassEnumerator(CLSID_VideoInputDeviceCategory, &moniker, 0);
  if (SUCCEEDED(hr)) {
    printf("PASS\n");
  } else {
    printf("FAIL\n");
    dev_enum->Release();
    return 1;
  }
  // S_FALSE (no device in the category) counts as success but leaves moniker NULL.
  if (moniker)
    moniker->Release();
  dev_enum->Release();

  return 0;
}

[XP 32-bit with symbols]

Error #1: UNINITIALIZED READ: reading register eax
@0:00:05.626 in thread 4280
0x7792b4c6 <SETUPAPI.dll+0xb4c6> SETUPAPI.dll!SetupDiGetClassDevsExW
0x7792b604 <SETUPAPI.dll+0xb604> SETUPAPI.dll!SetupDiGetClassDevsW
0x75f49bf7 <DEVENUM.DLL+0x9bf7> DEVENUM.DLL!CEnumInterfaceClass::GetDevicePath
0x75f47588 <DEVENUM.DLL+0x7588> DEVENUM.DLL!CCreateSwEnum::CreateOnePnpMoniker
0x75f4769d <DEVENUM.DLL+0x769d> DEVENUM.DLL!CCreateSwEnum::CreatePnpMonikers
0x75f4837d <DEVENUM.DLL+0x837d> DEVENUM.DLL!CCreateSwEnum::CreateClassEnumerator
0x75f442c4 <DEVENUM.DLL+0x42c4> DEVENUM.DLL!CClassManagerBase::CreateClassEnumerator
0x75f48344 <DEVENUM.DLL+0x8344> DEVENUM.DLL!CCreateSwEnum::CreateClassEnumerator
0x75f46e0e <DEVENUM.DLL+0x6e0e> DEVENUM.DLL!CCreateSwEnum::CreateClassEnumerator
0x00401099 <test.exe+0x1099> test.exe!main
test.cpp:34

...

Error #3: UNINITIALIZED READ: reading 0x00185d82-0x00185d84 2 byte(s)
@0:00:05.673 in thread 4280
0x10038293 <drmemorylib.dll+0x38293> drmemorylib.dll!replace_wcslen
drmemory\replace.c:323
0x7792cfc7 <SETUPAPI.dll+0xcfc7> SETUPAPI.dll!OpenDeviceInterfaceSubKey
0x7792d19c <SETUPAPI.dll+0xd19c> SETUPAPI.dll!pSetupGetDevInstNameAndStatusForInterfaceDevice
0x7792d481 <SETUPAPI.dll+0xd481> SETUPAPI.dll!SetupDiGetClassDevsExW
0x7792b604 <SETUPAPI.dll+0xb604> SETUPAPI.dll!SetupDiGetClassDevsW
<same stack as #1 below>

[XP 32-bits w/o symbols]

Error #2: UNINITIALIZED READ: reading register eax
@0:00:04.035 in thread 5720
0x7792b4c6 <SETUPAPI.dll+0xb4c6> SETUPAPI.dll!SetupDiGetClassDevsExW
0x7792b604 <SETUPAPI.dll+0xb604> SETUPAPI.dll!SetupDiGetClassDevsW
0x75f49bf7 <DEVENUM.DLL+0x9bf7> DEVENUM.DLL!DllUnregisterServer
0x75f47588 <DEVENUM.DLL+0x7588> DEVENUM.DLL!DllUnregisterServer
0x75f4769d <DEVENUM.DLL+0x769d> DEVENUM.DLL!DllUnregisterServer
0x75f4837d <DEVENUM.DLL+0x837d> DEVENUM.DLL!DllUnregisterServer
0x75f442c4 <DEVENUM.DLL+0x42c4> DEVENUM.DLL!?
0x75f48344 <DEVENUM.DLL+0x8344> DEVENUM.DLL!DllUnregisterServer
0x75f46e0e <DEVENUM.DLL+0x6e0e> DEVENUM.DLL!DllUnregisterServer
0x00401099 <test.exe+0x1099> test.exe!main
test.cpp:34

...

Error #4: UNINITIALIZED READ: reading 0x00185d82-0x00185d84 2 byte(s)
@0:00:04.067 in thread 5720
0x10038293 <drmemorylib.dll+0x38293> drmemorylib.dll!replace_wcslen
drmemory\replace.c:323
0x7792cfc7 <SETUPAPI.dll+0xcfc7> SETUPAPI.dll!SetupDiEnumDeviceInterfaces
0x7792d19c <SETUPAPI.dll+0xd19c> SETUPAPI.dll!SetupDiEnumDeviceInterfaces
0x7792d481 <SETUPAPI.dll+0xd481> SETUPAPI.dll!SetupDiEnumDeviceInterfaces
0x7792b604 <SETUPAPI.dll+0xb604> SETUPAPI.dll!SetupDiGetClassDevsW
<same stack as Error #2 below>

Looks like some NtUser syscall doesn't initialize some of its OUT fields?

Original issue: http://code.google.com/p/drmemory/issues/detail?id=503

@derekbruening
Contributor Author

From [email protected] on July 21, 2011 03:31:54

On Win7 the stack looks slightly different:
[with symbols]
Error #10: UNINITIALIZED READ: reading 0x0060b4fc-0x0060b4fe 2 byte(s)
@0:00:22.071 in thread 1464
0x75b525db <DEVOBJ.dll+0x25db> DEVOBJ.dll!DevObjGetClassDevs
0x761ca499 <SETUPAPI.dll+0xa499> SETUPAPI.dll!SetupDiGetClassDevsExW
0x761cb096 <SETUPAPI.dll+0xb096> SETUPAPI.dll!SetupDiGetClassDevsW
0x72f9a7dd <DEVENUM.DLL+0xa7dd> DEVENUM.DLL!CEnumInterfaceClass::GetDevicePath
0x72f9831f <DEVENUM.DLL+0x831f> DEVENUM.DLL!CCreateSwEnum::CreateOnePnpMoniker
0x72f98452 <DEVENUM.DLL+0x8452> DEVENUM.DLL!CCreateSwEnum::CreatePnpMonikers
0x72f992e4 <DEVENUM.DLL+0x92e4> DEVENUM.DLL!CCreateSwEnum::CreateClassEnumerator
0x72f94a2b <DEVENUM.DLL+0x4a2b> DEVENUM.DLL!CClassManagerBase::CreateClassEnumerator
0x72f992ab <DEVENUM.DLL+0x92ab> DEVENUM.DLL!CCreateSwEnum::CreateClassEnumerator
0x72f97a31 <DEVENUM.DLL+0x7a31> DEVENUM.DLL!CCreateSwEnum::CreateClassEnumerator
0x00401099 <test.exe+0x1099> test.exe!main
test.cpp:34

[w/o symbols]
Error #10: UNINITIALIZED READ: reading 0x005f8af4-0x005f8af6 2 byte(s)
@0:00:10.031 in thread 1692
0x75b525db <DEVOBJ.dll+0x25db> DEVOBJ.dll!DevObjGetClassDevs
0x761ca499 <SETUPAPI.dll+0xa499> SETUPAPI.dll!SetupDiGetClassDevsExW
0x761cb096 <SETUPAPI.dll+0xb096> SETUPAPI.dll!SetupDiGetClassDevsW
0x72f9a7dd <DEVENUM.DLL+0xa7dd> DEVENUM.DLL!DllRegisterServer
0x72f9831f <DEVENUM.DLL+0x831f> DEVENUM.DLL!DllRegisterServer
0x72f98452 <DEVENUM.DLL+0x8452> DEVENUM.DLL!DllRegisterServer
0x72f992e4 <DEVENUM.DLL+0x92e4> DEVENUM.DLL!DllRegisterServer
0x72f94a2b <DEVENUM.DLL+0x4a2b> DEVENUM.DLL!?
0x72f992ab <DEVENUM.DLL+0x92ab> DEVENUM.DLL!DllRegisterServer
0x72f97a31 <DEVENUM.DLL+0x7a31> DEVENUM.DLL!DllRegisterServer
0x00401099 <test.exe+0x1099> test.exe!main
test.cpp:34

@derekbruening
Contributor Author

From [email protected] on July 21, 2011 09:52:49

you mention NtUser syscalls -- which ones do you see that you suspect? maybe you can investigate this one further.

Owner: [email protected]

@derekbruening
Contributor Author

From [email protected] on July 21, 2011 12:02:46

I'll take it

Owner: [email protected]

@derekbruening
Contributor Author

From [email protected] on July 21, 2011 14:03:57

what I see on win7 looks like issue #486:

uninit arg value. it's argnum=3 == TokenInformationLength
arg 0 = 0x26c
arg 1 = 0x1
arg 2 = 0x8a1068
arg 3 = 0x24
arg 4 = 0x18ec0c
Error #3: UNINITIALIZED READ: reading 0x0018ebcc-0x0018ebd0 4 byte(s) within 0x0018ebcc-0x0018ebd0
@0:00:05.709 in thread 3120
system call NtQueryInformationToken
0x75bbd019 <SETUPAPI.dll+0xd019> SETUPAPI.dll!pSetupRestoreThreadPrivileges

0:000> dds @@(mc->esp)
0018ebbc 7593ba52 KERNELBASE!GetTokenInformation+0x1a
0018ebc0 0000026c
0018ebc4 00000001
0018ebc8 004f1068
0018ebcc 00000024
0018ebd0 0018ec0c
0018ebd4 0018ec30
0018ebd8 75bbd019 setupapi!pSetupRestoreThreadPrivileges+0xc8
0018ebdc 0000026c
0018ebe0 00000001
0018ebe4 004f1068
0018ebe8 00000024
0018ebec 0018ec0c

setupapi!pSetupRestoreThreadPrivileges+0x9b:
75bbcff4 e800c7ffff call setupapi!SpUtilsMalloc (75bb96f9)
75bbcff9 8bd8 mov ebx,eax
75bbcffb 895dd8 mov [ebp-0x28],ebx
75bbcffe 85db test ebx,ebx
75bbd000 0f8454840400 je setupapi!pSetupRestoreThreadPrivileges+0xa9 (75c0545a)
75bbd006 6a00 push 0x0
75bbd008 ffd7 call edi
75bbd00a 8d45dc lea eax,[ebp-0x24]
75bbd00d 50 push eax
75bbd00e ff75d4 push dword ptr [ebp-0x2c]
75bbd011 53 push ebx
75bbd012 6a01 push 0x1
75bbd014 ff7508 push dword ptr [ebp+0x8]
75bbd017 ffd6 call esi

preceded by:
Error #2: UNINITIALIZED READ: reading 0x0018ebdc-0x0018ebe0 4 byte(s)
@0:00:10.104 in thread 6264
0x776ee07a <ntdll.dll+0x2e07a> ntdll.dll!RtlAllocateHeap
0x75bb970f <SETUPAPI.dll+0x970f> SETUPAPI.dll!SpUtilsMalloc
0x75bbcff9 <SETUPAPI.dll+0xcff9> SETUPAPI.dll!pSetupRestoreThreadPrivileges
0x776ee07a f7 45 0c 61 0f 81 7d test 0x0c(%ebp) $0x7d810f61
so that's flags arg

and size arg (probably same 0x24)
Error #1: UNINITIALIZED READ: reading 0x0018ebe0-0x0018ebe4 4 byte(s)
@0:00:05.316 in thread 6264
0x776ee052 <ntdll.dll+0x2e052> ntdll.dll!RtlAllocateHeap
0x75bb970f <SETUPAPI.dll+0x970f> SETUPAPI.dll!SpUtilsMalloc
0x75bbcff9 <SETUPAPI.dll+0xcff9> SETUPAPI.dll!pSetupRestoreThreadPrivileges
0x776ee052 81 7d 10 ff ff ff 7f cmp 0x10(%ebp) $0x7fffffff

setupapi!pSetupRestoreThreadPrivileges+0x5e:
75bbcfb9 8d45dc lea eax,[ebp-0x24]
75bbcfbc 50 push eax
75bbcfbd 53 push ebx
75bbcfbe 53 push ebx
75bbcfbf 6a01 push 0x1
75bbcfc1 ff7508 push dword ptr [ebp+0x8]
75bbcfc4 8b35ac14bb75 mov esi,[setupapi!_imp__GetTokenInformation (75bb14ac)]
75bbcfca ffd6 call esi
75bbcfcc 85c0 test eax,eax
75bbcfce 0f8574840400 jne setupapi!pSetupRestoreThreadPrivileges+0x75 (75c05448)
75bbcfd4 e837f4ffff call setupapi!pSetupGetLastError (75bbc410)
75bbcfd9 8945e4 mov [ebp-0x1c],eax
75bbcfdc 85c0 test eax,eax
75bbcfde 0f846b840400 je setupapi!pSetupRestoreThreadPrivileges+0x85 (75c0544f)
75bbcfe4 83f87a cmp eax,0x7a
75bbcfe7 0f8592000000 jne setupapi!pSetupRestoreThreadPrivileges+0x137 (75bbd07f)
75bbcfed 8b45dc mov eax,[ebp-0x24]
75bbcff0 8945d4 mov [ebp-0x2c],eax
75bbcff3 50 push eax
75bbcff4 e800c7ffff call setupapi!SpUtilsMalloc (75bb96f9)

system call 30 NtQueryInformationToken failed with 0xc0000023
== STATUS_BUFFER_TOO_SMALL

/* FIXME issue #486: syscalls that return the capacity needed in an OUT param
 * will still write to it when returning STATUS_BUFFER_TOO_SMALL
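Added example (mine, not Dr. Memory's code and not from this thread): a toy byte-granularity shadow model that replays the two-call GetTokenInformation pattern above, to show why marking OUT parameters written only on success flags TokenInformationLength (arg 3) on the second call. The mock syscall, the shadow map and the frame offset standing in for [ebp-0x24] are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define STATUS_SUCCESS          0x00000000u
#define STATUS_BUFFER_TOO_SMALL 0xc0000023u   /* value from the log above */

/* Constructed "stack frame" with one shadow flag per byte: true = defined. */
#define FRAME_BYTES 64
static uint8_t frame[FRAME_BYTES];
static bool    shadow[FRAME_BYTES];

static void mark_defined(size_t off, size_t len) {
    memset(&shadow[off], 1, len);
}

static bool is_defined(size_t off, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (!shadow[off + i]) return false;
    return true;
}

/* Mock of the NtQueryInformationToken contract: the kernel stores the size it
 * needs (0x24, as in the dump) into *ReturnLength even when it fails. */
static uint32_t mock_query_token(uint32_t info_len, size_t ret_len_off) {
    const uint32_t needed = 0x24;
    memcpy(&frame[ret_len_off], &needed, sizeof needed);  /* kernel write */
    return info_len >= needed ? STATUS_SUCCESS : STATUS_BUFFER_TOO_SMALL;
}

/* Two policies for the post-syscall handler's treatment of OUT params. */
typedef enum { MARK_ON_SUCCESS_ONLY, MARK_ON_TOO_SMALL_TOO } policy_t;

static void post_syscall(policy_t p, uint32_t status, size_t ret_len_off) {
    if (status == STATUS_SUCCESS ||
        (p == MARK_ON_TOO_SMALL_TOO && status == STATUS_BUFFER_TOO_SMALL))
        mark_defined(ret_len_off, sizeof(uint32_t));  /* OUT param written */
}

/* Replays pSetupRestoreThreadPrivileges: query with length 0 to learn the
 * size, then pass the returned size as TokenInformationLength.  Returns true
 * if the checker would report the second call's length argument as uninit. */
bool second_call_flagged(policy_t p) {
    const size_t ret_len_off = 0x10;   /* stands in for [ebp-0x24] */
    memset(shadow, 0, sizeof shadow);  /* fresh frame: nothing defined yet */

    uint32_t st = mock_query_token(0, ret_len_off);      /* first call */
    post_syscall(p, st, ret_len_off);

    uint32_t len;
    memcpy(&len, &frame[ret_len_off], sizeof len);       /* mov eax,[ebp-0x24] */
    bool flagged = !is_defined(ret_len_off, sizeof len); /* arg 3 shadow check */
    st = mock_query_token(len, ret_len_off);             /* second call */
    post_syscall(p, st, ret_len_off);
    return flagged;
}

int main(void) {
    printf("mark on success only : %s\n",
           second_call_flagged(MARK_ON_SUCCESS_ONLY) ? "false positive on arg 3" : "clean");
    printf("mark on TOO_SMALL too: %s\n",
           second_call_flagged(MARK_ON_TOO_SMALL_TOO) ? "false positive on arg 3" : "clean");
    return 0;
}
```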

@derekbruening
Contributor Author

From [email protected] on July 21, 2011 19:20:07

this one looks like a real bug since the UNICODE_STRING Buffer should
include the NULL, though since no write of NULL earlier maybe it is relying
on nobody reading past MaximumLength:
arg 0 = 0x18fb20
arg 1 = 0x20019
arg 2 = 0x18fafc
pre considering arg 0 4 2
pre considering arg 2 24 5
UNICODE_STRING Buffer=0x0062395c Length=248 MaximumLength=248
Error #1: UNADDRESSABLE ACCESS: reading 0x00623a54-0x00623a56 2 byte(s) within 0x0062395c-0x00623a56
Note: next higher malloc: 0x00623a70-0x00623a94
Note: prev lower malloc: 0x00623958-0x00623a54
system call NtOpenKey UNICODE_STRING content
0x75e37be5 <ole32.dll+0xa7be5> ole32.dll!CComClassInfo::RefreshNeeded
0x75de580c <ole32.dll+0x5580c> ole32.dll!CComCatalog::CheckForRefresh

0:000> dt us
Local var @ 0x178d9c54 Type UNICODE_STRING
"\REGISTRY\USER\S-1-5-21-39260824-743453154-142223018-400740_CLASSES\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}"
+0x000 Length : 0xf8
+0x002 MaximumLength : 0xf8
+0x004 Buffer : 0x0062395c "\REGISTRY\USER\S-1-5-21-39260824-743453154-142223018-400740_CLASSES\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}"
0:000> dc @@(us.Buffer) L50
0062395c 0052005c 00470045 00530049 00520054 \.R.E.G.I.S.T.R.
0062396c 005c0059 00530055 00520045 0053005c Y.\.U.S.E.R.\.S.
0062397c 0031002d 0035002d 0032002d 002d0031 -.1.-.5.-.2.1.-.
0062398c 00390033 00360032 00380030 00340032 3.9.2.6.0.8.2.4.
0062399c 0037002d 00330034 00350034 00310033 -.7.4.3.4.5.3.1.
006239ac 00340035 0031002d 00320034 00320032 5.4.-.1.4.2.2.2.
006239bc 00300033 00380031 0034002d 00300030 3.0.1.8.-.4.0.0.
006239cc 00340037 005f0030 004c0043 00530041 7.4.0._.C.L.A.S.
006239dc 00450053 005c0053 006f0057 00360077 S.E.S.\.W.o.w.6.
006239ec 00330034 004e0032 0064006f 005c0065 4.3.2.N.o.d.e.\.
006239fc 004c0043 00490053 005c0044 0038007b C.L.S.I.D.\.{.8.
00623a0c 00300036 00420042 00310033 002d0030 6.0.B.B.3.1.0.-.
00623a1c 00440035 00310030 0031002d 00440031 5.D.0.1.-.1.1.D.
00623a2c 002d0030 00440042 00420033 0030002d 0.-.B.D.3.B.-.0.
00623a3c 00410030 00430030 00310039 00430031 0.A.0.C.9.1.1.C.
00623a4c 00380045 007d0036 00000000 00000000 E.8.6.}.........

ole32!CheckRefresh+0x5f:
75e75c8d 8b4510 mov eax,[ebp+0x10]
75e75c90 8d4804 lea ecx,[eax+0x4]
75e75c93 0fb700 movzx eax,word ptr [eax] <== size of Buffer
75e75c96 668945e0 mov [ebp-0x20],ax
75e75c9a 668945e2 mov [ebp-0x1e],ax
75e75c9e 8d45e0 lea eax,[ebp-0x20]
75e75ca1 8945d0 mov [ebp-0x30],eax <== UNICODE_STRING*
75e75ca4 8d45c8 lea eax,[ebp-0x38]
75e75ca7 50 push eax
75e75ca8 6819000200 push 0x20019
75e75cad 8d45ec lea eax,[ebp-0x14]
75e75cb0 50 push eax
75e75cb1 894de4 mov [ebp-0x1c],ecx <== Buffer
75e75cb4 c745c818000000 mov dword ptr [ebp-0x38],0x18
75e75cbb 895dcc mov [ebp-0x34],ebx
75e75cbe c745d440000000 mov dword ptr [ebp-0x2c],0x40
75e75cc5 895dd8 mov [ebp-0x28],ebx
75e75cc8 895ddc mov [ebp-0x24],ebx
75e75ccb ff15f011d975 call dword ptr [ole32!_imp__NtOpenKey (75d911f0)]
75e75cd1 3bc3 cmp eax,ebx
75e75cd3 7d34 jge ole32!CheckRefresh+0xdb (75e75d09)

ebp-0x1c == Buffer

ebp+0x10 == 3rd param to CheckRefresh

it's 00623958
which is a size followed by wchar_t array:
0:000> dd 00623958
00623958 000000f8 0052005c 00470045 00530049

00623958 is the start of the malloc

the question is, is this a bug, or should my UNICODE_STRING handler just
stop at MaximumLength even if equal to Length and/or haven't hit NULL yet?

**** UNINITs from NtAlpcSendWaitReceivePort?

the other uninits may be from NtAlpcSendWaitReceivePort which is part of issue #98

% grep -E '^Error|NtAlpc' `ls -1td logs/D*|head -1`/g*
Error #1: UNADDRESSABLE ACCESS: reading 0x00563a54-0x00563a56 2 byte(s) within 0x0056395c-0x00563a56
system call #0x71 NtAlpcConnectPort
processing post system call #0x71 NtAlpcConnectPort res=0x0
system call #0x82 NtAlpcSendWaitReceivePort
processing post system call #0x82 NtAlpcSendWaitReceivePort res=0x0
system call #0x82 NtAlpcSendWaitReceivePort
processing post system call #0x82 NtAlpcSendWaitReceivePort res=0x0
Error #2: UNINITIALIZED READ: reading 0x0018f5cc-0x0018f5d0 4 byte(s)
Error #3: UNINITIALIZED READ: reading register edi
system call #0x82 NtAlpcSendWaitReceivePort
processing post system call #0x82 NtAlpcSendWaitReceivePort res=0x0
Error #4: UNINITIALIZED READ: reading 0x0018f484-0x0018f488 4 byte(s)
Error #5: UNINITIALIZED READ: reading 0x0018f4c4-0x0018f4c8 4 byte(s)
...

on XP that syscall doesn't exist, but it looks like it's doing something
equivalent:
% grep -E 'NtDeviceIo|ioctl|^Error' `ls -1td logs/D*|head -1`/g*
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
Error #1: UNINITIALIZED READ: reading 0x004b2197-0x004b21a7 16 byte(s) within 0x004b2190-0x004b2290
system call NtDeviceIoControlFile InputBuffer
processing post system call #0x4 NtDeviceIoControlFile res=0x0
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
processing post system call #0x4 NtDeviceIoControlFile res=0x0
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
processing post system call #0x4 NtDeviceIoControlFile res=0x0
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
processing post system call #0x4 NtDeviceIoControlFile res=0x0
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
processing post system call #0x4 NtDeviceIoControlFile res=0x0
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
processing post system call #0x4 NtDeviceIoControlFile res=0x0
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
processing post system call #0x4 NtDeviceIoControlFile res=0x0
Error #2: UNINITIALIZED READ: reading register ebx
Error #3: UNINITIALIZED READ: reading register ebx
...
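Added example (mine, not Dr. Memory's UNICODE_STRING handler and not from this thread): the two ways the handler could compute the bytes it requires to be readable, run on the NtOpenKey values from the comment above. Only the numbers come from the report; the struct mirror, the range helpers and the policy names are constructed here, and no memory is actually dereferenced.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <inttypes.h>

enum { WCHAR_BYTES = 2 };

/* Mirror of the 32-bit UNICODE_STRING layout; Length/MaximumLength are bytes. */
typedef struct {
    uint16_t Length;          /* bytes in use, terminator not included */
    uint16_t MaximumLength;   /* bytes allocated for Buffer */
    uint32_t Buffer;          /* 32-bit address, as in the XP/Win7 dumps */
} unicode_string32_t;

typedef struct { uint32_t start, end; } range_t;   /* half-open [start, end) */

/* Values from the Win7 report: Length = MaximumLength = 0xf8, Buffer at
 * 0x0062395c inside the malloc 0x00623958-0x00623a54 (4-byte size prefix). */
static const unicode_string32_t kReportUs    = { 0xf8, 0xf8, 0x0062395c };
static const range_t            kReportAlloc = { 0x00623958, 0x00623a54 };

/* Policy A, what the report above amounts to: expect a NUL terminator, i.e.
 * require Buffer[Length] to be readable.  With Length == MaximumLength there
 * is no room for it, so the check itself reads one WCHAR past the allocation. */
range_t range_expecting_terminator(const unicode_string32_t *us) {
    range_t r = { us->Buffer, us->Buffer + us->Length + WCHAR_BYTES };
    return r;
}

/* Policy B, the alternative raised at the end of the comment: never look past
 * MaximumLength; include the terminator only when MaximumLength has room. */
range_t range_bounded(const unicode_string32_t *us) {
    uint32_t bytes = us->Length;
    if (us->MaximumLength >= (uint32_t)us->Length + WCHAR_BYTES)
        bytes = us->Length + WCHAR_BYTES;      /* room for the NUL: check it */
    if (bytes > us->MaximumLength)
        bytes = us->MaximumLength;             /* malformed Length > Max */
    range_t r = { us->Buffer, us->Buffer + bytes };
    return r;
}

/* Does the range the checker will touch stay inside the heap allocation? */
bool within_alloc(range_t r, range_t alloc) {
    return r.start >= alloc.start && r.end <= alloc.end;
}

static void show(const char *name, range_t r) {
    printf("%-18s 0x%08" PRIx32 "-0x%08" PRIx32 " %s\n", name, r.start, r.end,
           within_alloc(r, kReportAlloc) ? "inside malloc" : "READS PAST MALLOC");
}

int main(void) {
    show("terminator policy:", range_expecting_terminator(&kReportUs));
    show("bounded policy:", range_bounded(&kReportUs));
    return 0;
}
```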

@derekbruening
Contributor Author

From [email protected] on July 22, 2011 08:21:29

Re: NtQueryInformationToken
see issue #380

@derekbruening
Contributor Author

From [email protected] on August 02, 2011 11:51:07

I put in some fixes for issue #92, issue #529, and issue #486 that
removed most of the uninits on win7.

on win7 the only uninit I still see is split as issue #535. on xp64 I still see these on the issue #499 test app:

Error #1: UNINITIALIZED READ: reading register ebx
0x7da50098 <RPCRT4.dll+0x30098> RPCRT4.dll!rc4_key
0x7da4ffee <RPCRT4.dll+0x2ffee> RPCRT4.dll!GenerateRandomNumber
0x7da35505 <RPCRT4.dll+0x15505> RPCRT4.dll!UuidCreate
0x776aeab0 <ole32.dll+0x3eab0> ole32.dll!wCoCreateGuid
0x776aed41 <ole32.dll+0x3ed41> ole32.dll!CObjectContext::CreateObjectContext
0x776aea27 <ole32.dll+0x3ea27> ole32.dll!InitThreadCtx
0x776ae991 <ole32.dll+0x3e991> ole32.dll!wCoInitializeEx
0x776ae918 <ole32.dll+0x3e918> ole32.dll!CoInitializeEx
0x776a47ec <ole32.dll+0x347ec> ole32.dll!CoInitialize
0x0040119f <issue499.exe+0x119f> issue499.exe!?
0x0040105d <issue499.exe+0x105d> issue499.exe!?
0x00401955 <issue499.exe+0x1955> issue499.exe!?
0x7da50098 8a 04 33 mov (%ebx,%esi,1) -> %al
0x7da500ac 8a 04 33 mov (%ebx,%esi,1) -> %al
0x7da500c1 8a 04 33 mov (%ebx,%esi,1) -> %al
0x7da500d6 8a 04 33 mov (%ebx,%esi,1) -> %al

I thought the data might come from here:

WARNING: unknown ioctl 0x390008 => op 2
arg 0 = 0x3b4
arg 1 = 0x0
arg 2 = 0x0
arg 3 = 0x0
arg 4 = 0x12fb14
arg 5 = 0x390008
arg 6 = 0x4b2190
arg 7 = 0x100
arg 8 = 0x12fbd0
arg 9 = 0x100
pre considering arg 4 8 2
pre considering arg 8 -9 2
pre considering arg 0 0 0
WARNING: unknown ioctl 0x390008 => op 2
unknown system call #0x4
pre-unknown-syscall #0x4: param 4 == 0x0012fb14 1260 bytes
pre-unknown-syscall #0x4: param 5 == 0x00390008 2048 bytes
pre-unknown-syscall #0x4: param 6 == 0x004b2190 2048 bytes
pre-unknown-syscall #0x4: param 17 == 0x0012fb08 13 bytes
pre-unknown-syscall #0x4: param 20 == 0x7d4d89b4 2048 bytes
processing post system call #0x4 NtDeviceIoControlFile res=0x0
post considering arg 4 8 2 0x0012fb14
start 0x0012fb14, size 0x8
marking 0x12fb14-0x12fb1c written parameter #4
post considering arg 8 -9 2 0x0012fbd0
start 0x0012fbd0, size 0x100
marking 0x12fbd0-0x12fcd0 written parameter #8
post considering arg 0 0 0 0x000003b4
system call #0x4 NtDeviceIoControlFile
0x7d4d07fa <KERNEL32.dll+0x107fa> KERNEL32.dll!DeviceIoControl
fp=0x0012fb3c parent=0x0012fb98 0x0044e3fd <ADVAPI32.dll+0xe3fd> ADVAPI32.dll!GatherRandomKeyFastUserMode
fp=0x0012fb98 parent=0x0012fcd4 0x0044e482 <ADVAPI32.dll+0xe482> ADVAPI32.dll!RandomFillBuffer
fp=0x0012fcd4 parent=0x0012fcec 0x0044f119 <ADVAPI32.dll+0xf119> ADVAPI32.dll!GenRandom
fp=0x0012fcec parent=0x0012fd0c 0x0044f0dc <ADVAPI32.dll+0xf0dc> ADVAPI32.dll!NewGenRandomEx
fp=0x0012fd0c parent=0x0012fd38 0x0044f084 <ADVAPI32.dll+0xf084> ADVAPI32.dll!NewGenRandom
fp=0x0012fd38 parent=0x0012fd50 0x0044f047 <ADVAPI32.dll+0xf047> ADVAPI32.dll!SystemFunction036
fp=0x0012fd50 parent=0x0012fe74 0x7da4ffcd <RPCRT4.dll+0x2ffcd> RPCRT4.dll!GenerateRandomNumber
fp=0x0012fe74 parent=0x0012fe88 0x7da35505 <RPCRT4.dll+0x15505> RPCRT4.dll!UuidCreate

#define FILE_DEVICE_KSEC 0x00000039

kernel driver confirms that we're not missing any kernel write
here (i.e., there's nothing OUT in the IN buffer):
arg 0 = 0x7cc
arg 1 = 0x0
arg 2 = 0x0
arg 3 = 0x0
arg 4 = 0x12fb14
arg 5 = 0x390008
arg 6 = 0x77e46318
arg 7 = 0x100
arg 8 = 0x12fbd0
arg 9 = 0x100
driver info: syscall #0x42 write 0: 0x0012fbd0-0x0012fcd0
set range 0x0012fbd0-0x0012fcd0 => 0x0
processing post system call #0x42 NtDeviceIoControlFile res=0x0
post considering arg 4 8 1
start 0x0012fb14, size 0x8
marking 0x12fb14-0x12fb1c written
post considering arg 8 -9 1
start 0x0012fbd0, size 0x100
marking 0x12fbd0-0x12fcd0 written
post considering arg 0 0 0

manual inspection also shows random bytes written up to exactly 0x100

RPCRT4!rc4_key:
7da50035 53 push ebx
7da50036 b800010203 mov eax,0x3020100
7da5003b b910000000 mov ecx,0x10
7da50040 56 push esi
7da50041 8b74240c mov esi,[esp+0xc]
7da50045 57 push edi
7da50046 bf08080808 mov edi,0x8080808
7da5004b 8bd6 mov edx,esi
7da5004d 55 push ebp
7da5004e bd04050607 mov ebp,0x7060504
7da50053 8902 mov [edx],eax
7da50055 83c208 add edx,0x8
7da50058 03c7 add eax,edi
7da5005a 896afc mov [edx-0x4],ebp
7da5005d 03ef add ebp,edi
7da5005f 8902 mov [edx],eax
7da50061 83c208 add edx,0x8
7da50064 03c7 add eax,edi
7da50066 896afc mov [edx-0x4],ebp
7da50069 03ef add ebp,edi
7da5006b 49 dec ecx
7da5006c 75e5 jnz RPCRT4!rc4_key+0x1e (7da50053)
7da5006e 8b6c241c mov ebp,[esp+0x1c]
7da50072 33c0 xor eax,eax
7da50074 880a mov [edx],cl
7da50076 8a442418 mov al,[esp+0x18]
7da5007a 8d3c28 lea edi,[eax+ebp]
7da5007d 884a01 mov [edx+0x1],cl
7da50080 33db xor ebx,ebx <== zeroed here. this was prior bb.
7da50082 33d2 xor edx,edx
7da50084 33c9 xor ecx,ecx
7da50086 2403 and al,0x3
7da50088 0f85a2520000 jne RPCRT4!rc4_key+0xc3 (7da55330)
7da5008e 8a1431 mov dl,[ecx+esi]
7da50091 8a4500 mov al,[ebp]
7da50094 02d8 add bl,al
7da50096 02da add bl,dl
7da50098 8a0433 mov al,[ebx+esi]

+0x014 xbx : 0x76
+0x008 xsi : 0x2234fc
+0x00c ebp : 0x12fd70

0:000> dd @@(mc->ebp)
0012fd70 9133ae76 06eb62b6 371752dc f4a5c3da

native:
0012f63c 00000054
0012f640 00000000
0012f644 00000000
0012f648 00000000
0012f64c 0012f670
0012f650 00390008
0012f654 004b2190 ADVAPI32!ErrorSessionKey+0x30
0012f658 00000100
0012f65c 0012f72c
0012f660 00000100

0044f2fd 8b44241c mov eax,[esp+0x1c]
0044f301 2bc3 sub eax,ebx
0044f303 8938 mov [eax],edi <== written here
0:000> dd 0x12fd70-0x12fbd0 + 0012f72c
0012f8cc af7b0371 01c00608 7d68589c 01c00000

edi came from:
ADVAPI32!rc4+0x50:
0044f25a 8b7804 mov edi,[eax+0x4]
...
0044f280 33f8 xor edi,eax
...
0044f2fb 33f8 xor edi,eax

full:
ADVAPI32!rc4+0x50:
0044f25a 8b7804 mov edi,[eax+0x4]
0044f25d 41 inc ecx
0044f25e 33c0 xor eax,eax
0044f260 81e1ff000000 and ecx,0xff
0044f266 8a040e mov al,[esi+ecx]
0044f269 03d0 add edx,eax
0044f26b 81e2ff000000 and edx,0xff
0044f271 8a1c16 mov bl,[esi+edx]
0044f274 881c0e mov [esi+ecx],bl
0044f277 41 inc ecx
0044f278 880416 mov [esi+edx],al
0044f27b 02c3 add al,bl
0044f27d 8a0406 mov al,[esi+eax]
0044f280 33f8 xor edi,eax
0044f282 81e1ff000000 and ecx,0xff
0044f288 33c0 xor eax,eax
0044f28a 8a040e mov al,[esi+ecx]
0044f28d 03d0 add edx,eax
0044f28f 81e2ff000000 and edx,0xff
0044f295 8a1c16 mov bl,[esi+edx]
0044f298 881c0e mov [esi+ecx],bl
0044f29b 41 inc ecx
0044f29c 880416 mov [esi+edx],al
0044f29f 02c3 add al,bl
0044f2a1 8a0406 mov al,[esi+eax]
0044f2a4 c1e008 shl eax,0x8
0044f2a7 33f8 xor edi,eax
0044f2a9 81e1ff000000 and ecx,0xff
0044f2af 33c0 xor eax,eax
0044f2b1 8a040e mov al,[esi+ecx]
0044f2b4 03d0 add edx,eax
0044f2b6 81e2ff000000 and edx,0xff
0044f2bc 8a1c16 mov bl,[esi+edx]
0044f2bf 881c0e mov [esi+ecx],bl
0044f2c2 41 inc ecx
0044f2c3 880416 mov [esi+edx],al
0044f2c6 02c3 add al,bl
0044f2c8 8a0406 mov al,[esi+eax]
0044f2cb c1e010 shl eax,0x10
0044f2ce 33f8 xor edi,eax
0044f2d0 81e1ff000000 and ecx,0xff
0044f2d6 33c0 xor eax,eax
0044f2d8 8a040e mov al,[esi+ecx]
0044f2db 03d0 add edx,eax
0044f2dd 81e2ff000000 and edx,0xff
0044f2e3 8a1c16 mov bl,[esi+edx]
0044f2e6 881c0e mov [esi+ecx],bl
0044f2e9 880416 mov [esi+edx],al
0044f2ec 02c3 add al,bl
0044f2ee 8a0406 mov al,[esi+eax]
0044f2f1 c1e018 shl eax,0x18
0044f2f4 8d1cad00000000 lea ebx,[00000000+ebp*4]
0044f2fb 33f8 xor edi,eax
0044f2fd 8b44241c mov eax,[esp+0x1c]
0044f301 2bc3 sub eax,ebx
0044f303 8938 mov [eax],edi
0044f305 4d dec ebp
0044f306 0f854effffff jne ADVAPI32!rc4+0x50 (0044f25a)

looking more and more like bit manip: not clear yet whether would be fixed
by bit granularity or is more complex like issue #489 or issue #529

@derekbruening
Contributor Author

From [email protected] on August 02, 2011 11:55:31

Error #1: UNINITIALIZED READ: reading register ebx
0x7da50098 <RPCRT4.dll+0x30098> RPCRT4.dll!rc4_key
0x7da4ffee <RPCRT4.dll+0x2ffee> RPCRT4.dll!GenerateRandomNumber
xref issue #18, issue #511

@derekbruening
Contributor Author

From [email protected] on August 02, 2011 12:50:15

rc4_key is issue #511. left here on xp64 are:

Error #1: UNINITIALIZED READ: reading 0x0022fe2c-0x0022fe2d 1 byte(s)
0x777b73b5 <CLBCatQ.DLL+0x73b5> CLBCatQ.DLL!GetCatalogObject2
0x777bafc8 <CLBCatQ.DLL+0xafc8> CLBCatQ.DLL!GetStgDatabase
0x777ba687 <CLBCatQ.DLL+0xa687> CLBCatQ.DLL!OpenComponentLibrarySharedEx
0x777ba604 <CLBCatQ.DLL+0xa604> CLBCatQ.DLL!OpenComponentLibrarySharedTS
0x777b868d <CLBCatQ.DLL+0x868d> CLBCatQ.DLL!GetCatalogObject2
0x777b73b5 f6 83 4c 02 00 00 04 test 0x0000024c(%ebx) $0x04

Error #2: UNINITIALIZED READ: reading 0x01c130f0-0x01c130f4 4 byte(s)
0x73802ccc <msdmo.dll+0x2ccc> msdmo.dll!DMOEnum
0x73802d6d <msdmo.dll+0x2d6d> msdmo.dll!DMOEnum
0x76507a9e <DEVENUM.DLL+0x7a9e> DEVENUM.DLL!DllUnregisterServer
0x76507c1e <DEVENUM.DLL+0x7c1e> DEVENUM.DLL!DllUnregisterServer
0x765087c9 <DEVENUM.DLL+0x87c9> DEVENUM.DLL!DllUnregisterServer
0x73802ccc 3b 41 08 cmp %eax 0x08(%ecx)

Error #6: UNINITIALIZED READ: reading 0x0022f8e8-0x0022f8e9 1 byte(s)
0x777bc032 <CLBCatQ.DLL+0xc032> CLBCatQ.DLL!GetStgDatabase
0x777bc472 <CLBCatQ.DLL+0xc472> CLBCatQ.DLL!DestroyStgDatabase
0x777bc42c <CLBCatQ.DLL+0xc42c> CLBCatQ.DLL!DestroyStgDatabase
0x777bc40f <CLBCatQ.DLL+0xc40f> CLBCatQ.DLL!GetStgDatabase
0x777bcac1 <CLBCatQ.DLL+0xcac1> CLBCatQ.DLL!DestroyStgDatabase
0x777bc032 f6 46 24 01 test 0x24(%esi) $0x01

Error #7: UNINITIALIZED READ: reading 0x0022fa40-0x0022fa41 1 byte(s)
0x777bc032 <CLBCatQ.DLL+0xc032> CLBCatQ.DLL!GetStgDatabase
0x777bc42c <CLBCatQ.DLL+0xc42c> CLBCatQ.DLL!DestroyStgDatabase
0x777bc40f <CLBCatQ.DLL+0xc40f> CLBCatQ.DLL!GetStgDatabase
0x777bcac1 <CLBCatQ.DLL+0xcac1> CLBCatQ.DLL!DestroyStgDatabase
0x777bbc96 <CLBCatQ.DLL+0xbc96> CLBCatQ.DLL!GetStgDatabase
0x777bc032 f6 46 24 01 test 0x24(%esi) $0x01

have not looked at xp32
