Bitmap object Use-after-Free #2 The attached PoC triggers a blue screen due to a use after free vulnerability. The crashes are unreliable, however you can use Special Pool in order to get reliable crashes ( see below ). The crashes indicate that it is possible to write to arbitrary addresses. Crash without Special Pool: *** Fatal System Error: 0x0000000a (0x00000000,0x00000002,0x00000001,0x82AB566F) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows 7 7601 x86 compatible target at (Tue Mar 31 11:24:03.150 2015 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ............................................................... ................................................................ ......................... Loading User Symbols ............................................... Loading unloaded module list .... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck A, {0, 2, 1, 82ab566f} *** WARNING: Unable to verify checksum for a31.exe *** ERROR: Module load completed but symbols could not be loaded for a31.exe Probably caused by : win32k.sys ( win32k!W32PIDLOCK::vLockSingleThread+14 ) Followup: MachineOwner --------- Assertion: *** DPC watchdog timeout This is NOT a break in update time This is most likely a BUG in an ISR Perform a stack trace to find the culprit The period will be doubled on continuation Use gh to continue!! nt!KeAccumulateTicks+0x3c5: 82aba38c cd2c int 2Ch kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* IRQL_NOT_LESS_OR_EQUAL (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace. Arguments: Arg1: 00000000, memory referenced Arg2: 00000002, IRQL Arg3: 00000001, bitfield : bit 0 : value 0 = read operation, 1 = write operation bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status) Arg4: 82ab566f, address which referenced memory Debugging Details: ------------------ WRITE_ADDRESS: 00000000 CURRENT_IRQL: 1c FAULTING_IP: nt!KeWaitForSingleObject+373 82ab566f 8939 mov dword ptr [ecx],edi DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT BUGCHECK_STR: 0xA PROCESS_NAME: a31.exe TRAP_FRAME: 97433acc -- (.trap 0xffffffff97433acc) ErrCode = 00000002 eax=85247580 ebx=85247578 ecx=00000000 edx=00000000 esi=8531fd48 edi=8531fe08 eip=82ab566f esp=97433b40 ebp=97433ba0 iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 nt!KeWaitForSingleObject+0x373: 82ab566f 8939 mov dword ptr [ecx],edi ds:0023:00000000=???????? Resetting default scope LAST_CONTROL_TRANSFER: from 82ab9853 to 82aba38c STACK_TEXT: 97433568 82ab9853 0002625a 00000000 0000a600 nt!KeAccumulateTicks+0x3c5 974335a8 82ab9700 82a210a8 b44c75c4 00000000 nt!KeUpdateRunTime+0x145 97433600 82ab8f03 97433602 97433602 000000d1 nt!KeUpdateSystemTime+0x613 97433600 82a210a8 97433602 97433602 000000d1 nt!KeUpdateSystemTimeAssist+0x13 97433684 82a0fb8c 00001000 00000000 974336e4 hal!READ_PORT_USHORT+0x8 97433694 82a0fcf5 82b1df92 3235ebba 00000065 hal!HalpCheckPowerButton+0x2e 97433698 82b1df92 3235ebba 00000065 00000000 hal!HaliHaltSystem+0x7 974336e4 82b1ea39 00000003 00000000 82ab566f nt!KiBugCheckDebugBreak+0x73 97433aac 82a7fb4f 0000000a 00000000 00000002 nt!KeBugCheck2+0x68b 97433aac 82ab566f 0000000a 00000000 00000002 nt!KiTrap0E+0x1b3 97433ba0 9539a4c6 85247578 00000006 00000000 nt!KeWaitForSingleObject+0x373 97433bb8 95397337 fe9e3728 97433be8 95396115 win32k!W32PIDLOCK::vLockSingleThread+0x14 97433bc4 95396115 210109de 0026f74c 953fb057 win32k!DC::vSetRendering+0x53 97433bd8 953ead4d ffb84008 00000001 00000000 win32k!DEVLOCKOBJ::bLock+0x265 97433c20 82a7c896 210109de 00000003 00000010 win32k!GreSetICMMode+0x3d 97433c20 778e70f4 210109de 00000003 00000010 nt!KiSystemServicePostCall 0026f734 77341864 7734181e 210109de 00000003 ntdll!KiFastSystemCallRet 0026f738 7734181e 210109de 00000003 00000010 GDI32!NtGdiSetIcmMode+0xc 0026f750 773417cf 210109de 000e0740 00000000 GDI32!IcmSelectColorTransform+0x4a 0026f770 77341870 210109de 000e0740 00000000 GDI32!IcmDeleteLocalDC+0x21 0026f790 76075439 210109de 0026f808 000512ef GDI32!GdiReleaseDC+0x6b 0026f79c 000512ef 00000000 210109de 001f0334 USER32!ReleaseDC+0x18 WARNING: Stack unwind information not available. Following frames may be wrong. 0026f808 000516d8 00000001 00292d08 00292d48 a31+0x12ef 0026f850 75d5ee1c 7ffdf000 0026f89c 779037eb a31+0x16d8 0026f85c 779037eb 7ffdf000 77b85930 00000000 kernel32!BaseThreadInitThunk+0xe 0026f89c 779037be 00051755 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70 0026f8b4 00000000 00051755 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: kb FOLLOWUP_IP: win32k!W32PIDLOCK::vLockSingleThread+14 9539a4c6 c3 ret SYMBOL_STACK_INDEX: b SYMBOL_NAME: win32k!W32PIDLOCK::vLockSingleThread+14 FOLLOWUP_NAME: MachineOwner MODULE_NAME: win32k IMAGE_NAME: win32k.sys DEBUG_FLR_IMAGE_TIMESTAMP: 54ee8ecd FAILURE_BUCKET_ID: 0xA_win32k!W32PIDLOCK::vLockSingleThread+14 BUCKET_ID: 0xA_win32k!W32PIDLOCK::vLockSingleThread+14 Followup: MachineOwner --------- The issue reproduces reliably with Special Pool ( https://msdn.microsoft.com/en-us/library/windows/hardware/ff551832%28v=vs.85%29.aspx ) enabled for win32k.sys. The resulting crash output looks as follows: ******************************************************************************* * * This is the string you add to your checkin description * Driver Verifier: Enabled for win32k.sys on Build 7601 Swoke0cxHt9I3y4CfWvmAH * ******************************************************************************* nt!DbgLoadImageSymbols+0x47: 82a36578 cc int 3 kd> g *** Fatal System Error: 0x0000000a (0xBFBFBFE7,0x00000002,0x00000001,0x82A94579) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows 7 7601 x86 compatible target at (Tue Mar 31 11:55:25.308 2015 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ............................................................... ................................................................ ......................... Loading User Symbols ............................................... Loading unloaded module list .... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck A, {bfbfbfe7, 2, 1, 82a94579} *** WARNING: Unable to verify checksum for a31.exe *** ERROR: Module load completed but symbols could not be loaded for a31.exe Probably caused by : win32k.sys ( win32k!W32PIDLOCK::vLockSingleThread+14 ) Followup: MachineOwner --------- Assertion: *** DPC watchdog timeout This is NOT a break in update time This is most likely a BUG in an ISR Perform a stack trace to find the culprit The period will be doubled on continuation Use gh to continue!! nt!KeAccumulateTicks+0x3c5: 82a9938c cd2c int 2Ch kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* IRQL_NOT_LESS_OR_EQUAL (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace. Arguments: Arg1: bfbfbfe7, memory referenced Arg2: 00000002, IRQL Arg3: 00000001, bitfield : bit 0 : value 0 = read operation, 1 = write operation bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status) Arg4: 82a94579, address which referenced memory Debugging Details: ------------------ WRITE_ADDRESS: bfbfbfe7 CURRENT_IRQL: 1c FAULTING_IP: nt!KeWaitForSingleObject+27d 82a94579 f00fba2807 lock bts dword ptr [eax],7 DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT BUGCHECK_STR: 0xA PROCESS_NAME: a31.exe TRAP_FRAME: 930fca9c -- (.trap 0xffffffff930fca9c) ErrCode = 00000002 eax=bfbfbfe7 ebx=bfbfbfe7 ecx=8a4737c0 edx=00000000 esi=8a473760 edi=8a473820 eip=82a94579 esp=930fcb10 ebp=930fcb70 iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 nt!KeWaitForSingleObject+0x27d: 82a94579 f00fba2807 lock bts dword ptr [eax],7 ds:0023:bfbfbfe7=???????? Resetting default scope LAST_CONTROL_TRANSFER: from 82a98853 to 82a9938c STACK_TEXT: 930fc538 82a98853 0002625a 00000000 00007100 nt!KeAccumulateTicks+0x3c5 930fc578 82a98700 82e4b0a8 40799a77 00000000 nt!KeUpdateRunTime+0x145 930fc5d0 82a97f03 930fc502 930fc502 000000d1 nt!KeUpdateSystemTime+0x613 930fc5d0 82e4b0a8 930fc502 930fc502 000000d1 nt!KeUpdateSystemTimeAssist+0x13 930fc654 82e39b8c 00001000 00000000 930fc6b4 hal!READ_PORT_USHORT+0x8 930fc664 82e39cf5 82afcf92 26f0a881 00000065 hal!HalpCheckPowerButton+0x2e 930fc668 82afcf92 26f0a881 00000065 00000000 hal!HaliHaltSystem+0x7 930fc6b4 82afda39 00000003 bfbfbfe7 82a94579 nt!KiBugCheckDebugBreak+0x73 930fca7c 82a5eb4f 0000000a bfbfbfe7 00000002 nt!KeBugCheck2+0x68b 930fca7c 82a94579 0000000a bfbfbfe7 00000002 nt!KiTrap0E+0x1b3 930fcb70 82d5b9b3 bfbfbfe7 00000006 00000000 nt!KeWaitForSingleObject+0x27d 930fcba0 9366a4c6 bfbfbfe7 00000006 00000000 nt!VerifierKeWaitForSingleObject+0xfe 930fcbb8 93667337 fbf1e728 930fcbe8 93666115 win32k!W32PIDLOCK::vLockSingleThread+0x14 930fcbc4 93666115 0c01021a 0016fbf0 936cb057 win32k!DC::vSetRendering+0x53 930fcbd8 936bad4d fef78130 00000001 00000000 win32k!DEVLOCKOBJ::bLock+0x265 930fcc20 82a5b896 0c01021a 00000003 00000010 win32k!GreSetICMMode+0x3d 930fcc20 774770f4 0c01021a 00000003 00000010 nt!KiSystemServicePostCall 0016fbd8 76871864 7687181e 0c01021a 00000003 ntdll!KiFastSystemCallRet 0016fbdc 7687181e 0c01021a 00000003 00000010 GDI32!NtGdiSetIcmMode+0xc 0016fbf4 768717cf 0c01021a 00050740 00000000 GDI32!IcmSelectColorTransform+0x4a 0016fc14 76871870 0c01021a 00050740 00000000 GDI32!IcmDeleteLocalDC+0x21 0016fc34 759e5439 0c01021a 0016fcac 002c12ef GDI32!GdiReleaseDC+0x6b 0016fc40 002c12ef 00000000 0c01021a 0003017c USER32!ReleaseDC+0x18 WARNING: Stack unwind information not available. Following frames may be wrong. 0016fcac 002c16d8 00000001 00362a70 00362ab0 a31+0x12ef 0016fcf4 771bee1c 7ffdb000 0016fd40 774937eb a31+0x16d8 0016fd00 774937eb 7ffdb000 7740fde2 00000000 kernel32!BaseThreadInitThunk+0xe 0016fd40 774937be 002c1755 7ffdb000 00000000 ntdll!__RtlUserThreadStart+0x70 0016fd58 00000000 002c1755 7ffdb000 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: kb FOLLOWUP_IP: win32k!W32PIDLOCK::vLockSingleThread+14 9366a4c6 c3 ret SYMBOL_STACK_INDEX: c SYMBOL_NAME: win32k!W32PIDLOCK::vLockSingleThread+14 FOLLOWUP_NAME: MachineOwner MODULE_NAME: win32k IMAGE_NAME: win32k.sys DEBUG_FLR_IMAGE_TIMESTAMP: 54ee8ecd FAILURE_BUCKET_ID: 0xA_VRF_win32k!W32PIDLOCK::vLockSingleThread+14 BUCKET_ID: 0xA_VRF_win32k!W32PIDLOCK::vLockSingleThread+14 Followup: MachineOwner ---------