Detect kernel information disclosure by Bochspwn-reloaded - GSoC 2020 - Final report

by khanhnt | August 31, 2020

After 3 months since the last blog, I found and pull the patches of 12 memory disclosure bugs:

Additionally, I did a small change to make bochspwn-reloaded able to detect unitialized memory use for the kernel. When reading a memory which is marked as uninitialized, it reports unitialized memory use. By using memory taint tracking of bochspwn-reloaded, I can figure out which memory is uninitialized so I only need to determine where that memory is being read. Usually, mov assembly family instruction is used to read and write memory. I added this code to know current executing instruction is mov then if it’s read operation, I consider it’s an uninitialized memory use. The folder windows-x86-uiu contains the code which is used to detect uninitialized memory in use. As a result I’ve found 1 bug:

While doing the fixes, the most hard part is tracking memory, finding where the original memory is allocated. I use rosautotest to trigger those bugs so I guess there are few bugs left which aren’t hit by the tests. Especially in uninitialized memory use, there were many reports reported by the tool but I don’t have enough time to investigate, maybe some of them are false positive. I’m going to spend time to investigate and fix those uninitialized memory after the GSoC.