Detect kernel information disclosure by Bochspwn-reloaded - GSoC 2020 - Final report
by khanhnt | August 31, 2020
After 3 months since the last blog, I found and pull the patches of 12 memory disclosure bugs:
- [NTOS:PS] Fix stack memory disclosure in PsGetContextThread: merged
- [Win32SS][USER] Fix stack memory disclosure in NtUserBuildPropList: merged
- [MOUNTMGR] Fix pool memory disclosure in QueryPointsFromMemory: merged
- [Win32SS][GDI] Fix pool memory disclosure in NtGdiGetGlyphOutline: merged
- [DRIVERS] Fix pool memory disclsoure in CreateDiskDeviceObject of disk driver: closed
- [NTGDI] Fix stack memory disclosure in NtGdiGetTextMetricsW: merged
- [NTOS:KE] Fix stack memory disclosure in KiInitializeUserApc: merged
- [NTOS:IO] Fix pool memory disclosure in IopQueueTargetDeviceEvent: merged
- [Win32SS][GDI] Fix pool memory disclosure in NtGdiGetOutlineTextMetricsInternalW: merged
- [WIN32SS][NTUSER] Fix uninitialized memory cause memory disclosure used for KeUserModeCallback: merged
- [FILESYSTEMS] Fix pool memory disclosure in filesystem drivers supporting FS_INFORMATION_CLASS.FileFsVolumeInformation: merged
- [SDK] Fix pool memory disclosure in IopParseDevice: merged
Additionally, I did a small change to make bochspwn-reloaded able to detect unitialized memory use for the kernel. When reading a memory which is marked as uninitialized, it reports unitialized memory use. By using memory taint tracking of bochspwn-reloaded, I can figure out which memory is uninitialized so I only need to determine where that memory is being read. Usually, mov assembly family instruction is used to read and write memory. I added this code instrument.cc#L628 to know current executing instruction is mov then if it’s read operation instrument.cc#L464, I consider it’s an uninitialized memory use. The folder windows-x86-uiu contains the code which is used to detect uninitialized memory in use. As a result I’ve found 1 bug:
While doing the fixes, the most hard part is tracking memory, finding where the original memory is allocated. I use rosautotest to trigger those bugs so I guess there are few bugs left which aren’t hit by the tests. Especially in uninitialized memory use, there were many reports reported by the tool but I don’t have enough time to investigate, maybe some of them are false positive. I’m going to spend time to investigate and fix those uninitialized memory after the GSoC.