handle NtUserMessageCall and various message types #1249

Closed
derekbruening opened this issue Nov 28, 2014 · 1 comment

Comments

@derekbruening
Contributor

From bruen...@google.com on May 24, 2013 10:38:16

The StrChrW uninit from issue #1248 is written by a WM_GETTEXT message.
It shows up in an NtUserMessageCall system call:

0043d298 753e5e7f SHLWAPI!SHStripMneumonicW+0x16
0043d29c 02fea5cc
0043d2a0 00000026

0:000> dc 02fea5cc
02fea5cc 0043004d 00000000 00000000 00000000 M.C.............
0:000> U @@(pc)
drmemorylib!replace_wcschr+0x1e [c:\derek\drmemory\git\src\drmemory\replace.c @ 311]:
027dd29e 3bd6 cmp edx,esi
+0x01c edx : 0x43

so that string itself is uninit?

it's passed to SHStripMneumonicW, so allocated by calc.

the string is 0x14 into this malloc:
in event_basic_block(tag=0x010256fd)
set range 0x0043d2ac-0x0043d2b0 => 0x0
replace_malloc 1052
carving out new chunk @0x02fea598 => head=0x02fea5a0, res=0x02fea5b8
replace_alloc_common arena=0x02fc0000 flags=0x4 request=1052, alloc=1056 => 0x02fea5b8
set range 0x02fea5b8-0x02fea9d4 => 0x3
replace_malloc 1052 => 0x02fea5b8

calc!CCalculatorDialog::CreateRoundedButton+0xc4:
010256fd be0e000000 mov esi,0xe
01025702 8974240c mov [esp+0xc],esi
01025706 681c040000 push 0x41c
0102570b e8b3680000 call calc!operator new (0102bfc3)

in a native run, the result of that new +0x14 was written by the kernel (not caught by watchpoint)

here it is, lParam arg to NtUserMessageCall for 0xd ==

app xsp=0x006fcc78
arg 0 = 0xcc022c hWnd
arg 1 = 0xd Msg == WM_GETTEXT
arg 2 = 0x200 wParam
arg 3 = 0x329a5cc lParam
arg 4 = 0x0 ResultInfo
arg 5 = 0x2b1 dwType == FNID_SENDMESSAGE
arg 6 = 0x0 Ansi
arg 7 = 0xcc022c
arg 8 = 0x329a5cc
arg 9 = 0x1141910
arg 10 = 0x8
arg 11 = 0x0
arg 12 = 0x6bdd90
arg 13 = 0xcc022c
arg 14 = 0x6fcd18
arg 15 = 0x778f2c92
arg 16 = 0x0
arg 17 = 0x0
XXX pre 0x0329a5cc == 0x00000000
system call #4104==4104.0 NtUserMessageCall
#0 USER32.dll!SendMessageWorker+0xdea (0x75d6b76a <USER32.dll+0xb76a>) modid:0
#1 fp=0x006fccdc parent=0x006fcd28 USER32.dll!GetWindowTextW+0xb9 (0x75d78847 <USER32.dll+0x18847>) modid:0
#2 fp=0x006fcd28 parent=0x006fcda8 CGlowButton::CGlowButton+0x9e (0x01025aac <calc.exe+0x25aac>) modid:0
#3 fp=0x006fcda8 parent=0x006fce10 CCalculatorDialog::CreateRoundedButton+0x137 (0x01025771 <calc.exe+0x25771>) modid:0
#4 fp=0x006fce10 parent=0x006fce4c CScientificKeypad::AssociateOwnerDraw+0x34 (0x0102457c <calc.exe+0x2457c>) modid:0
#5 fp=0x006fce4c parent=0x006fce5c CScientificKeypad::SetDialogHandle+0x46 (0x01022e37 <calc.exe+0x22e37>) modid:0
#6 fp=0x006fce5c parent=0x006fd2d4 CCalculatorMode::LayoutCalcModeGeneric+0x6c (0x01030a59 <calc.exe+0x30a59>) modid:0
#7 fp=0x006fd2d4 parent=0x006fd338 CScientificMode::LayoutCalculatorMode+0x3a (0x0103c461 <calc.exe+0x3c461>) modid:0
#8 fp=0x006fd338 parent=0x006fd360 CContainer::LayoutScientificMode+0xb8 (0x0103c3dd <calc.exe+0x3c3dd>) modid:0
#9 fp=0x006fd360 parent=0x006fdbd4 CContainer::AssembleDialogsWithoutToolset+0x31c (0x010269a1 <calc.exe+0x269a1>) modid:0
#10 fp=0x006fdbd4 parent=0x006ff798 WinMain +0x851 (0x0100185b <calc.exe+0x185b>) modid:0
iterating over args for syscall #0x1008.0x0 NtUserMessageCall
processing pre system call #0x1008.0x0 NtUserMessageCall
pre considering arg 0 0 0
processing pre system call #0x1008.0x0 NtUserMessageCall
pre considering arg 0 0 0
Ki routine 0x778f2c64: marked stack 0x006fcc28-0x006fcc78 as defined
Entering windows callback handler
...
XXX pre 0x0329a5cc == 0x00000000
system call #3==3.0 NtCallbackReturn
#0 USER32.dll!__fnOUTSTRING+0x8b (0x75d78d06 <USER32.dll+0x18d06>) modid:0
#1 fp=0x006fbbf4 parent=0x00000000 USER32.dll!__fnOUTSTRING+0x8a (0x75d78d06 <USER32.dll+0x18d06>) modid:0
#2 fp=0x006fccdc parent=0x006fcd28 USER32.dll!GetWindowTextW+0xb9 (0x75d78847 <USER32.dll+0x18847>) modid:0
#3 fp=0x006fcd28 parent=0x006fcda8 CGlowButton::CGlowButton+0x9e (0x01025aac <calc.exe+0x25aac>) modid:0
#4 fp=0x006fcda8 parent=0x006fce10 CCalculatorDialog::CreateRoundedButton+0x137 (0x01025771 <calc.exe+0x25771>) modid:0
#5 fp=0x006fce10 parent=0x006fce4c CScientificKeypad::AssociateOwnerDraw+0x34 (0x0102457c <calc.exe+0x2457c>) modid:0
#6 fp=0x006fce4c parent=0x006fce5c CScientificKeypad::SetDialogHandle+0x46 (0x01022e37 <calc.exe+0x22e37>) modid:0
#7 fp=0x006fce5c parent=0x006fd2d4 CCalculatorMode::LayoutCalcModeGeneric+0x6c (0x01030a59 <calc.exe+0x30a59>) modid:0
#8 fp=0x006fd2d4 parent=0x006fd338 CScientificMode::LayoutCalculatorMode+0x3a (0x0103c461 <calc.exe+0x3c461>) modid:0
#9 fp=0x006fd338 parent=0x006fd360 CContainer::LayoutScientificMode+0xb8 (0x0103c3dd <calc.exe+0x3c3dd>) modid:0
#10 fp=0x006fd360 parent=0x006fdbd4 CContainer::AssembleDialogsWithoutToolset+0x31c (0x010269a1 <calc.exe+0x269a1>) modid:0
#11 fp=0x006fdbd4 parent=0x006ff798 WinMain +0x851 (0x0100185b <calc.exe+0x185b>) modid:0
iterating over args for syscall #0x3.0x0 NtCallbackReturn
processing pre system call #0x3.0x0 NtCallbackReturn
pre considering arg 0 4 80
pre considering arg 1 4 80
pre considering arg 2 4 80
pre considering arg 0 0 0
processing pre system call #0x3.0x0 NtCallbackReturn
pre considering arg 0 4 80
pre considering arg 1 4 80
pre considering arg 2 4 80
pre considering arg 0 0 0
cbret: marking stack 0x006fbbf8-0x006fcc78 as unaddressable
XXX post 0x0329a5cc == 0x0043004d
processing post system call #0x1008.0x0 NtUserMessageCall res=0x2
post considering arg 0 0 0 0x00cc022c

BOOL
NTAPI
NtUserMessageCall(
HWND hWnd,
UINT Msg,
WPARAM wParam,
LPARAM lParam,
ULONG_PTR ResultInfo,
DWORD dwType, // FNID_XX types
BOOL Ansi);

lParam is supposed to be signed:
typedef UINT_PTR WPARAM;
typedef LONG_PTR LPARAM;

looking up SendMessage on MSDN => system-defined messages => window
messages => WM_GETTEXT:
wParam = size of buffer, lParam = buffer, retval = chars copied (minus
NULL). thus the res=0x2 => it's not a BOOL!

There's a pile of FNID_* message types to handle, and a pile of sub-types:
FNID_SENDMESSAGE then sends a WM_* message. May be worth doing sub-tables,
w/ support for tertiary tables?

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1249
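The following is an added example, not code from the issue or from Dr. Memory, of the two-level table the comment above proposes: a secondary table keyed by the FNID_* dwType and a tertiary table keyed by the WM_* message, used to compute which bytes behind lParam a memory checker must require to be addressable before NtUserMessageCall and may mark defined afterwards. The WM_* constants are the public Win32 values; the FNID_SENDMESSAGE value 0x2b1 is taken from the trace above and is assumed, as are all type and function names (msgcall_args_t, msgcall_pre, msgcall_post, trace_args) and the local buffer that stands in for 0x0329a5cc.

```c
#include <stddef.h>
#include <stdint.h>

/* WM_* values are from the public Win32 headers; FNID_SENDMESSAGE is the undocumented
 * dwType seen in the trace above (0x2b1) and is an assumption of this example. */
#define WM_GETTEXT       0x000D
#define WM_GETTEXTLENGTH 0x000E
#define FNID_SENDMESSAGE 0x02B1

/* The NtUserMessageCall arguments that matter for buffer checking. WPARAM is
 * UINT_PTR; LPARAM is LONG_PTR and therefore signed, as the issue notes. */
typedef struct {
    uintptr_t hwnd; unsigned msg; uintptr_t wparam; intptr_t lparam;
    unsigned dwtype;   /* FNID_* */
    int ansi;          /* 1-byte characters if set, otherwise UTF-16 */
} msgcall_args_t;
typedef struct { uintptr_t start; size_t size; } mem_range_t;

/* What lParam means for a given message: not a pointer, or an output buffer of
 * wParam characters that the kernel fills and whose fill length is the return value. */
typedef enum { BUF_NONE, BUF_OUT_SIZED } buf_kind_t;
typedef struct { unsigned msg; buf_kind_t kind; } msg_entry_t;
typedef struct { unsigned fnid; const msg_entry_t *msgs; size_t n; } fnid_entry_t;

/* Tertiary table for FNID_SENDMESSAGE: WM_* -> lParam semantics. */
static const msg_entry_t sendmessage_msgs[] = {
    { WM_GETTEXT, BUF_OUT_SIZED }, { WM_GETTEXTLENGTH, BUF_NONE },
};
/* Secondary table: FNID_* -> its message table; anything else is unmodelled. */
static const fnid_entry_t fnid_table[] = {
    { FNID_SENDMESSAGE, sendmessage_msgs, sizeof sendmessage_msgs / sizeof sendmessage_msgs[0] },
};

static const msg_entry_t *lookup(unsigned dwtype, unsigned msg)
{
    size_t i, j;
    for (i = 0; i < sizeof fnid_table / sizeof fnid_table[0]; i++)
        for (j = 0; fnid_table[i].fnid == dwtype && j < fnid_table[i].n; j++)
            if (fnid_table[i].msgs[j].msg == msg) return &fnid_table[i].msgs[j];
    return NULL;
}
static size_t char_size(const msgcall_args_t *a) { return a->ansi ? 1 : 2; }

/* Pre-syscall: *wr = memory the kernel may write, which must be addressable but need
 * not be defined yet. Returns 1 if a range applies, 0 if the message carries no buffer,
 * -1 if (dwType, Msg) is unmodelled so the caller warns instead of silently treating
 * lParam as a plain integer. */
int msgcall_pre(const msgcall_args_t *a, mem_range_t *wr)
{
    const msg_entry_t *e = lookup(a->dwtype, a->msg);
    wr->size = 0;
    if (e == NULL) return -1;
    if (e->kind != BUF_OUT_SIZED || a->wparam == 0) return 0;
    wr->start = (uintptr_t)a->lparam;
    wr->size  = (size_t)a->wparam * char_size(a);
    return 1;
}

/* Post-syscall: *written = what the kernel actually filled and may now be marked
 * defined. For WM_GETTEXT the return value is the character count without the NUL
 * (res=0x2 for "MC" in the trace), so res+1 characters were written, never more than
 * the wParam-sized buffer whatever res claims. Returns 1 if a range applies. */
int msgcall_post(const msgcall_args_t *a, intptr_t res, mem_range_t *written)
{
    const msg_entry_t *e = lookup(a->dwtype, a->msg);
    size_t chars;
    written->size = 0;
    if (e == NULL || e->kind != BUF_OUT_SIZED || a->wparam == 0 || res < 0) return 0;
    chars = (size_t)res + 1;
    if (chars > a->wparam) chars = a->wparam;
    written->start = (uintptr_t)a->lparam;
    written->size  = chars * char_size(a);
    return 1;
}

/* Replay of the trace's call (hWnd 0xcc022c, wParam 0x200, res 2) with a local buffer
 * standing in for lParam=0x0329a5cc: constructed sample data, not captured memory. */
static uint16_t sample_buf[0x200];
static msgcall_args_t trace_args(unsigned fnid, int ansi)
{
    msgcall_args_t a = { 0xcc022c, WM_GETTEXT, 0x200, (intptr_t)(uintptr_t)sample_buf, fnid, ansi };
    return a;
}
size_t trace_pre_writable_bytes(void)     /* 0x200 WCHARs -> 0x400 bytes addressable */
{
    msgcall_args_t a = trace_args(FNID_SENDMESSAGE, 0); mem_range_t wr;
    return msgcall_pre(&a, &wr) == 1 ? wr.size : 0;
}
size_t trace_post_defined_bytes(int ansi) /* res=2 -> "MC" + NUL: 6 bytes, or 3 if Ansi */
{
    msgcall_args_t a = trace_args(FNID_SENDMESSAGE, ansi); mem_range_t w;
    return msgcall_post(&a, 2, &w) == 1 ? w.size : 0;
}
size_t oversized_res_is_capped(void)      /* res=0x1000 > wParam: only 0x400 bytes defined */
{
    msgcall_args_t a = trace_args(FNID_SENDMESSAGE, 0); mem_range_t w;
    return msgcall_post(&a, 0x1000, &w) == 1 ? w.size : 0;
}
int unknown_dwtype_is_flagged(void)       /* dwType 0 is not in the table -> -1 */
{
    msgcall_args_t a = trace_args(0, 0); mem_range_t wr;
    return msgcall_pre(&a, &wr);
}
```

The post-syscall size comes from the return value rather than from wParam because, as the comment above works out, NtUserMessageCall does not return a BOOL for FNID_SENDMESSAGE: for WM_GETTEXT it returns the number of characters copied, and only those plus the NUL were written by the kernel (the trace shows 0x0043004d, "MC" in UTF-16, for res=0x2). The cap at wParam keeps a bogus return value from marking bytes defined beyond the buffer the application supplied, and the -1 path makes an unmodelled (dwType, Msg) pair visible instead of quietly treating lParam as an integer.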

@derekbruening
Contributor Author

From derek.br...@gmail.com on May 24, 2013 12:03:18

This issue was closed by revision r1393.

Status: Fixed
