Uninit reads below SetupDiGetClassDevsW

[derekbruening]

From timurrrr@google.com on July 21, 2011 06:10:44

Repro taken from issue #499 :

#include <windows.h>
#include <dshow.h>

#include <stdio.h>

#pragma comment(lib, "ole32.lib")
#pragma comment(lib, "strmiids.lib")

class ScopedCOMInitializer {
public:
ScopedCOMInitializer() : hr_(CoInitialize(NULL)) { }

ScopedCOMInitializer::~ScopedCOMInitializer() {
  if (SUCCEEDED(hr_))
    CoUninitialize();
}

private:
HRESULT hr_;
};

int main() {
ScopedCOMInitializer sci;

ICreateDevEnum *dev_enum;
HRESULT hr = CoCreateInstance(CLSID_SystemDeviceEnum, NULL, CLSCTX_INPROC,
                              IID_ICreateDevEnum, (LPVOID*)&dev_enum);
if (!SUCCEEDED(hr)) {
    printf("FAIL\n");
    return 1;
}

IEnumMoniker *moniker;
hr = dev_enum->CreateClassEnumerator(CLSID_VideoInputDeviceCategory, &moniker, 0);
if (SUCCEEDED(hr)) {
    printf("PASS\n");
} else {
    printf("FAIL\n");
    return 1;
}
dev_enum->Release();

return 0;

}

[XP 32-bit with symbols]

Error #1: UNINITIALIZED READ: reading register eax
@0:00:05.626 in thread 4280
0x7792b4c6 <SETUPAPI.dll+0xb4c6> SETUPAPI.dll!SetupDiGetClassDevsExW
0x7792b604 <SETUPAPI.dll+0xb604> SETUPAPI.dll!SetupDiGetClassDevsW
0x75f49bf7 <DEVENUM.DLL+0x9bf7> DEVENUM.DLL!CEnumInterfaceClass::GetDevicePath
0x75f47588 <DEVENUM.DLL+0x7588> DEVENUM.DLL!CCreateSwEnum::CreateOnePnpMoniker
0x75f4769d <DEVENUM.DLL+0x769d> DEVENUM.DLL!CCreateSwEnum::CreatePnpMonikers
0x75f4837d <DEVENUM.DLL+0x837d> DEVENUM.DLL!CCreateSwEnum::CreateClassEnumerator
0x75f442c4 <DEVENUM.DLL+0x42c4> DEVENUM.DLL!CClassManagerBase::CreateClassEnumerator
0x75f48344 <DEVENUM.DLL+0x8344> DEVENUM.DLL!CCreateSwEnum::CreateClassEnumerator
0x75f46e0e <DEVENUM.DLL+0x6e0e> DEVENUM.DLL!CCreateSwEnum::CreateClassEnumerator
0x00401099 <test.exe+0x1099> test.exe!main
test.cpp:34

...

Error #3: UNINITIALIZED READ: reading 0x00185d82-0x00185d84 2 byte(s)
@0:00:05.673 in thread 4280
0x10038293 <drmemorylib.dll+0x38293> drmemorylib.dll!replace_wcslen
drmemory\replace.c:323
0x7792cfc7 <SETUPAPI.dll+0xcfc7> SETUPAPI.dll!OpenDeviceInterfaceSubKey
0x7792d19c <SETUPAPI.dll+0xd19c> SETUPAPI.dll!pSetupGetDevInstNameAndStatusForInterfaceDevice
0x7792d481 <SETUPAPI.dll+0xd481> SETUPAPI.dll!SetupDiGetClassDevsExW
0x7792b604 <SETUPAPI.dll+0xb604> SETUPAPI.dll!SetupDiGetClassDevsW
<same stack as #1 below>

[XP 32-bits w/o symbols]

Error #2: UNINITIALIZED READ: reading register eax
@0:00:04.035 in thread 5720
0x7792b4c6 <SETUPAPI.dll+0xb4c6> SETUPAPI.dll!SetupDiGetClassDevsExW
0x7792b604 <SETUPAPI.dll+0xb604> SETUPAPI.dll!SetupDiGetClassDevsW
0x75f49bf7 <DEVENUM.DLL+0x9bf7> DEVENUM.DLL!DllUnregisterServer
0x75f47588 <DEVENUM.DLL+0x7588> DEVENUM.DLL!DllUnregisterServer
0x75f4769d <DEVENUM.DLL+0x769d> DEVENUM.DLL!DllUnregisterServer
0x75f4837d <DEVENUM.DLL+0x837d> DEVENUM.DLL!DllUnregisterServer
0x75f442c4 <DEVENUM.DLL+0x42c4> DEVENUM.DLL!?
0x75f48344 <DEVENUM.DLL+0x8344> DEVENUM.DLL!DllUnregisterServer
0x75f46e0e <DEVENUM.DLL+0x6e0e> DEVENUM.DLL!DllUnregisterServer
0x00401099 <test.exe+0x1099> test.exe!main
test.cpp:34

...

Error #4: UNINITIALIZED READ: reading 0x00185d82-0x00185d84 2 byte(s)
@0:00:04.067 in thread 5720
0x10038293 <drmemorylib.dll+0x38293> drmemorylib.dll!replace_wcslen
drmemory\replace.c:323
0x7792cfc7 <SETUPAPI.dll+0xcfc7> SETUPAPI.dll!SetupDiEnumDeviceInterfaces
0x7792d19c <SETUPAPI.dll+0xd19c> SETUPAPI.dll!SetupDiEnumDeviceInterfaces
0x7792d481 <SETUPAPI.dll+0xd481> SETUPAPI.dll!SetupDiEnumDeviceInterfaces
0x7792b604 <SETUPAPI.dll+0xb604> SETUPAPI.dll!SetupDiGetClassDevsW
<same stack as Error #2 below>

Looks like some NtUser syscall doesn't initialize some of its OUT fields?

Original issue: http://code.google.com/p/drmemory/issues/detail?id=503

[derekbruening]

From timurrrr@google.com on July 21, 2011 03:31:54

On Win7 the stack looks slightly different:
[with symbols]
Error #10: UNINITIALIZED READ: reading 0x0060b4fc-0x0060b4fe 2 byte(s)
@0:00:22.071 in thread 1464
0x75b525db <DEVOBJ.dll+0x25db> DEVOBJ.dll!DevObjGetClassDevs
0x761ca499 <SETUPAPI.dll+0xa499> SETUPAPI.dll!SetupDiGetClassDevsExW
0x761cb096 <SETUPAPI.dll+0xb096> SETUPAPI.dll!SetupDiGetClassDevsW
0x72f9a7dd <DEVENUM.DLL+0xa7dd> DEVENUM.DLL!CEnumInterfaceClass::GetDevicePath
0x72f9831f <DEVENUM.DLL+0x831f> DEVENUM.DLL!CCreateSwEnum::CreateOnePnpMoniker
0x72f98452 <DEVENUM.DLL+0x8452> DEVENUM.DLL!CCreateSwEnum::CreatePnpMonikers
0x72f992e4 <DEVENUM.DLL+0x92e4> DEVENUM.DLL!CCreateSwEnum::CreateClassEnumerator
0x72f94a2b <DEVENUM.DLL+0x4a2b> DEVENUM.DLL!CClassManagerBase::CreateClassEnumerator
0x72f992ab <DEVENUM.DLL+0x92ab> DEVENUM.DLL!CCreateSwEnum::CreateClassEnumerator
0x72f97a31 <DEVENUM.DLL+0x7a31> DEVENUM.DLL!CCreateSwEnum::CreateClassEnumerator
0x00401099 <test.exe+0x1099> test.exe!main
test.cpp:34

[w/o symbols]
Error #10: UNINITIALIZED READ: reading 0x005f8af4-0x005f8af6 2 byte(s)
@0:00:10.031 in thread 1692
0x75b525db <DEVOBJ.dll+0x25db> DEVOBJ.dll!DevObjGetClassDevs
0x761ca499 <SETUPAPI.dll+0xa499> SETUPAPI.dll!SetupDiGetClassDevsExW
0x761cb096 <SETUPAPI.dll+0xb096> SETUPAPI.dll!SetupDiGetClassDevsW
0x72f9a7dd <DEVENUM.DLL+0xa7dd> DEVENUM.DLL!DllRegisterServer
0x72f9831f <DEVENUM.DLL+0x831f> DEVENUM.DLL!DllRegisterServer
0x72f98452 <DEVENUM.DLL+0x8452> DEVENUM.DLL!DllRegisterServer
0x72f992e4 <DEVENUM.DLL+0x92e4> DEVENUM.DLL!DllRegisterServer
0x72f94a2b <DEVENUM.DLL+0x4a2b> DEVENUM.DLL!?
0x72f992ab <DEVENUM.DLL+0x92ab> DEVENUM.DLL!DllRegisterServer
0x72f97a31 <DEVENUM.DLL+0x7a31> DEVENUM.DLL!DllRegisterServer
0x00401099 <test.exe+0x1099> test.exe!main
test.cpp:34

[derekbruening]

From bruen...@google.com on July 21, 2011 09:52:49

you mention NtUser syscalls -- which ones do you see that you suspect? maybe you can investigate this one further.

Owner: timurrrr@google.com

[derekbruening]

From bruen...@google.com on July 21, 2011 12:02:46

I'll take it

Owner: bruen...@google.com

[derekbruening]

From bruen...@google.com on July 21, 2011 14:03:57

what I see on win7 looks like issue #486 :

uninit arg value. it's argnum=3 == TokenInformationLength
arg 0 = 0x26c
arg 1 = 0x1
arg 2 = 0x8a1068
arg 3 = 0x24
arg 4 = 0x18ec0c
Error #3: UNINITIALIZED READ: reading 0x0018ebcc-0x0018ebd0 4 byte(s) within 0x0018ebcc-0x0018ebd0
@0:00:05.709 in thread 3120
system call NtQueryInformationToken
0x75bbd019 <SETUPAPI.dll+0xd019> SETUPAPI.dll!pSetupRestoreThreadPrivileges

0:000> dds @@(mc->esp)
0018ebbc 7593ba52 KERNELBASE!GetTokenInformation+0x1a
0018ebc0 0000026c
0018ebc4 00000001
0018ebc8 004f1068
0018ebcc 00000024
0018ebd0 0018ec0c
0018ebd4 0018ec30
0018ebd8 75bbd019 setupapi!pSetupRestoreThreadPrivileges+0xc8
0018ebdc 0000026c
0018ebe0 00000001
0018ebe4 004f1068
0018ebe8 00000024
0018ebec 0018ec0c

setupapi!pSetupRestoreThreadPrivileges+0x9b:
75bbcff4 e800c7ffff call setupapi!SpUtilsMalloc (75bb96f9)
75bbcff9 8bd8 mov ebx,eax
75bbcffb 895dd8 mov [ebp-0x28],ebx
75bbcffe 85db test ebx,ebx
75bbd000 0f8454840400 je setupapi!pSetupRestoreThreadPrivileges+0xa9 (75c0545a)
75bbd006 6a00 push 0x0
75bbd008 ffd7 call edi
75bbd00a 8d45dc lea eax,[ebp-0x24]
75bbd00d 50 push eax
75bbd00e ff75d4 push dword ptr [ebp-0x2c]
75bbd011 53 push ebx
75bbd012 6a01 push 0x1
75bbd014 ff7508 push dword ptr [ebp+0x8]
75bbd017 ffd6 call esi

preceded by:
Error #2: UNINITIALIZED READ: reading 0x0018ebdc-0x0018ebe0 4 byte(s)
@0:00:10.104 in thread 6264
0x776ee07a <ntdll.dll+0x2e07a> ntdll.dll!RtlAllocateHeap
0x75bb970f <SETUPAPI.dll+0x970f> SETUPAPI.dll!SpUtilsMalloc
0x75bbcff9 <SETUPAPI.dll+0xcff9> SETUPAPI.dll!pSetupRestoreThreadPrivileges
0x776ee07a f7 45 0c 61 0f 81 7d test 0x0c(%ebp) $0x7d810f61
so that's flags arg

and size arg (probably same 0x24)
Error #1: UNINITIALIZED READ: reading 0x0018ebe0-0x0018ebe4 4 byte(s)
@0:00:05.316 in thread 6264
0x776ee052 <ntdll.dll+0x2e052> ntdll.dll!RtlAllocateHeap
0x75bb970f <SETUPAPI.dll+0x970f> SETUPAPI.dll!SpUtilsMalloc
0x75bbcff9 <SETUPAPI.dll+0xcff9> SETUPAPI.dll!pSetupRestoreThreadPrivileges
0x776ee052 81 7d 10 ff ff ff 7f cmp 0x10(%ebp) $0x7fffffff

setupapi!pSetupRestoreThreadPrivileges+0x5e:
75bbcfb9 8d45dc lea eax,[ebp-0x24]
75bbcfbc 50 push eax
75bbcfbd 53 push ebx
75bbcfbe 53 push ebx
75bbcfbf 6a01 push 0x1
75bbcfc1 ff7508 push dword ptr [ebp+0x8]
75bbcfc4 8b35ac14bb75 mov esi,[setupapi!_imp__GetTokenInformation (75bb14ac)]
75bbcfca ffd6 call esi
75bbcfcc 85c0 test eax,eax
75bbcfce 0f8574840400 jne setupapi!pSetupRestoreThreadPrivileges+0x75 (75c05448)
75bbcfd4 e837f4ffff call setupapi!pSetupGetLastError (75bbc410)
75bbcfd9 8945e4 mov [ebp-0x1c],eax
75bbcfdc 85c0 test eax,eax
75bbcfde 0f846b840400 je setupapi!pSetupRestoreThreadPrivileges+0x85 (75c0544f)
75bbcfe4 83f87a cmp eax,0x7a
75bbcfe7 0f8592000000 jne setupapi!pSetupRestoreThreadPrivileges+0x137 (75bbd07f)
75bbcfed 8b45dc mov eax,[ebp-0x24]
75bbcff0 8945d4 mov [ebp-0x2c],eax
75bbcff3 50 push eax
75bbcff4 e800c7ffff call setupapi!SpUtilsMalloc (75bb96f9)

system call 30 NtQueryInformationToken failed with 0xc0000023
== STATUS_BUFFER_TOO_SMALL

/* FIXME issue #486: syscalls that return the capacity needed in an OUT param
 * will still write to it when returning STATUS_BUFFER_TOO_SMALL

[derekbruening]

From bruen...@google.com on July 21, 2011 19:20:07

this one looks like a real bug since the UNICODE_STRING Buffer should
include the NULL, though since no write of NULL earlier maybe it is relying
on nobody reading past MaximumLength:
arg 0 = 0x18fb20
arg 1 = 0x20019
arg 2 = 0x18fafc
pre considering arg 0 4 2
pre considering arg 2 24 5
UNICODE_STRING Buffer=0x0062395c Length=248 MaximumLength=248
Error #1: UNADDRESSABLE ACCESS: reading 0x00623a54-0x00623a56 2 byte(s) within 0x0062395c-0x00623a56
Note: next higher malloc: 0x00623a70-0x00623a94
Note: prev lower malloc: 0x00623958-0x00623a54
system call NtOpenKey UNICODE_STRING content
0x75e37be5 <ole32.dll+0xa7be5> ole32.dll!CComClassInfo::RefreshNeeded
0x75de580c <ole32.dll+0x5580c> ole32.dll!CComCatalog::CheckForRefresh

0:000> dt us
Local var @ 0x178d9c54 Type UNICODE_STRING
"\REGISTRY\USER\S-1-5-21-39260824-743453154-142223018-400740_CLASSES\Wow6432Node\CLSID{860BB310-5D01-11D0-BD3B-00A0C911CE86}"
+0x000 Length : 0xf8
+0x002 MaximumLength : 0xf8
+0x004 Buffer : 0x0062395c "\REGISTRY\USER\S-1-5-21-39260824-743453154-142223018-400740_CLASSES\Wow6432Node\CLSID{860BB310-5D01-11D0-BD3B-00A0C911CE86}"
0:000> dc @@(us.Buffer) L50
0062395c 0052005c 00470045 00530049 00520054 .R.E.G.I.S.T.R.
0062396c 005c0059 00530055 00520045 0053005c Y..U.S.E.R..S.
0062397c 0031002d 0035002d 0032002d 002d0031 -.1.-.5.-.2.1.-.
0062398c 00390033 00360032 00380030 00340032 3.9.2.6.0.8.2.4.
0062399c 0037002d 00330034 00350034 00310033 -.7.4.3.4.5.3.1.
006239ac 00340035 0031002d 00320034 00320032 5.4.-.1.4.2.2.2.
006239bc 00300033 00380031 0034002d 00300030 3.0.1.8.-.4.0.0.
006239cc 00340037 005f0030 004c0043 00530041 7.4.0..C.L.A.S.
006239dc 00450053 005c0053 006f0057 00360077 S.E.S..W.o.w.6.
006239ec 00330034 004e0032 0064006f 005c0065 4.3.2.N.o.d.e..
006239fc 004c0043 00490053 005c0044 0038007b C.L.S.I.D..{.8.
00623a0c 00300036 00420042 00310033 002d0030 6.0.B.B.3.1.0.-.
00623a1c 00440035 00310030 0031002d 00440031 5.D.0.1.-.1.1.D.
00623a2c 002d0030 00440042 00420033 0030002d 0.-.B.D.3.B.-.0.
00623a3c 00410030 00430030 00310039 00430031 0.A.0.C.9.1.1.C.
00623a4c 00380045 007d0036 00000000 00000000 E.8.6.}.........

ole32!CheckRefresh+0x5f:
75e75c8d 8b4510 mov eax,[ebp+0x10]
75e75c90 8d4804 lea ecx,[eax+0x4]
75e75c93 0fb700 movzx eax,word ptr [eax] <== size of Buffer
75e75c96 668945e0 mov [ebp-0x20],ax
75e75c9a 668945e2 mov [ebp-0x1e],ax
75e75c9e 8d45e0 lea eax,[ebp-0x20]
75e75ca1 8945d0 mov [ebp-0x30],eax <== UNICODE_STRING*
75e75ca4 8d45c8 lea eax,[ebp-0x38]
75e75ca7 50 push eax
75e75ca8 6819000200 push 0x20019
75e75cad 8d45ec lea eax,[ebp-0x14]
75e75cb0 50 push eax
75e75cb1 894de4 mov [ebp-0x1c],ecx <== Buffer
75e75cb4 c745c818000000 mov dword ptr [ebp-0x38],0x18
75e75cbb 895dcc mov [ebp-0x34],ebx
75e75cbe c745d440000000 mov dword ptr [ebp-0x2c],0x40
75e75cc5 895dd8 mov [ebp-0x28],ebx
75e75cc8 895ddc mov [ebp-0x24],ebx
75e75ccb ff15f011d975 call dword ptr [ole32!_imp__NtOpenKey (75d911f0)]
75e75cd1 3bc3 cmp eax,ebx
75e75cd3 7d34 jge ole32!CheckRefresh+0xdb (75e75d09)

ebp-0x1c == Buffer

ebp+0x10 == 3rd param to CheckRefresh

it's 00623958
which is a size followed by wchar_t array:
0:000> dd 00623958
00623958 000000f8 0052005c 00470045 00530049

00623958 is the start of the malloc

the question is, is this a bug, or should my UNICODE_STRING handler just
stop at MaximumLength even if equal to Length and/or haven't hit NULL yet?

**** UNINITs from NtAlpcSendWaitReceivePort?

the other uninits may be from NtAlpcSendWaitReceivePort which is part of issue #98

% grep -E '^Error|NtAlpc' ls -1td logs/D*|head -1/g*
Error #1: UNADDRESSABLE ACCESS: reading 0x00563a54-0x00563a56 2 byte(s) within 0x0056395c-0x00563a56
system call #0x71 NtAlpcConnectPort
processing post system call #0x71 NtAlpcConnectPort res=0x0
system call #0x82 NtAlpcSendWaitReceivePort
processing post system call #0x82 NtAlpcSendWaitReceivePort res=0x0
system call #0x82 NtAlpcSendWaitReceivePort
processing post system call #0x82 NtAlpcSendWaitReceivePort res=0x0
Error #2: UNINITIALIZED READ: reading 0x0018f5cc-0x0018f5d0 4 byte(s)
Error #3: UNINITIALIZED READ: reading register edi
system call #0x82 NtAlpcSendWaitReceivePort
processing post system call #0x82 NtAlpcSendWaitReceivePort res=0x0
Error #4: UNINITIALIZED READ: reading 0x0018f484-0x0018f488 4 byte(s)
Error #5: UNINITIALIZED READ: reading 0x0018f4c4-0x0018f4c8 4 byte(s)
...

on XP that syscall doesn't exist, but it looks like it's doing something
equivalent:
% grep -E 'NtDeviceIo|ioctl|^Error' ls -1td logs/D*|head -1/g*
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
Error #1: UNINITIALIZED READ: reading 0x004b2197-0x004b21a7 16 byte(s) within 0x004b2190-0x004b2290
system call NtDeviceIoControlFile InputBuffer
processing post system call #0x4 NtDeviceIoControlFile res=0x0
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
processing post system call #0x4 NtDeviceIoControlFile res=0x0
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
processing post system call #0x4 NtDeviceIoControlFile res=0x0
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
processing post system call #0x4 NtDeviceIoControlFile res=0x0
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
processing post system call #0x4 NtDeviceIoControlFile res=0x0
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
processing post system call #0x4 NtDeviceIoControlFile res=0x0
system call #0x4 NtDeviceIoControlFile
WARNING: unknown ioctl 0x390008 => op 2
processing post system call #0x4 NtDeviceIoControlFile res=0x0
Error #2: UNINITIALIZED READ: reading register ebx
Error #3: UNINITIALIZED READ: reading register ebx
...

[derekbruening]

From timurrrr@google.com on July 22, 2011 08:21:29

Re: NtQueryInformationToken
see issue #380

[derekbruening]

From bruen...@google.com on August 02, 2011 11:51:07

I put in some fixes for issue #92 , issue #529 , and issue #486 that
removed most of the uninits on win7.

on win7 the only uninit I still see is split as issue #535 on xp64 I still see these on the issue #499 test app:

Error #1: UNINITIALIZED READ: reading register ebx
0x7da50098 <RPCRT4.dll+0x30098> RPCRT4.dll!rc4_key
0x7da4ffee <RPCRT4.dll+0x2ffee> RPCRT4.dll!GenerateRandomNumber
0x7da35505 <RPCRT4.dll+0x15505> RPCRT4.dll!UuidCreate
0x776aeab0 <ole32.dll+0x3eab0> ole32.dll!wCoCreateGuid
0x776aed41 <ole32.dll+0x3ed41> ole32.dll!CObjectContext::CreateObjectContext
0x776aea27 <ole32.dll+0x3ea27> ole32.dll!InitThreadCtx
0x776ae991 <ole32.dll+0x3e991> ole32.dll!wCoInitializeEx
0x776ae918 <ole32.dll+0x3e918> ole32.dll!CoInitializeEx
0x776a47ec <ole32.dll+0x347ec> ole32.dll!CoInitialize
0x0040119f < issue499 .exe+0x119f> issue499 .exe!?
0x0040105d < issue499 .exe+0x105d> issue499 .exe!?
0x00401955 < issue499 .exe+0x1955> issue499 .exe!?
0x7da50098 8a 04 33 mov (%ebx,%esi,1) -> %al
0x7da500ac 8a 04 33 mov (%ebx,%esi,1) -> %al
0x7da500c1 8a 04 33 mov (%ebx,%esi,1) -> %al
0x7da500d6 8a 04 33 mov (%ebx,%esi,1) -> %al

I thought the data might come from here:

WARNING: unknown ioctl 0x390008 => op 2
arg 0 = 0x3b4
arg 1 = 0x0
arg 2 = 0x0
arg 3 = 0x0
arg 4 = 0x12fb14
arg 5 = 0x390008
arg 6 = 0x4b2190
arg 7 = 0x100
arg 8 = 0x12fbd0
arg 9 = 0x100
pre considering arg 4 8 2
pre considering arg 8 -9 2
pre considering arg 0 0 0
WARNING: unknown ioctl 0x390008 => op 2
unknown system call #0x4
pre-unknown-syscall #0x4: param 4 == 0x0012fb14 1260 bytes
pre-unknown-syscall #0x4: param 5 == 0x00390008 2048 bytes
pre-unknown-syscall #0x4: param 6 == 0x004b2190 2048 bytes
pre-unknown-syscall #0x4: param 17 == 0x0012fb08 13 bytes
pre-unknown-syscall #0x4: param 20 == 0x7d4d89b4 2048 bytes
processing post system call #0x4 NtDeviceIoControlFile res=0x0
post considering arg 4 8 2 0x0012fb14
start 0x0012fb14, size 0x8
marking 0x12fb14-0x12fb1c written parameter #4
post considering arg 8 -9 2 0x0012fbd0
start 0x0012fbd0, size 0x100
marking 0x12fbd0-0x12fcd0 written parameter #8
post considering arg 0 0 0 0x000003b4
system call #0x4 NtDeviceIoControlFile
0x7d4d07fa <KERNEL32.dll+0x107fa> KERNEL32.dll!DeviceIoControl
fp=0x0012fb3c parent=0x0012fb98 0x0044e3fd <ADVAPI32.dll+0xe3fd> ADVAPI32.dll!GatherRandomKeyFastUserMode
fp=0x0012fb98 parent=0x0012fcd4 0x0044e482 <ADVAPI32.dll+0xe482> ADVAPI32.dll!RandomFillBuffer
fp=0x0012fcd4 parent=0x0012fcec 0x0044f119 <ADVAPI32.dll+0xf119> ADVAPI32.dll!GenRandom
fp=0x0012fcec parent=0x0012fd0c 0x0044f0dc <ADVAPI32.dll+0xf0dc> ADVAPI32.dll!NewGenRandomEx
fp=0x0012fd0c parent=0x0012fd38 0x0044f084 <ADVAPI32.dll+0xf084> ADVAPI32.dll!NewGenRandom
fp=0x0012fd38 parent=0x0012fd50 0x0044f047 <ADVAPI32.dll+0xf047> ADVAPI32.dll!SystemFunction036
fp=0x0012fd50 parent=0x0012fe74 0x7da4ffcd <RPCRT4.dll+0x2ffcd> RPCRT4.dll!GenerateRandomNumber
fp=0x0012fe74 parent=0x0012fe88 0x7da35505 <RPCRT4.dll+0x15505> RPCRT4.dll!UuidCreate

#define FILE_DEVICE_KSEC 0x00000039

kernel driver confirms that we're not missing any kernel write
here (i.e., there's nothing OUT in the IN buffer):
arg 0 = 0x7cc
arg 1 = 0x0
arg 2 = 0x0
arg 3 = 0x0
arg 4 = 0x12fb14
arg 5 = 0x390008
arg 6 = 0x77e46318
arg 7 = 0x100
arg 8 = 0x12fbd0
arg 9 = 0x100
driver info: syscall #0x42 write 0: 0x0012fbd0-0x0012fcd0
set range 0x0012fbd0-0x0012fcd0 => 0x0
processing post system call #0x42 NtDeviceIoControlFile res=0x0
post considering arg 4 8 1
start 0x0012fb14, size 0x8
marking 0x12fb14-0x12fb1c written
post considering arg 8 -9 1
start 0x0012fbd0, size 0x100
marking 0x12fbd0-0x12fcd0 written
post considering arg 0 0 0

manual inspection also shows random bytes written up to exactly 0x100

RPCRT4!rc4_key:
7da50035 53 push ebx
7da50036 b800010203 mov eax,0x3020100
7da5003b b910000000 mov ecx,0x10
7da50040 56 push esi
7da50041 8b74240c mov esi,[esp+0xc]
7da50045 57 push edi
7da50046 bf08080808 mov edi,0x8080808
7da5004b 8bd6 mov edx,esi
7da5004d 55 push ebp
7da5004e bd04050607 mov ebp,0x7060504
7da50053 8902 mov [edx],eax
7da50055 83c208 add edx,0x8
7da50058 03c7 add eax,edi
7da5005a 896afc mov [edx-0x4],ebp
7da5005d 03ef add ebp,edi
7da5005f 8902 mov [edx],eax
7da50061 83c208 add edx,0x8
7da50064 03c7 add eax,edi
7da50066 896afc mov [edx-0x4],ebp
7da50069 03ef add ebp,edi
7da5006b 49 dec ecx
7da5006c 75e5 jnz RPCRT4!rc4_key+0x1e (7da50053)
7da5006e 8b6c241c mov ebp,[esp+0x1c]
7da50072 33c0 xor eax,eax
7da50074 880a mov [edx],cl
7da50076 8a442418 mov al,[esp+0x18]
7da5007a 8d3c28 lea edi,[eax+ebp]
7da5007d 884a01 mov [edx+0x1],cl
7da50080 33db xor ebx,ebx <== zeroed here. this was prior bb.
7da50082 33d2 xor edx,edx
7da50084 33c9 xor ecx,ecx
7da50086 2403 and al,0x3
7da50088 0f85a2520000 jne RPCRT4!rc4_key+0xc3 (7da55330)
7da5008e 8a1431 mov dl,[ecx+esi]
7da50091 8a4500 mov al,[ebp]
7da50094 02d8 add bl,al
7da50096 02da add bl,dl
7da50098 8a0433 mov al,[ebx+esi]

+0x014 xbx : 0x76
+0x008 xsi : 0x2234fc
+0x00c ebp : 0x12fd70

0:000> dd @@(mc->ebp)
0012fd70 9133ae76 06eb62b6 371752dc f4a5c3da

native:
0012f63c 00000054
0012f640 00000000
0012f644 00000000
0012f648 00000000
0012f64c 0012f670
0012f650 00390008
0012f654 004b2190 ADVAPI32!ErrorSessionKey+0x30
0012f658 00000100
0012f65c 0012f72c
0012f660 00000100

0044f2fd 8b44241c mov eax,[esp+0x1c]
0044f301 2bc3 sub eax,ebx
0044f303 8938 mov [eax],edi <== written here
0:000> dd 0x12fd70-0x12fbd0 + 0012f72c
0012f8cc af7b0371 01c00608 7d68589c 01c00000

edi came from:
ADVAPI32!rc4+0x50:
0044f25a 8b7804 mov edi,[eax+0x4]
...
0044f280 33f8 xor edi,eax
...
0044f2fb 33f8 xor edi,eax

full:
ADVAPI32!rc4+0x50:
0044f25a 8b7804 mov edi,[eax+0x4]
0044f25d 41 inc ecx
0044f25e 33c0 xor eax,eax
0044f260 81e1ff000000 and ecx,0xff
0044f266 8a040e mov al,[esi+ecx]
0044f269 03d0 add edx,eax
0044f26b 81e2ff000000 and edx,0xff
0044f271 8a1c16 mov bl,[esi+edx]
0044f274 881c0e mov [esi+ecx],bl
0044f277 41 inc ecx
0044f278 880416 mov [esi+edx],al
0044f27b 02c3 add al,bl
0044f27d 8a0406 mov al,[esi+eax]
0044f280 33f8 xor edi,eax
0044f282 81e1ff000000 and ecx,0xff
0044f288 33c0 xor eax,eax
0044f28a 8a040e mov al,[esi+ecx]
0044f28d 03d0 add edx,eax
0044f28f 81e2ff000000 and edx,0xff
0044f295 8a1c16 mov bl,[esi+edx]
0044f298 881c0e mov [esi+ecx],bl
0044f29b 41 inc ecx
0044f29c 880416 mov [esi+edx],al
0044f29f 02c3 add al,bl
0044f2a1 8a0406 mov al,[esi+eax]
0044f2a4 c1e008 shl eax,0x8
0044f2a7 33f8 xor edi,eax
0044f2a9 81e1ff000000 and ecx,0xff
0044f2af 33c0 xor eax,eax
0044f2b1 8a040e mov al,[esi+ecx]
0044f2b4 03d0 add edx,eax
0044f2b6 81e2ff000000 and edx,0xff
0044f2bc 8a1c16 mov bl,[esi+edx]
0044f2bf 881c0e mov [esi+ecx],bl
0044f2c2 41 inc ecx
0044f2c3 880416 mov [esi+edx],al
0044f2c6 02c3 add al,bl
0044f2c8 8a0406 mov al,[esi+eax]
0044f2cb c1e010 shl eax,0x10
0044f2ce 33f8 xor edi,eax
0044f2d0 81e1ff000000 and ecx,0xff
0044f2d6 33c0 xor eax,eax
0044f2d8 8a040e mov al,[esi+ecx]
0044f2db 03d0 add edx,eax
0044f2dd 81e2ff000000 and edx,0xff
0044f2e3 8a1c16 mov bl,[esi+edx]
0044f2e6 881c0e m...

[derekbruening]

From bruen...@google.com on August 02, 2011 11:51:07

...ov [esi+ecx],bl
0044f2e9 880416 mov [esi+edx],al
0044f2ec 02c3 add al,bl
0044f2ee 8a0406 mov al,[esi+eax]
0044f2f1 c1e018 shl eax,0x18
0044f2f4 8d1cad00000000 lea ebx,[00000000+ebp*4]
0044f2fb 33f8 xor edi,eax
0044f2fd 8b44241c mov eax,[esp+0x1c]
0044f301 2bc3 sub eax,ebx
0044f303 8938 mov [eax],edi
0044f305 4d dec ebp
0044f306 0f854effffff jne ADVAPI32!rc4+0x50 (0044f25a)

looking more and more like bit manip: not clear yet whether would be fixed
by bit granularity or is more complex like issue #489 or issue #529

[derekbruening]

From timurrrr@google.com on August 02, 2011 11:55:31

Error #1: UNINITIALIZED READ: reading register ebx
0x7da50098 <RPCRT4.dll+0x30098> RPCRT4.dll!rc4_key
0x7da4ffee <RPCRT4.dll+0x2ffee> RPCRT4.dll!GenerateRandomNumber
xref issue #18 , issue #511

[derekbruening]

From bruen...@google.com on August 02, 2011 12:50:15

rc4_key is issue #511 left here on xp64 are:

Error #1: UNINITIALIZED READ: reading 0x0022fe2c-0x0022fe2d 1 byte(s)
0x777b73b5 <CLBCatQ.DLL+0x73b5> CLBCatQ.DLL!GetCatalogObject2
0x777bafc8 <CLBCatQ.DLL+0xafc8> CLBCatQ.DLL!GetStgDatabase
0x777ba687 <CLBCatQ.DLL+0xa687> CLBCatQ.DLL!OpenComponentLibrarySharedEx
0x777ba604 <CLBCatQ.DLL+0xa604> CLBCatQ.DLL!OpenComponentLibrarySharedTS
0x777b868d <CLBCatQ.DLL+0x868d> CLBCatQ.DLL!GetCatalogObject2
0x777b73b5 f6 83 4c 02 00 00 04 test 0x0000024c(%ebx) $0x04

Error #2: UNINITIALIZED READ: reading 0x01c130f0-0x01c130f4 4 byte(s)
0x73802ccc <msdmo.dll+0x2ccc> msdmo.dll!DMOEnum
0x73802d6d <msdmo.dll+0x2d6d> msdmo.dll!DMOEnum
0x76507a9e <DEVENUM.DLL+0x7a9e> DEVENUM.DLL!DllUnregisterServer
0x76507c1e <DEVENUM.DLL+0x7c1e> DEVENUM.DLL!DllUnregisterServer
0x765087c9 <DEVENUM.DLL+0x87c9> DEVENUM.DLL!DllUnregisterServer
0x73802ccc 3b 41 08 cmp %eax 0x08(%ecx)

Error #6: UNINITIALIZED READ: reading 0x0022f8e8-0x0022f8e9 1 byte(s)
0x777bc032 <CLBCatQ.DLL+0xc032> CLBCatQ.DLL!GetStgDatabase
0x777bc472 <CLBCatQ.DLL+0xc472> CLBCatQ.DLL!DestroyStgDatabase
0x777bc42c <CLBCatQ.DLL+0xc42c> CLBCatQ.DLL!DestroyStgDatabase
0x777bc40f <CLBCatQ.DLL+0xc40f> CLBCatQ.DLL!GetStgDatabase
0x777bcac1 <CLBCatQ.DLL+0xcac1> CLBCatQ.DLL!DestroyStgDatabase
0x777bc032 f6 46 24 01 test 0x24(%esi) $0x01

Error #7: UNINITIALIZED READ: reading 0x0022fa40-0x0022fa41 1 byte(s)
0x777bc032 <CLBCatQ.DLL+0xc032> CLBCatQ.DLL!GetStgDatabase
0x777bc42c <CLBCatQ.DLL+0xc42c> CLBCatQ.DLL!DestroyStgDatabase
0x777bc40f <CLBCatQ.DLL+0xc40f> CLBCatQ.DLL!GetStgDatabase
0x777bcac1 <CLBCatQ.DLL+0xcac1> CLBCatQ.DLL!DestroyStgDatabase
0x777bbc96 <CLBCatQ.DLL+0xbc96> CLBCatQ.DLL!GetStgDatabase
0x777bc032 f6 46 24 01 test 0x24(%esi) $0x01

have not looked at xp32