False uninits in ADVAPI32.dll!SystemFunction036 #65
From rsleevi@chromium.org on May 24, 2011 20:29:03:
For what it's worth, it's correct in reporting an uninitialized read - but that is an edge case. In the above example, SystemFunction036 will read from tmp. This is because it uses the buffer supplied as an auxiliary random seed. CryptGenRandom, which is just a facade for SystemFunction036 in the default MSFT provider, documents this (since "technically" SystemFunction036 is undocumented/unsupported): http://msdn.microsoft.com/en-us/library/aa379942(VS.85).aspx
As a way to confirm this, if you initialize tmp (e.g. memset), does the error disappear?
I would agree that there is a desired change here, even if it's not a FalsePositive, since it would be better to suppress this error universally, lest users end up thinking similarly to http://digitaloffense.net/tools/debian-openssl/ . While CryptGenRandom/SystemFunction036 are cryptographically strong by themselves (meaning the additional entropy is not necessary), it would seem better not to bubble this up at all.
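The two points made above (SystemFunction036 reads its nominally output-only buffer as extra seed, and pre-initializing the buffer should make the report disappear) can be folded into a small wrapper. The following is an added example written for this page, not code from the issue or from the Dr. Memory project: it resolves SystemFunction036 at runtime exactly as the test program in the report does, zero-fills the buffer before the call, checks the return value, and declares the export with the BOOLEAN return type it actually has. The function names fill_random, buffer_has_entropy and demo are our own; on non-Windows hosts the same interface is backed by /dev/urandom so the file still builds and runs there.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
/* SystemFunction036 (RtlGenRandom) returns BOOLEAN, a single byte, not BOOL:
   declaring it as BOOL and testing all of EAX can misread the result on x86. */
typedef BOOLEAN (WINAPI *RtlGenRandom_T)(PVOID, ULONG);
#endif

/* Fill buf[0..len) with random bytes. Returns 1 on success, 0 on failure.
   Whatever happens, the buffer is left fully initialized. */
int fill_random(unsigned char *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return 0;

    /* The workaround proposed in the thread: define every byte before the
       call. SystemFunction036 reads its nominally OUT buffer as auxiliary
       seed material, which is the read Dr. Memory reported on an
       uninitialized stack array. Zeroing costs nothing cryptographically
       (the extra seed is not required for strength) and removes the report. */
    memset(buf, 0, len);

#ifdef _WIN32
    {
        HMODULE advapi32 = LoadLibraryA("advapi32.dll");
        RtlGenRandom_T gen;
        BOOLEAN ok;
        if (advapi32 == NULL)
            return 0;
        gen = (RtlGenRandom_T)GetProcAddress(advapi32, "SystemFunction036");
        /* ULONG cannot express larger sizes, so refuse rather than truncate. */
        if (gen == NULL || len > (size_t)0xFFFFFFFFUL) {
            FreeLibrary(advapi32);
            return 0;
        }
        ok = gen(buf, (ULONG)len);
        FreeLibrary(advapi32);
        return ok ? 1 : 0;
    }
#else
    {
        /* Portable stand-in (assumption for this example) so it builds on POSIX hosts. */
        FILE *f = fopen("/dev/urandom", "rb");
        size_t got;
        if (f == NULL)
            return 0;
        got = fread(buf, 1, len, f);
        fclose(f);
        return got == len ? 1 : 0;
    }
#endif
}

/* Returns 1 if at least one byte in buf is nonzero: a cheap sanity check that
   the generator wrote something, not a statistical randomness test. */
int buffer_has_entropy(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (buf[i] != 0)
            return 1;
    return 0;
}

/* Same shape as the test program in the report, with the checks applied:
   returns 1 when the call succeeded and produced a non-zero buffer. */
int demo(void)
{
    unsigned char tmp[10];
    if (!fill_random(tmp, sizeof tmp))
        return 0;
    return buffer_has_entropy(tmp, sizeof tmp);
}

int main(void)
{
    unsigned char tmp[10];
    size_t i;
    if (!fill_random(tmp, sizeof tmp)) {
        fprintf(stderr, "random generator failed\n");
        return 1;
    }
    for (i = 0; i < sizeof tmp; i++)
        printf("%02x", tmp[i]);
    printf("\n");
    return 0;
}
```

Run under Dr. Memory on Windows, the memset leaves nothing undefined for SystemFunction036 to read, so the UNINITIALIZED READ from the report should not appear; the return-value check is there because an RNG that fails silently leaves the zeroed buffer in use as "random" data.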
From timurrrr@google.com on June 21, 2011 03:19:32:
As of r343, the report looks different (this is Win XP 32-bit): Probably the difference is caused by a new ioctl handling code. Ryan,
From timurrrr@google.com on June 21, 2011 03:28:05:
Marking this as WontFix. Ryan, thanks for the info!
Status: WontFix
From timurrrr@google.com on June 21, 2011 03:28:56:
Issue 15 has been merged into this issue.
From timurrrr@google.com on July 20, 2011 07:34:00:
Derek, UNINITIALIZED READ
Status: Started
From bruen...@google.com on July 20, 2011 07:43:17:
I don't follow -- did something happen to trigger re-opening this issue?
From timurrrr@google.com on July 20, 2011 07:46:39:
From bruen...@google.com on July 20, 2011 13:28:38:
So this is still "SystemFunction036" (the chrome instances) even w/ symbols? What's the caller there? Seems to call advapi32!NewGenRandom on xpwow64. If it really is always a crypto func on all platforms w/ its buf param as OUT only, suppressing uninits seems reasonable. Though I wonder how many nearby non-exported functions show up as this (though that applies to other suppressions too).
From timurrrr@google.com on July 22, 2011 08:06:33:
No surprise SystemFunction036 keeps its name even with symbols since this is an exported symbol. Proof:
#include <windows.h>
#pragma comment(lib, "Ole32.lib")
int main() {
[XP 32-bit report with symbols]
From bruen...@google.com on July 22, 2011 08:14:47:
It has to be an exported symbol to show up w/o symbols, but w/o +offs (issue #290) it could easily be one of dozens of other functions in reality.
From timurrrr@google.com on July 22, 2011 11:36:35:
The uninits were suppressed in r412
Status: Fixed
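For anyone on a build older than r412, or who sees the same report through a nearby advapi32 export, the same effect can be had with a user suppression. The following is an added example, not the built-in rule that r412 shipped and not taken from the project's suppression files; it assumes Dr. Memory's documented suppression format (an error-type line, an optional name= line, then one callstack frame per line as module!function, with # for comments) and matches the top frame shown in the report above.

```text
# Added example suppression for the SystemFunction036 seed read.
# Matching starts at the top frame of the reported callstack, so the
# single ADVAPI32.dll!SystemFunction036 line covers all three frames
# in the report and any caller above them.
UNINITIALIZED READ
name=SystemFunction036 reads its output buffer as seed
ADVAPI32.dll!SystemFunction036
```

Pass the file with -suppress on the Dr. Memory command line (drmemory -suppress supp.txt -- test.exe). The suppression is deliberately narrow: it silences uninitialized reads inside that one export only, so a genuine uninitialized read in the caller, before the buffer reaches advapi32, is still reported.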
From bruen...@google.com on August 02, 2011 13:09:30:
xref issue #503 comment 7
From timurrrr@google.com on October 06, 2010 09:30:43:
As of r65, the following code gives 2 uninits below SystemFunction036:
===test.cpp===
#include <windows.h>
// SystemFunction036 is not declared in the SDK headers, so it is resolved at runtime.
typedef BOOL (WINAPI *SystemFunction036_T)(PVOID, ULONG);
SystemFunction036_T SystemFunction036;
int main() {
  char tmp[10]; // deliberately left uninitialized: this is the buffer the report is about
  HINSTANCE advapi32 = LoadLibraryA("advapi32.dll");
  SystemFunction036 = (SystemFunction036_T)GetProcAddress(advapi32, "SystemFunction036");
  (*SystemFunction036)(tmp, 10); // the call that produces the UNINITIALIZED READ below
  return 0;
}
->
Error #1: UNINITIALIZED READ: reading 0x0012ff10-0x0012ff14 4 byte(s)@0:00:04.513 in thread 3220
0x00aa8315 <ADVAPI32.dll+0x8315> ADVAPI32.dll!SystemFunction036
0x00aa82f3 <ADVAPI32.dll+0x82f3> ADVAPI32.dll!SystemFunction036
0x00aa82b6 <ADVAPI32.dll+0x82b6> ADVAPI32.dll!SystemFunction036
0x0040104e <test.exe+0x104e> test.exe!main z:\dr-sandbox\issues\systemfunction036\test.cpp:10
I really enjoyed the name of the function and the way libjingle uses it (http://google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/libjingle/source/talk/base/helpers.cc&q=source/talk/base/helpers.cc&l=66); looks like a hack...
But I also saw such reports in other advapi32.dll functions when they are used correctly.
According to http://source.winehq.org/WineAPI/SystemFunction036.html, this function invokes RtlGenRandom.
Original issue: http://code.google.com/p/drmemory/issues/detail?id=65