Core ReactOS
CORE-10482

Use after free of USER_SENT_MESSAGE when running user32_apitest:SendMessageTimeout


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Fix Version/s: 0.4.0
    • Component/s: Win32SS
    • Labels:

      Description

      Running r69810 with special pool:

      Running Wine Test, Module: user32, Test: SendMessageTimeout
      (..\dll\win32\kernel32\client\proc.c:696) Default environment has 'USERPROFILE=C:\Documents and Settings\Administrator' for new process C:\ReactOS\bin\user32_apitest.exe (C:\ReactOS\bin\user32_apitest.exe SendMessageTimeout)
      (..\ntoskrnl\mm\ARM3\procsup.c:409) Thread wants too much stack
      (..\win32ss\user\ntuser\callback.c:349) err: Error Callback to User space Status c00000fd
      (..\win32ss\user\ntuser\main.c:781) err: Thread exiting with locked stack. pti F484EE18
      (..\win32ss\user\ntuser\msgqueue.c:1282) err: NB Receiving Thread woken up dead!
      (..\win32ss\user\ntuser\msgqueue.c:1282) err: NB Receiving Thread woken up dead!
      (..\win32ss\user\ntuser\msgqueue.c:1282) err: NB Receiving Thread woken up dead!
      (..\win32ss\user\ntuser\msgqueue.c:1282) err: NB Receiving Thread woken up dead!
      (..\win32ss\user\ntuser\msgqueue.c:1282) err: NB Receiving Thread woken up dead!
      (..\win32ss\user\ntuser\msgqueue.c:1282) err: NB Receiving Thread woken up dead!
       
      *** Fatal System Error: 0x000000d5
                             (0xF4926FDC,0x00000000,0xF25FA3CE,0x00000000)
       
      Driver at fault: 
      ***    win32k.sys - Address F25FA3CE base at F258D000, DateStamp 5639fe5b
      .
      Break instruction exception - code 80000003 (first chance)
       
      A fatal system error has occurred.
      Debugger entered on first try; Bugcheck callbacks have not been invoked.
       
      A fatal system error has occurred.
       
      Connected to Windows Server 2003 3790 x86 compatible target at (Wed Nov  4 13:57:50.752 2015 (UTC + 1:00)), ptr64 FALSE
      Loading Kernel Symbols
      ....................................................
      Loading User Symbols
      ..............
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
       
      Use !analyze -v to get detailed debugging information.
       
      BugCheck D5, {f4926fdc, 0, f25fa3ce, 0}
       
      Probably caused by : win32k.sys ( win32k!co_MsqDispatchOneSentMessage+23e )
       
      Followup: MachineOwner
      ---------
       
      nt!RtlpBreakWithStatusInstruction:
      80519738 cc              int     3
      kd> !analyze -v
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
       
      DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
      Memory was referenced after it was freed.
      This cannot be protected by try-except.
      When possible, the guilty driver's name (Unicode string) is printed on
      the bugcheck screen and saved in KiBugCheckDriver.
      Arguments:
      Arg1: f4926fdc, memory referenced
      Arg2: 00000000, value 0 = read operation, 1 = write operation
      Arg3: f25fa3ce, if non-zero, the address which referenced memory.
      Arg4: 00000000, (reserved)
       
      Debugging Details:
      ------------------
       
       
      READ_ADDRESS:  f4926fdc 
       
      FAULTING_IP: 
      win32k!co_MsqDispatchOneSentMessage+23e [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\msgqueue.c @ 965]
      f25fa3ce 83793c00        cmp     dword ptr [ecx+3Ch],0
       
      MM_INTERNAL_CODE:  0
       
      IMAGE_NAME:  win32k.sys
       
      DEBUG_FLR_IMAGE_TIMESTAMP:  5639fe5b
       
      MODULE_NAME: win32k
       
      FAULTING_MODULE: f258d000 win32k
       
      DEFAULT_BUCKET_ID:  DRIVER_FAULT
       
      BUGCHECK_STR:  0xD5
       
      PROCESS_NAME:  user32_apitest.
       
      CURRENT_IRQL:  1
       
      TRAP_FRAME:  00000010 -- (.trap 0x10)
      Unable to read trap frame at 00000010
       
      LAST_CONTROL_TRANSFER:  from 8047dc56 to 80519738
       
      STACK_TEXT:  
      <snip>
       
       
      STACK_COMMAND:  kb
       
      FOLLOWUP_IP: 
      win32k!co_MsqDispatchOneSentMessage+23e [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\msgqueue.c @ 965]
      f25fa3ce 83793c00        cmp     dword ptr [ecx+3Ch],0
       
      FAULTING_SOURCE_CODE:  
         961:                                   Message->Msg.lParam);
         962:    }
         963: 
         964:    /* If the message is a callback, insert it in the callback senders MessageQueue */
      >  965:    if (Message->CompletionCallback)
         966:    {
         967:       if (Message->ptiCallBackSender)
         968:       {
         969:          Message->lResult = Result;
         970:          Message->QS_Flags |= QS_SMRESULT;
       
       
      SYMBOL_STACK_INDEX:  8
       
      SYMBOL_NAME:  win32k!co_MsqDispatchOneSentMessage+23e
       
      FOLLOWUP_NAME:  MachineOwner
       
      FAILURE_BUCKET_ID:  0xD5_win32k!co_MsqDispatchOneSentMessage+23e
       
      BUCKET_ID:  0xD5_win32k!co_MsqDispatchOneSentMessage+23e
       
      Followup: MachineOwner
      ---------
       
      kd> kp
      ChildEBP RetAddr  
      f207c664 8047dc56 nt!RtlpBreakWithStatusInstruction
      f207c694 8047e531 nt!KiBugCheckDebugBreak(unsigned long StatusCode = 3)+0x36 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 538]
      f207ca30 8047eb6e nt!KeBugCheckWithTf(unsigned long BugCheckCode = 0x50, unsigned long BugCheckParameter1 = 0xf4926fdc, unsigned long BugCheckParameter2 = 0, unsigned long BugCheckParameter3 = 0xf207cb84, unsigned long BugCheckParameter4 = 0, struct _KTRAP_FRAME * TrapFrame = 0xf207cb84)+0x551 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 1102]
      f207ca50 8049d1c9 nt!KeBugCheckEx(unsigned long BugCheckCode = 0x50, unsigned long BugCheckParameter1 = 0xf4926fdc, unsigned long BugCheckParameter2 = 0, unsigned long BugCheckParameter3 = 0xf207cb84, unsigned long BugCheckParameter4 = 0)+0x1e [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 1462]
      f207cb2c 804bda2b nt!MmArmAccessFault(unsigned char StoreInstruction = 0x00 '', void * Address = 0xf4926fdc, char Mode = 0n0 '', void * TrapInformation = 0xf207cb84)+0x739 [c:\ros\reactos-clean\reactos\ntoskrnl\mm\arm3\pagfault.c @ 1860]
      f207cb48 804fe785 nt!MmAccessFault(unsigned char StoreInstruction = 0x00 '', void * Address = 0xf4926fdc, char Mode = 0n0 '', void * TrapInformation = 0xf207cb84)+0x10b [c:\ros\reactos-clean\reactos\ntoskrnl\mm\mmfault.c @ 251]
      f207cb7c 804036ef nt!KiTrap0EHandler(struct _KTRAP_FRAME * TrapFrame = 0xf207cb84)+0x195 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1281]
      f207cb7c f25fa3ce nt!KiTrap0E+0x8f
      f207cc14 f25f07c2 win32k!co_MsqDispatchOneSentMessage(struct _THREADINFO * pti = 0xf475ae18)+0x23e [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\msgqueue.c @ 965]
      f207cc54 f25f0c75 win32k!co_IntPeekMessage(struct tagMSG * Msg = 0xf207ccc0, struct _WND * Window = 0x00000000, unsigned int MsgFilterMin = 0, unsigned int MsgFilterMax = 0, unsigned int RemoveMsg = 1, long * ExtraInfo = 0xf207cc8c, int bGMSG = 0)+0x82 [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\message.c @ 840]
      f207cc90 f25f2e91 win32k!co_IntGetPeekMessage(struct tagMSG * pMsg = 0xf207ccc0, struct HWND__ * hWnd = 0x00000000, unsigned int MsgFilterMin = 0, unsigned int MsgFilterMax = 0, unsigned int RemoveMsg = 1, int bGMSG = 0)+0xd5 [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\message.c @ 1064]
      f207ccf8 804ff949 win32k!NtUserPeekMessage(struct tagMSG * pMsg = 0x0067ff9c, struct HWND__ * hWnd = 0x00000000, unsigned int MsgFilterMin = 0, unsigned int MsgFilterMax = 0, unsigned int RemoveMsg = 1)+0x71 [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\message.c @ 2188]
      f207cd1c 804feefd nt!KiSystemCallTrampoline(void * Handler = 0xf25f2e20, void * Arguments = 0x0067ff44, unsigned long StackBytes = 0x14)+0x19 [c:\ros\reactos-clean\reactos\ntoskrnl\include\internal\i386\ke.h @ 742]
      f207cd5c 80403e13 nt!KiSystemServiceHandler(struct _KTRAP_FRAME * TrapFrame = 0xf207cd64, void * Arguments = 0x0067ff44)+0x22d [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1738]
      f207cd5c 7c92d1de nt!KiFastCallEntry+0x8c
      0067ff38 7c5d53dd ntdll!KiFastSystemCallRet
      0067ff3c 7c5c57cb user32!NtUserPeekMessage+0xc
      0067ff60 7c5c57ff user32!PeekMessageWorker(struct tagMSG * pMsg = 0x0067ff9c, struct HWND__ * hWnd = 0x00000000, unsigned int wMsgFilterMin = 0, unsigned int wMsgFilterMax = 0, unsigned int wRemoveMsg = 1)+0x11b [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 2128]
      0067ff80 00422ab2 user32!PeekMessageA(struct tagMSG * lpMsg = 0x0067ff9c, struct HWND__ * hWnd = 0x00000000, unsigned int wMsgFilterMin = 0, unsigned int wMsgFilterMax = 0, unsigned int wRemoveMsg = 1)+0x1f [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 2144]
      0067ffb8 7c7da124 user32_apitest!Thread1(void * Parameter = 0x20000000)+0xf2 [c:\ros\reactos-clean\reactos\modules\rostests\apitests\user32\sendmessagetimeout.c @ 126]
      0067ffec 00000000 kernel32!BaseThreadStartup(<function> * lpStartAddress = 0x004229c0, void * lpParameter = 0x20000000)+0x54 [c:\ros\reactos-clean\reactos\dll\win32\kernel32\client\thread.c @ 69]
      kd> dv
                  pti = 0xf475ae18
              Message = 0xf4926fa0
                Entry = 0xf4926fa0
               Result = 0
                  Ret = 0xf45daff0
              SaveMsg = 0x00000000
      kd> dd 0xf4926fa0
      f4926fa0  ???????? ???????? ???????? ????????
      f4926fb0  ???????? ???????? ???????? ????????
      f4926fc0  ???????? ???????? ???????? ????????
      f4926fd0  ???????? ???????? ???????? ????????
      f4926fe0  ???????? ???????? ???????? ????????
      f4926ff0  ???????? ???????? ???????? ????????
      f4927000  ???????? ???????? ???????? ????????
      f4927010  ???????? ???????? ???????? ????????

              People

              • Assignee: jimtabor
              • Reporter: ThFabba