Uploaded image for project: 'Core ReactOS'
  1. Core ReactOS
  2. CORE-13415

Pool use after free when running user32_winetest:dce

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 0.4.6
    • Win32SS
    • None

    Description

      *** Fatal System Error: 0x000000d5
      		 
                             (0xF64B3FD0,0x00000000,0xF22BE162,0x00000000)
      		 
       
      		 
      Driver at fault: 
       
      		 
      ***    win32k.sys - Address F22BE162 base at F228B000, DateStamp 58bad0d2
      		 
       
      		 
      .
      		 
      
      		 
      Entered debugger on embedded INT3 at 0x0008:0x80942954.
      		 
      kdb:>
      		 
       bt
      		 
      Eip:
      		 
      <NTOSKRNL.EXE:142955 (:0 (RtlpBreakWithStatusInstruction))>
      		 
      Frames:
      		 
      <NTOSKRNL.EXE:827fd (ntoskrnl/ke/bug.c:1100 (KeBugCheckWithTf))>
      		 
      <NTOSKRNL.EXE:82dd4 (ntoskrnl/ke/bug.c:1456 (KeBugCheckEx))>
      		 
      <NTOSKRNL.EXE:aa633 (ntoskrnl/mm/ARM3/pagfault.c:1989 (MmArmAccessFault))>
      		 
      <NTOSKRNL.EXE:dbc16 (ntoskrnl/mm/mmfault.c:251 (MmAccessFault))>
      		 
      <NTOSKRNL.EXE:126b5a (ntoskrnl/ke/i386/traphdlr.c:1278 (KiTrap0EHandler))>
      		 
      <NTOSKRNL.EXE:36ac (:0 (KiTrap0E))>
      		 
      <win32k.sys:3315d (win32ss/user/ntuser/class.c:262 (IntDestroyClass))>
      		 
      <win32k.sys:3397c (win32ss/user/ntuser/class.c:314 (DestroyProcessClasses))>
      		 
      <win32k.sys:173d2 (win32ss/user/ntuser/main.c:762 (ExitThreadCallback))>
      		 
      <win32k.sys:17e1d (win32ss/user/ntuser/main.c:866 (Win32kThreadCallback))>
      		 
      <NTOSKRNL.EXE:101c9c (ntoskrnl/ps/kill.c:743 (PspExitThread))>
      		 
      <NTOSKRNL.EXE:1020cc (ntoskrnl/ps/kill.c:1017 (PspTerminateThreadByPointer))>
      		 
      <NTOSKRNL.EXE:102a1f (ntoskrnl/ps/kill.c:1249 (NtTerminateProcess))>
      		 
      <NTOSKRNL.EXE:127864 (ntoskrnl/include/internal/i386/ke.h:706 (KiSystemServiceHandler))>
      		 
      <NTOSKRNL.EXE:3da9 (:0 (KiFastCallEntry))>
      		 
      <ntdll.dll:c81d>
      		 
      <msvcrt.dll:1499e>
      		 
      <user32_winetest.exe:100498>
      		 
      <user32_winetest.exe:1004cb>
      		 
      <kernel32.dll:10412>
      		 
      <00000000>

      The DCE has already been freed through DceFreeThreadDCE at this point.
      Windows protects against this by avoiding the ExFreePool call in certain cases and deferring cleanup until process exit (W32PF_OWNDCCLEANUP). We don't implement that so we try to free the DCE twice.

      Attachments

        Issue Links

          blocks

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CORE-10380 Use special pool for win32k allocations

          • Major - Major loss of function.
          • Open

          Activity

            People

              ThFabba ThFabba
              ThFabba ThFabba
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: