
Fuzzing NtUserCreateAcceleratorTable with ROCALL causes BSoD


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major

    Description

      ReactOS 0.4.15-x86-dev (Build 20220320-755631e). The debug log exceeds the maximum size; here's the trace:

      (/win32ss/user/ntuser/winsta.c:1020) err: Validation of window station handle (7FFFFFFE) failed
      (/win32ss/user/ntuser/winsta.c:1020) err: Validation of window station handle (FFFFFFFF) failed
      (/win32ss/user/ntuser/winsta.c:1020) err: Validation of window station handle (0000FFFE) failed
      (/win32ss/user/ntuser/winsta.c:1020) err: Validation of window station handle (00000001) failed
      (/win32ss/user/ntuser/winsta.c:1020) err: Validation of window station handle (FFFFFFFF) failed
      (/win32ss/user/ntuser/winsta.c:1020) err: Validation of window station handle (00000001) failed
      (/win32ss/user/ntuser/winsta.c:1020) err: Validation of window station handle (0000FFFE) failed
      (/win32ss/user/ntuser/winsta.c:1020) err: Validation of window station handle (FFFFFFFE) failed
      (/ntoskrnl/mm/ARM3/pool.c:497) FAILED to allocate 4294967290 bytes from paged pool
      (/ntoskrnl/mm/ARM3/pool.c:497) FAILED to allocate 4294967284 bytes from paged pool
      (/ntoskrnl/mm/ARM3/pool.c:497) FAILED to allocate 4294967290 bytes from paged pool
      (/ntoskrnl/mm/ARM3/pool.c:497) FAILED to allocate 4294967284 bytes from paged pool
      *** Assertion failed: NumberOfBytes != 0
      ***   Source File: /ntoskrnl/mm/ARM3/expool.c, line 1919
      Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? 
      kdb:> o
      Execute '.cxr F8E59964' to dump context
      
      Entered debugger on embedded INT3 at 0x0008:0x8058B775.
      kdb:> bt
      Eip:
      <ntoskrnl.exe:18b776 (home/runner/work/reactos/reactos/build/../src/sdk/lib/rtl/i386/debug_asm.S:33 (DbgBreakPoint))>
      Frames:
      <ntoskrnl.exe:ad0b1 (ntoskrnl/mm/ARM3/expool.c:1919 (ExAllocatePoolWithTag))>
      <win32k.sys:2401b (win32ss/user/ntuser/accelerator.c:266 (NtUserCreateAcceleratorTable))>
      <ntoskrnl.exe:3fe5 (:0 (KiSystemCallTrampoline))>
      <ntoskrnl.exe:14e739 (ntoskrnl/ke/i386/traphdlr.c:1840 (KiSystemServiceHandler))>
      <ntoskrnl.exe:3e2f (:0 (KiFastCallEntry))>
      <ntdll.dll:10181>
      <ROCALL_checked.exe:1203>
      <kernel32.dll:1c97b>
      kdb:> cont
      (/ntoskrnl/mm/ARM3/pool.c:497) FAILED to allocate 4294967284 bytes from paged pool
      (/ntoskrnl/mm/ARM3/pool.c:497) FAILED to allocate 4294967284 bytes from paged pool
      *** Assertion failed: NumberOfBytes != 0
      ***   Source File: /ntoskrnl/mm/ARM3/expool.c, line 1919
      Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? 
      kdb:>  
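      The two pool sizes in the trace, 4294967290 and 4294967284, are 2^32 - 6 and 2^32 - 12: what a signed entry count of -1 or -2 multiplied by a 6-byte ACCEL yields once truncated to a 32-bit SIZE_T, while a count of 0 reaches ExAllocatePoolWithTag as NumberOfBytes == 0 and trips the assertion. The following C example is added here and is not ReactOS or ROCALL code; it assumes the Win32 ACCEL layout (BYTE fVirt; WORD key; WORD cmd) and reproduces the unchecked arithmetic next to the count validation that keeps such requests away from the allocator.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the Win32 ACCEL entry (BYTE fVirt; WORD key; WORD cmd).
 * Assumption: natural alignment gives 6 bytes, which is the only size that
 * makes the trace's 2^32-6 and 2^32-12 come out of counts -1 and -2. */
typedef struct { uint8_t fVirt; uint16_t key; uint16_t cmd; } ACCEL;
_Static_assert(sizeof(ACCEL) == 6, "ACCEL stand-in must be 6 bytes");

/* Unchecked size arithmetic: a signed entry count times sizeof(ACCEL),
 * truncated to the 32-bit SIZE_T the x86 pool allocator receives. Done in
 * unsigned arithmetic so the wrap-around is well defined in C. */
uint32_t naive_table_size(int32_t entries)
{
    return (uint32_t)entries * (uint32_t)sizeof(ACCEL);
}

/* Work backwards from a wrapped size in the trace to the count that
 * produced it: reinterpret the size as signed and divide by the entry size. */
int32_t entries_from_wrapped_size(uint32_t bytes)
{
    return (int32_t)bytes / (int32_t)sizeof(ACCEL);
}

/* Hardened version: reject non-positive counts (zero trips the
 * NumberOfBytes != 0 assertion, negatives wrap to ~4 GB requests) and
 * multiplication overflow before the allocator is ever reached.
 * Returns the byte count, or 0 when the request must be refused. */
uint32_t checked_table_size(int32_t entries)
{
    if (entries <= 0)
        return 0;
    if ((uint32_t)entries > UINT32_MAX / (uint32_t)sizeof(ACCEL))
        return 0;
    return (uint32_t)entries * (uint32_t)sizeof(ACCEL);
}

int main(void)
{
    /* Constructed inputs mirroring the counts behind the log's two sizes. */
    int32_t fuzzed[] = { -1, -2, 0, 3 };
    for (size_t i = 0; i < 4; i++)
        printf("count %d -> naive %u bytes, checked %u bytes\n", fuzzed[i],
               naive_table_size(fuzzed[i]), checked_table_size(fuzzed[i]));
    printf("4294967290 bytes implies count %d\n",
           entries_from_wrapped_size(4294967290u));
    return 0;
}
```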


      People

        Assignee: Unassigned
        Reporter: ctasan
