Information

  • This crash occurs at win32kfull!vStrWrite01+0x8b as a result of a non-paged pointer dereference
  • Later in the same function it is possible to write back to this pointer

BugCheck:

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffffddace291000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffffdb7dbdd52db, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)

Stack at crash:

nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x906
nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x196bc3
nt!MmAccessFault+0x218
nt!KiPageFault+0x360
win32kfull!vStrWrite01+0x8b
win32kfull!EngStretchBltNew+0xc87
win32kfull!EngStretchBlt+0xd4
win32kfull!EngStretchBltROP+0x325
win32kfull!BLTRECORD::bStretch+0x37f
win32kfull!GreStretchBltInternal+0x733
win32kfull!NtGdiStretchBlt+0x68
win32k!NtGdiStretchBlt+0x81
nt!KiSystemServiceCopyEnd+0x25
win32u!NtGdiStretchBlt+0x14
gdi32full!StretchBlt+0xaf
GDI32!StretchBltStub+0x91
poc!main+0x83 [r:\poc\poc\main.c @ 12]

Registers:

rax=0000000000000008 rbx=0000000000000000 rcx=0000000000000000
rdx=fffffddac7280ff0 rsi=0000000000000000 rdi=0000000000000000
rip=fffffdb7dbdd52db rsp=fffff98de5c66b60 rbp=fffff98de5c66be0
 r8=fffffddace291000  r9=0000000000000100 r10=0000000000000001
r11=fffffdb7dbcf0000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
win32kfull!vStrWrite01+0x8b:
fffffdb7`dbdd52db 418b10          mov     edx,dword ptr [r8] ds:fffffdda`ce291000=????????
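
The following triage cross-check is an added example, not part of the original report or the attached PoC. It parses the bugcheck arguments, registers and faulting instruction shown above and confirms they describe the same access; the names `triage` and `DUMP` are illustrative, and all values are copied from this page.

```python
import re

# Excerpts copied from the bugcheck, register and disassembly output on this page.
DUMP = """\
Arg1: fffffddace291000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffffdb7dbdd52db, If non-zero, the instruction address which referenced the bad memory address.
rax=0000000000000008 rbx=0000000000000000 rcx=0000000000000000
rdx=fffffddac7280ff0 rsi=0000000000000000 rdi=0000000000000000
rip=fffffdb7dbdd52db rsp=fffff98de5c66b60 rbp=fffff98de5c66be0
 r8=fffffddace291000  r9=0000000000000100 r10=0000000000000001
fffffdb7`dbdd52db 418b10          mov     edx,dword ptr [r8] ds:fffffdda`ce291000=????????
"""

PAGE_SIZE = 0x1000  # x64 small page


def triage(text):
    """Cross-check bugcheck 0x50 arguments against registers and the faulting instruction."""
    args = {int(n): int(v, 16) for n, v in re.findall(r"Arg(\d): ([0-9a-f]{16})", text)}
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(r\w{1,2})=([0-9a-f]{16})", text)}
    # WinDbg disassembly line: address (with backtick), opcode bytes, mnemonic, operands.
    insn = re.search(r"^([0-9a-f]{8})`([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(.*?)\s+ds:", text, re.M)
    insn_addr = int(insn.group(1) + insn.group(2), 16)
    mem_reg = re.search(r"\[(\w+)\]", insn.group(4)).group(1)  # register used as the pointer
    return {
        "access": "write" if args[2] else "read",
        "fault_address": args[1],
        "instruction_matches_arg3": insn_addr == args[3] == regs["rip"],
        "pointer_register": mem_reg,
        "register_matches_arg1": regs[mem_reg] == args[1],
        "registers_holding_address": sorted(r for r, v in regs.items() if v == args[1]),
        # General background: verifier flag 0x1 is special pool, which places a guard
        # page after each allocation, so a page-aligned fault address is worth noting.
        "page_aligned": args[1] % PAGE_SIZE == 0,
    }


if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key}: {value:#x}" if key == "fault_address" else f"{key}: {value}")
```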

Reproduce:

  1. Compile the attached PoC and copy it to the target machine
  2. Enable verifier flags 0x1 for the win32k drivers
  3. Run the compiled PoC; the machine will crash with a BSOD

PoC:
attached


Attachments:
main.c

References:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0791