Information

  • The crash occurs at win32kfull!vStrWrite04+0x18a as a result of an invalid pointer dereference (PAGE_FAULT_IN_NONPAGED_AREA); the faulting instruction reads a dword from the address held in r8
  • Later in the same function it is possible to write back through this pointer

BugCheck:

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffa9d2c7b19000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: ffffa9abc18bc7ca, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)

Stack at crash:

nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x952
nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x195f11
nt!MmAccessFault+0x34f
nt!KiPageFault+0x360
win32kfull!vStrWrite04+0x18a
win32kfull!EngStretchBltNew+0xc89
win32kfull!EngStretchBlt+0xd1
win32kfull!EngStretchBltROP+0x319
win32kfull!BLTRECORD::bStretch+0x37f
win32kfull!GreStretchBltInternal+0x721
win32kfull!NtGdiStretchBlt+0x68
nt!KiSystemServiceCopyEnd+0x25
win32u!NtGdiStretchBlt+0x14
gdi32full!StretchBlt+0xaf
GDI32!StretchBltStub+0x90
poc+0x1156

Registers:

Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000002 rsi=0000000000000000 rdi=0000000000000000
rip=ffffa9abc18bc7ca rsp=fffff408294d6b50 rbp=fffff408294d6bb9
 r8=ffffa9d2c7b19000  r9=0000000000000000 r10=0000000000000000
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
win32kfull!vStrWrite04+0x18a:
ffffa9ab`c18bc7ca 418b10          mov     edx,dword ptr [r8] ds:ffffa9d2`c7b19000=????????

Reproduce:

  1. Compile the attached PoC and copy it to the target machine
  2. Enable Driver Verifier with flag 0x1 (Special Pool) for the win32k drivers (e.g. win32kfull.sys) and reboot
  3. Run the compiled PoC; the machine will crash with a BSOD
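
The verifier step above, as an added example that is not part of the original report: the commands an elevated prompt needs to turn Special Pool (flag 0x1) on for the win32k image that faults, confirm the setting, and clear it again afterwards. Including win32kbase.sys next to win32kfull.sys is an assumption; only win32kfull.sys appears in the crash stack.

```powershell
# Added example, not from the original report. Run from an elevated PowerShell
# prompt on the target machine; Driver Verifier settings take effect after a reboot.
# Assumption: win32kbase.sys is listed alongside win32kfull.sys (only
# win32kfull.sys appears in the crash stack).

$drivers = @('win32kfull.sys', 'win32kbase.sys')

# 0x1 = Special Pool: the driver's pool allocations are placed on guarded pages,
# so a read or write past the end of an allocation, or to freed pool, faults
# immediately instead of silently corrupting neighbouring memory. That is why
# the report asks for this flag before running the PoC.
verifier /flags 0x1 /driver $drivers

# Show the settings that will be active after the reboot.
verifier /querysettings

# Reboot so Driver Verifier picks up the new settings, then run the compiled PoC.
# Restart-Computer

# When finished, clear the verifier settings (takes effect after another reboot):
# verifier /reset
```

Leave the flag set only while reproducing: Special Pool on win32k adds noticeable overhead and can change pool layout, so a crash dump taken with it enabled should be read with that in mind.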

PoC:
attached


Attachments:
poc.c

References:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1247