Information

  • This crash occurs at win32kfull!pxrlStrRead01AND+0x5b as a result of an invalid pointer dereference in non-paged system memory: the faulting instruction mov r15d,dword ptr [r14] reads from r14 = ffffa9d2caad70bc (bugcheck Arg1), reached from user mode through NtGdiStretchBlt

BugCheck:

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffa9d2caad70bc, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: ffffa9abc166f66b, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)

Stack at crash:

nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x952
nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x195f11
nt!MmAccessFault+0x34f
nt!KiPageFault+0x360
win32kfull!pxrlStrRead01AND+0x5b
win32kfull!EngStretchBltNew+0xdca
win32kfull!EngStretchBlt+0xd1
win32kfull!EngStretchBltROP+0x158
win32kfull!BLTRECORD::bStretch+0x37f
win32kfull!GreStretchBltInternal+0x721
win32kfull!NtGdiStretchBlt+0x68
nt!KiSystemServiceCopyEnd+0x25
win32u!NtGdiStretchBlt+0x14
gdi32full!StretchBlt+0xaf
GDI32!StretchBltStub+0x90
poc+0x109c

Registers:

rax=0000000000000000 rbx=0000000000000017 rcx=0000000000000004
rdx=ffffa9d2caaf8fe0 rsi=0000000000000001 rdi=0000000000000000
rip=ffffa9abc166f66b rsp=fffff40828c6ebf8 rbp=fffff40828c6f290
 r8=ffffa9d2caaf6fe0  r9=ffffa9d2c81e0000 r10=fffffffffff006f7
r11=0000000000000000 r12=fffff40828c6eef0 r13=0000000000000000
r14=ffffa9d2caad70bc r15=fffff40828c6f8d8
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040246
win32kfull!pxrlStrRead01AND+0x5b:
ffffa9ab`c166f66b 458b3e          mov     r15d,dword ptr [r14] ds:002b:ffffa9d2`caad70bc=????????
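Added here as an example of how a report like this is sanity-checked and bucketed during fuzzing triage; it is not part of the original report or of the attached PoC. The Python script below parses the bugcheck arguments, stack, registers and faulting instruction (the sample text is copied from the sections above and embedded so it runs offline), confirms that Arg3 equals rip, that the register dereferenced by the faulting instruction (r14) holds Arg1, and that Arg2 marks a read, then builds a dedup key from the bugcheck name, crash frame, access type and register. The regexes, the field names in the returned dict and the near-null threshold are this example's own choices, not anything WinDbg or the page defines.

```python
import re

# Constructed sample input: the bugcheck arguments, stack, registers and
# faulting instruction copied from the crash report above, embedded here so
# the script runs offline. In practice this text comes from a dump file or
# a fuzzer's crash log.
CRASH_TEXT = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: ffffa9d2caad70bc, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: ffffa9abc166f66b, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)
nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x195f11
nt!MmAccessFault+0x34f
nt!KiPageFault+0x360
win32kfull!pxrlStrRead01AND+0x5b
win32kfull!EngStretchBltNew+0xdca
win32kfull!EngStretchBlt+0xd1
win32kfull!EngStretchBltROP+0x158
win32kfull!BLTRECORD::bStretch+0x37f
win32kfull!GreStretchBltInternal+0x721
win32kfull!NtGdiStretchBlt+0x68
nt!KiSystemServiceCopyEnd+0x25
win32u!NtGdiStretchBlt+0x14
gdi32full!StretchBlt+0xaf
GDI32!StretchBltStub+0x90
poc+0x109c
rax=0000000000000000 rbx=0000000000000017 rcx=0000000000000004
rdx=ffffa9d2caaf8fe0 rsi=0000000000000001 rdi=0000000000000000
rip=ffffa9abc166f66b rsp=fffff40828c6ebf8 rbp=fffff40828c6f290
 r8=ffffa9d2caaf6fe0  r9=ffffa9d2c81e0000 r10=fffffffffff006f7
r11=0000000000000000 r12=fffff40828c6eef0 r13=0000000000000000
r14=ffffa9d2caad70bc r15=fffff40828c6f8d8
ffffa9ab`c166f66b 458b3e          mov     r15d,dword ptr [r14] ds:002b:ffffa9d2`caad70bc=????????
"""

BUG_RE = re.compile(r"^([A-Z_]+) \(([0-9a-fA-F]+)\)", re.M)
ARG_RE = re.compile(r"^Arg(\d): ([0-9a-f]{16})", re.M)
REG_RE = re.compile(r"\b(r(?:[a-d]x|[sd]i|[sb]p|ip|\d+))=([0-9a-f]{16})")
FRAME_RE = re.compile(r"^(\w+)!([\w:]+)(?:\+0x[0-9a-f]+)?$", re.M)
MEM_RE = re.compile(r"ptr \[([a-z0-9]+)")


def triage(text):
    """Cross-check a bugcheck 0x50 report and derive a dedup bucket."""
    name, code = BUG_RE.search(text).groups()
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    regs = {n: int(v, 16) for n, v in REG_RE.findall(text)}
    frames = FRAME_RE.findall(text)          # (module, symbol); offsets dropped
    # The first frame outside nt! is the crash site; the Nt* frame in the same
    # module is the syscall the user-mode PoC entered the kernel through.
    module, sym = next((m, s) for m, s in frames if m != "nt")
    syscall = next(s for m, s in frames if m == module and s.startswith("Nt"))
    base = MEM_RE.search(text).group(1)      # register holding the bad pointer
    access = "read" if args[2] == 0 else "write"
    return {
        "bugcheck": name,
        "code": int(code, 16),
        "access": access,
        "bad_addr": args[1],
        "near_null": args[1] < 0x10000,      # NULL-deref vs. wild/freed pointer
        "rip_matches_arg3": regs["rip"] == args[3],
        "fault_reg": base,
        "reg_holds_bad_addr": regs.get(base) == args[1],
        "crash_frame": f"{module}!{sym}",
        "syscall": syscall,
        "bucket": f"{name}|{module}!{sym}|{access}|{base}",
    }


if __name__ == "__main__":
    for k, v in triage(CRASH_TEXT).items():
        print(f"{k:>20}: {hex(v) if type(v) is int else v}")
```

Run it as a plain script; the two boolean checks should come out True for this report, and the bucket string is what a fuzzer's crash database would key on so that the same crash under different build offsets is not counted twice.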

Reproduce:

  1. Compile the attached PoC and copy it to the target machine
  2. Enable Driver Verifier with flag 0x1 (Special Pool) for the win32k drivers (e.g. win32kfull.sys, where the crash occurs) and reboot
  3. Run the compiled PoC; the machine will crash with the BSOD shown above

PoC:
attached


Attachments:
poc.c

References:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1510
https://research.checkpoint.com/2020/bugs-on-the-windshield-fuzzing-the-windows-kernel/