The NtGdiDdDDISetHwProtectionTeardownRecovery (0x121B) service implemented in Windows 10 TH2 has no validation of its input parameter, which is a pointer.
This feature(?) has existed since the TH2 release and is confirmed in the 10586.456 version of Win32k.
It was fixed only in RS1 builds; below is 14372 (so it has been in production for about a year).
The service is implemented in win32kbase.sys and can be easily used to crash the system.

Code:
.text:00000001C00BA0C0 public NtGdiDdDDISetHwProtectionTeardownRecovery
.text:00000001C00BA0C0 NtGdiDdDDISetHwProtectionTeardownRecovery proc near
.text:00000001C00BA0C0 xor r8d, r8d
.text:00000001C00BA0C3 mov edx, 1
.text:00000001C00BA0C8 cmp [rcx+4], r8d //<- Have a nice BSOD
.text:00000001C00BA0CC setz r8b
.text:00000001C00BA0D0 xor ecx, ecx
.text:00000001C00BA0D2 jmp DCompositionForceRender
.text:00000001C00BA0D2 NtGdiDdDDISetHwProtectionTeardownRecovery endp

New service -> new bug. Nice code quality.

Code:
.text:00000001C00C96A0 public NtGdiDdDDISetHwProtectionTeardownRecovery
.text:00000001C00C96A0 NtGdiDdDDISetHwProtectionTeardownRecovery proc near
.text:00000001C00C96A0
.text:00000001C00C96A0 arg_8 = qword ptr 10h
.text:00000001C00C96A0
.text:00000001C00C96A0 sub rsp, 28h
.text:00000001C00C96A4 cmp rcx, cs:W32UserProbeAddress
.text:00000001C00C96AB cmovnb rcx, cs:W32UserProbeAddress
.text:00000001C00C96B3 movsd xmm0, qword ptr [rcx]
.text:00000001C00C96B7 movsd [rsp+28h+arg_8], xmm0
.text:00000001C00C96BD xor r8d, r8d
.text:00000001C00C96C0 cmp dword ptr [rsp+28h+arg_8+4], r8d
.text:00000001C00C96C5 setz r8b
.text:00000001C00C96C9 mov edx, 1
.text:00000001C00C96CE xor ecx, ecx
.text:00000001C00C96D0 call DCompositionForceRender
.text:00000001C00C96D5 jmp short loc_1C00C96DC
.text:00000001C00C96D7 ; ---------------------------------------------------------------------------
.text:00000001C00C96D7 mov eax, 0C000000Dh
.text:00000001C00C96DC
.text:00000001C00C96DC loc_1C00C96DC:
.text:00000001C00C96DC add rsp, 28h
.text:00000001C00C96E0 retn
.text:00000001C00C96E0 NtGdiDdDDISetHwProtectionTeardownRecovery endp
Ring0 - the source of inspiration