[Cryptography] Windows security leads to 0-day in Windows security

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Nov 2 06:01:08 EST 2020


Stephan Neuhaus <stephan.neuhaus at zhaw.ch> writes:

>It seems strange to me that one of the better C/C++ compilers out there
>(Visual Studio) wouldn't see the potential for an integer overflow here.

Visual Studio is pretty good about warning about truncation/type conversion
errors if you set the warning level to 4 (and then disable the warnings for
Windows headers to allow them to compile, which leads me to believe that
Windows code isn't built with /W4), but doesn't do much to look for possible
over/underflow.  PREfast finds nothing in the code, two other good checkers
that perform a different type of analysis, PVS-Studio and cppcheck, similarly
find, or at least report, nothing.  I'll raise a case with the devs (the PVS-
Studio devs are particularly good here; whenever a vuln like this comes out
they tend to add a means of checking for it pretty quickly), but it may be
that warning for something like this will result either in an avalanche of
false positives or the need to apply not-necessarily-practical levels of
analysis to detect the problem.  If you look at the code flow analysis here
you need to either flow backwards from the use of the buffer to the allocation
to the allocate-size-calculation, or know that BCryptAlloc() is an allocation
function and flow back to the size calculation, to find it:

NTSTATUS CfgAdtpFormatPropertyBlock(PBYTE SourceBuffer, USHORT SourceLength, PUNICODE_STRING Destination) {
	/* 6 * SourceLength is computed as int, then the cast discards the high bits:
	   for SourceLength >= 10923 the product no longer fits in 16 bits */
	CONST USHORT DestinationSize = (USHORT)(6 * SourceLength);
	PWCHAR OutputBuffer = BCryptAlloc(DestinationSize);

	/* the loop is driven by SourceLength, not by the (possibly truncated) DestinationSize */
	for (USHORT i = 0; i < SourceLength; i++) {
		*OutputBuffer++ = "0123456789abcdef"[*SourceBuffer >> 4];
		*OutputBuffer++ = "0123456789abcdef"[*SourceBuffer & 0xF];
		*OutputBuffer++ = ' ';
		SourceBuffer++;
	}

	Destination->MaximumLength = DestinationSize;
	Destination->Length = DestinationSize - 2;
	Destination->Buffer = OutputBuffer;

	return STATUS_SUCCESS;
}

Peter.
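As an added illustration (not part of Peter Gutmann's post, and not Windows or Project Zero code), here is a user-mode C model of the size calculation above. USHORT is modelled as uint16_t, BCryptAlloc is never called, and the function names are invented for the example; the point is to make the gap between "bytes allocated" and "bytes the loop writes" computable, and to show the checked calculation a fix would use instead of the bare cast.

```c
/* Added example: user-mode model of the DestinationSize computation in
   CfgAdtpFormatPropertyBlock. USHORT is modelled as uint16_t (assumption);
   nothing here allocates or writes memory, it only computes sizes. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* two hex UTF-16 code units plus one space per input byte = 3 units = 6 bytes */
#define BYTES_PER_INPUT_BYTE 6u

/* The original computation: the multiply is done in int (no overflow there),
   then the explicit (USHORT) cast throws away the high bits. That explicit
   cast is what marks the narrowing as intentional to the compiler, so
   truncation warnings such as MSVC C4244 or GCC -Wconversion stay silent. */
uint16_t vulnerable_dest_size(uint16_t source_length) {
    return (uint16_t)(BYTES_PER_INPUT_BYTE * source_length);
}

/* Bytes the formatting loop writes for this input length: it is driven by
   SourceLength alone and never looks at DestinationSize. */
size_t bytes_written_by_loop(uint16_t source_length) {
    return (size_t)source_length * BYTES_PER_INPUT_BYTE;
}

/* Bytes the loop would write past the truncated allocation; 0 when safe. */
size_t overrun_bytes(uint16_t source_length) {
    size_t alloc = vulnerable_dest_size(source_length);
    size_t need = bytes_written_by_loop(source_length);
    return need > alloc ? need - alloc : 0;
}

/* Smallest SourceLength for which the 16-bit product wraps. */
uint16_t smallest_overflowing_length(void) {
    for (uint32_t n = 0; n <= UINT16_MAX; n++)
        if (BYTES_PER_INPUT_BYTE * n > UINT16_MAX) return (uint16_t)n;
    return 0;
}

/* The checked form a fix would use: compute in a wide type and refuse any
   result that does not fit the 16-bit Length/MaximumLength fields of a
   UNICODE_STRING. Returns the size, or -1 when it would have wrapped. */
int32_t checked_dest_size(uint16_t source_length) {
    uint32_t full = BYTES_PER_INPUT_BYTE * (uint32_t)source_length;
    if (full > UINT16_MAX) return -1;
    return (int32_t)full;
}

int main(void) {
    uint16_t n = smallest_overflowing_length();
    uint16_t safe_n = (uint16_t)(n - 1);
    printf("len %u: alloc %u bytes, loop writes %zu bytes, overrun %zu\n",
           n, vulnerable_dest_size(n), bytes_written_by_loop(n), overrun_bytes(n));
    printf("len %u: alloc %u bytes, overrun %zu\n",
           safe_n, vulnerable_dest_size(safe_n), overrun_bytes(safe_n));
    printf("checked_dest_size(%u) -> %d, checked_dest_size(%u) -> %d\n",
           safe_n, checked_dest_size(safe_n), n, checked_dest_size(n));
    return 0;
}
```

The numbers make the analysis problem concrete: at SourceLength 10922 the product is 65532 and everything is consistent, at 10923 the allocation shrinks to 2 bytes while the loop still writes 65538. A checker that wants to flag this has to connect the value that came out of an explicit, apparently intentional cast to the write count of a loop further down, which is the backward flow from buffer use to allocation to size calculation that Peter describes, and why a plain truncation warning (silenced by the cast) does not catch it.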
