December 18th, 2007

Not every first-chance exception is a security vulnerability

In the category of dubious vulnerability, I submit the following (paraphrased) report:

If I call the FormatMessage function, I can cause a buffer overflow exception if I provide an insertion that is more than 2000 characters long.

The FormatMessage function in Windows NT, 2000 and XP used the dynamically expanding buffer technique to allocate memory for the resulting message. If the resulting string was more than one page in length (4KB on an x86 system), there was an exception thrown when the FormatMessage function tried to write to the 4096th byte of the buffer. This looks like a buffer overflow, and in a sense it is, but it’s a controlled overflow (the bytes beyond the end of the buffer are under the program’s control), the exception is entirely expected, and it is correctly handled. Using intentionally invalid pages to trigger just-in-time memory commit is a rare technique, so it’s not surprising that people aren’t familiar with it. In fact, to avoid these sorts of false alarm security vulnerability reports, the kernel folks rewrote the FormatMessage function in Windows Vista so it doesn’t use this technique any more. It’s an odd Catch-22. You remove something that is frequently mistaken for a security vulnerability so that people stop mistakenly reporting it, but the fact that you remove it only confirms in the mind of the people who filed the false alarms that they found something for real!

(For further reading, may I recommend this blog entry from Larry Osterman.)

Topics
Other

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.