<h1>It rather involved being on the other side of this airtight hatchway: Producing malicious data in a kernel driver</h1>
<p>The Old New Thing, December 7, 2021. <a href="https://devblogs.microsoft.com/oldnewthing/20211207-00/?p=106004">https://devblogs.microsoft.com/oldnewthing/20211207-00/?p=106004</a></p>
<p>Summary: Sure, you can fool other people, but you can do far more than that already.</p>
<p>A security vulnerability report went something like this:</p>
<blockquote class="q"><p>We have found a vulnerability in the <code>LogXyz</code> function. If the packet being logged contains malicious field lengths, the function can read past the end of the buffer and log data from its process space, resulting in information disclosure. Attached is a sample driver that triggers the overflow.</p></blockquote>
<p>Okay, that sounds bad. This is the sort of thing that led to <a href="https://en.wikipedia.org/wiki/Heartbleed">Heartbleed</a>.</p>
<p>But a closer look at the <code>LogXyz</code> function shows that the packet it is logging came from a driver. So this attack presupposes that a malicious driver has been installed on the system.</p>
<p>If you have a malicious driver on your system, you have bigger problems than a buffer overflow in a logging function.</p>
<p>What we have here is a bug, but not a security vulnerability. The <code>LogXyz</code> function should be more resilient to malformed data, but any such malformed data came from kernel mode, which already has the power to do anything it wants to user mode. The driver could just access the <code>LogXyz</code> function’s memory directly and get whatever it wants, no need to trick it into writing the information to a log (and then having to go dig it out of the log).</p>
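<p>To make the reported bug class and the "more resilient" fix concrete, here is an added example in C that is not part of the original post and not Microsoft's code. It assumes a hypothetical packet layout (a type byte, a one-byte declared payload length, then the payload); <code>LogXyz</code> is only the post's placeholder name, so the function names, the layout and the sample bytes are all constructed for this illustration. The first logger trusts the in-packet length field and reads whatever follows the packet in memory; the second checks that field against the length the caller actually handed over before copying anything. The sample packet is embedded in a larger constructed array so the over-read is deterministic and stays inside that array.</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical packet layout assumed for this example (not a real format):
 *   byte 0:  type
 *   byte 1:  declared payload length
 *   byte 2+: payload
 */
#define PACKET_HEADER_LEN 2
#define LOG_MAX 64

/* Constructed memory image: a 4-byte packet followed by bytes that belong to the
 * logging process but not to the packet. The declared payload length (0x20 = 32)
 * is far larger than the 2 payload bytes actually present. */
static const uint8_t memory_image[] =
    "\x01\x20"                           /* header: type 1, declared payload length 32 */
    "hi"                                 /* the only payload bytes the packet really has */
    "SECRET: session token 0xDEADBEEF";  /* adjacent process memory, not part of the packet */
#define PACKET_LEN 4                     /* the size the sender says the packet has */

/* Vulnerable logger: trusts the in-packet length field and never looks at
 * packet_len. The destination is bounded, so there is no write overflow;
 * the defect is the read, which runs past the end of the packet. */
size_t log_xyz_vulnerable(const uint8_t *packet, size_t packet_len,
                          uint8_t *out, size_t out_len)
{
    (void)packet_len;                        /* defect: the real packet size is ignored */
    size_t payload_len = packet[1];          /* sender-controlled length */
    if (payload_len > out_len)
        payload_len = out_len;
    memcpy(out, packet + PACKET_HEADER_LEN, payload_len);   /* over-read happens here */
    return payload_len;
}

/* Hardened logger: every length taken from the packet is checked against the
 * length the caller vouches for, and against the destination, before any byte
 * is copied. Returns 0 on success, -1 for a malformed packet (nothing logged). */
int log_xyz_hardened(const uint8_t *packet, size_t packet_len,
                     uint8_t *out, size_t out_len, size_t *written)
{
    *written = 0;
    if (packet_len < PACKET_HEADER_LEN)
        return -1;                                   /* header truncated */
    size_t payload_len = packet[1];
    if (payload_len > packet_len - PACKET_HEADER_LEN)
        return -1;                                   /* declared length overruns the packet */
    if (payload_len > out_len)
        return -1;                                   /* would not fit the log record */
    memcpy(out, packet + PACKET_HEADER_LEN, payload_len);
    *written = payload_len;
    return 0;
}

/* Feeds the malformed packet to the vulnerable logger and returns how many
 * bytes beyond the packet's real end ended up in the log record. */
size_t vulnerable_overread_bytes(void)
{
    uint8_t out[LOG_MAX];
    size_t n = log_xyz_vulnerable(memory_image, PACKET_LEN, out, sizeof out);
    size_t real_payload = PACKET_LEN - PACKET_HEADER_LEN;
    return n > real_payload ? n - real_payload : 0;
}

/* Returns 1 if the vulnerable logger's record contains the adjacent "SECRET" bytes. */
int vulnerable_leaks_secret(void)
{
    uint8_t out[LOG_MAX];
    size_t n = log_xyz_vulnerable(memory_image, PACKET_LEN, out, sizeof out);
    return n >= 8 && memcmp(out + 2, "SECRET", 6) == 0;
}

/* Returns 1 if the hardened logger refuses the same malformed packet. */
int hardened_rejects_malformed(void)
{
    uint8_t out[LOG_MAX];
    size_t written = 0;
    return log_xyz_hardened(memory_image, PACKET_LEN, out, sizeof out, &written) == -1
           && written == 0;
}

/* Returns the payload length the hardened logger accepts for a well-formed packet. */
size_t hardened_accepts_wellformed(void)
{
    static const uint8_t good[] = { 0x01, 0x02, 'h', 'i' };   /* declared length matches */
    uint8_t out[LOG_MAX];
    size_t written = 0;
    if (log_xyz_hardened(good, sizeof good, out, sizeof out, &written) != 0)
        return 0;
    return written;
}

int main(void)
{
    printf("vulnerable logger read %zu bytes past the packet (leaks secret: %d)\n",
           vulnerable_overread_bytes(), vulnerable_leaks_secret());
    printf("hardened logger rejects malformed packet: %d, accepts well-formed payload of %zu bytes\n",
           hardened_rejects_malformed(), hardened_accepts_wellformed());
    return 0;
}
```

<p>Build with <code>cc -Wall -o logxyz logxyz.c</code> and run it. Note what the length check does and does not buy you: it makes the logger robust against a buggy or hostile sender, which is worth doing, but when the sender is a kernel-mode driver the check is not a security boundary, because that driver can already read the logger's memory without going through <code>LogXyz</code> at all. The same code would be a genuine vulnerability only if the packet could arrive from a less-privileged principal, such as a user-mode client or the network.</p>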