<h1>Not every first-chance exception is a security vulnerability</h1>
<p>Published 2007-12-18. <a href="https://devblogs.microsoft.com/oldnewthing/20071218-00/?p=24123">https://devblogs.microsoft.com/oldnewthing/20071218-00/?p=24123</a></p>
<p>In the category of dubious vulnerability, I submit the following (paraphrased) report:</p>
<blockquote class="q"><p>If I call the <code>FormatMessage</code> function, I can cause a buffer overflow exception if I provide an insertion that is more than 2000 characters long.</p></blockquote>
<p>The <code>FormatMessage</code> function in Windows NT, 2000 and XP used the <a href="http://msdn.microsoft.com/library/en-us/memory/base/reserving_and_committing_memory.asp">dynamically expanding buffer technique</a> to allocate memory for the resulting message. If the resulting string was more than one page in length (4KB on an x86 system), an exception was thrown when the <code>FormatMessage</code> function tried to write to the 4096th byte of the buffer. This looks like a buffer overflow, and in a sense it is, but it's a controlled overflow (the bytes beyond the end of the buffer are under the program's control), the exception is entirely expected, and it is correctly handled. Using intentionally invalid pages to trigger just-in-time memory commit is a rare technique, so it's not surprising that people aren't familiar with it.</p>
<p>In fact, to avoid these sorts of false-alarm security vulnerability reports, the kernel folks rewrote the <code>FormatMessage</code> function in Windows Vista so it doesn't use this technique any more. It's an odd Catch-22. You remove something that is frequently mistaken for a security vulnerability so that people stop mistakenly reporting it, but the fact that you removed it only confirms in the minds of the people who filed the false alarms that they found something for real!</p>
<p>(For further reading, may I recommend <a href="http://blogs.msdn.com/larryosterman/archive/2006/10/16/so-when-is-it-ok-to-use-seh.aspx">this blog entry from Larry Osterman</a>.)</p>