<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@宋体";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
text-align:justify;
text-justify:inter-ideograph;
font-size:10.5pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML 预设格式 Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:宋体;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.HTMLChar
{mso-style-name:"HTML 预设格式 Char";
mso-style-priority:99;
mso-style-link:"HTML 预设格式";
font-family:宋体;}
span.c
{mso-style-name:c;}
span.k
{mso-style-name:k;}
span.str
{mso-style-name:str;}
.MsoChpDefault
{mso-style-type:export-only;}
/* Page Definitions */
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
-->
</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="ZH-CN" link="blue" vlink="purple" style="text-justify-trim:punctuation">
<div class="Section1">
<pre><span lang="EN-US">off-by-one errors on ntoskrnl/io/iomgr/arcname.c, IopAssignArcNamesToCdrom() doesn’t check the <o:p></o:p></span></pre>
<pre><span lang="EN-US">KeLoaderBlock->ArcBootDeviceName length, using sprintf cloud cause kernel stack buffer overflow<o:p></o:p></span></pre>
<pre><span lang="EN-US">Or an off-by-one error.<o:p></o:p></span></pre>
<pre><span lang="EN-US"><o:p> </o:p></span></pre>
<pre><span lang="EN-US">BOOLEAN<o:p></o:p></span></pre>
<pre><span lang="EN-US">INIT_FUNCTION<o:p></o:p></span></pre>
<pre><span lang="EN-US">NTAPI<o:p></o:p></span></pre>
<pre><span lang="EN-US">IopAssignArcNamesToCdrom(IN PULONG Buffer, IN ULONG DiskNumber)<o:p></o:p></span></pre>
<pre><span lang="EN-US">{<o:p></o:p></span></pre>
<pre><span lang="EN-US"> CHAR ArcBuffer[128];<o:p></o:p></span></pre>
<pre>…<span lang="EN-US"><o:p></o:p></span></pre>
<pre><span lang="EN-US"> <span class="k">if</span> (IopApplyRosCdromArcHack(DiskNumber))<o:p></o:p></span></pre>
<pre><span lang="EN-US"> {<o:p></o:p></span></pre>
<pre><span lang="EN-US"> <span class="c">/* Not check the </span>KeLoaderBlock->ArcBootDeviceName length, sprintf could cause <o:p></o:p></span></pre>
<pre style="margin-left:66.0pt;text-indent:-66.0pt"><span lang="EN-US"> Kernel stack buffer overflow with ArcBuffer. Even if KeLoaderBlock->ArcBootDeviceName length eval 128, <o:p></o:p></span></pre>
<pre style="margin-left:65.85pt;mso-para-margin-left:6.27gd;text-indent:42.0pt"><span lang="EN-US">it will miss </span>‘<span lang="EN-US">\0</span>’<span lang="EN-US"> */<o:p></o:p></span></pre>
<pre><span lang="EN-US"> sprintf(ArcBuffer, <span class="str">"<a href="file:///\\ArcName\%25s">\\ArcName\\%s</a>"</span>, KeLoaderBlock->ArcBootDeviceName);<o:p></o:p></span></pre>
<pre>…<span lang="EN-US"><o:p></o:p></span></pre>
<pre><span lang="EN-US">}<o:p></o:p></span></pre>
<pre><span lang="EN-US">So IopAssignArcNamesToCdrom() should check the KeLoaderBlock->ArcBootDeviceName length or replace<o:p></o:p></span></pre>
<pre><span lang="EN-US">Sprintf to snprintf. The same errors also in IopCreateArcNames(),IopReassignSystemRoot().<o:p></o:p></span></pre>
<pre><span lang="EN-US"><o:p> </o:p></span></pre>
<pre><span lang="EN-US">Thanks. <o:p></o:p></span></pre>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1">This email (including any attachments) is confidential and may be legally privileged. If you received this email in error, please delete it immediately and do not copy it or use it for any purpose or disclose its contents
to any other person. Thank you.<br>
<br>
本电邮(包括任何附件)可能含有机密资料并受法律保护。如您不是正确的收件人,请您立即删除本邮件。请不要将本电邮进行复制并用作任何其他用途、或透露本邮件之内容。谢谢。<br>
</font>
</body>
</html>