DynamoRIO / drmemory

Memory Debugger for Windows, Linux, Mac, and Android

true uninitialized read in calc.exe!CCalculatorMode::LayoutCalcModeGeneric #495

Open derekbruening opened 9 years ago

derekbruening commented 9 years ago

From bruen...@google.com on July 15, 2011 12:28:39

running calc start+stop on win7:

```
in event_basic_block(tag=0x006248e7)
in event_basic_block(tag=0x00612cad)
in event_basic_block(tag=0x0061bbaf)
in event_basic_block(tag=0x0061bbba)
in event_basic_block(tag=0x0061b827)
Error #1: UNINITIALIZED READ: reading register eax
@0:00:17.525 in thread 3524
0x0061b82d <calc.exe+0xb82d> calc.exe!CCalculatorMode::LayoutCalcModeGeneric
0x00627a9a <calc.exe+0x17a9a> calc.exe!CStandardMode::LayoutCalculatorMode
0x00627a35 <calc.exe+0x17a35> calc.exe!CContainer::LayoutStandardMode
0x006278a3 <calc.exe+0x178a3> calc.exe!CContainer::AssembleDialogsWithoutToolset
0x00611b0e <calc.exe+0x1b0e> calc.exe!WinMain
0x0061b82d 83 f8 02 cmp %eax $0x00000002
```

no obvious syscall candidate earlier

with REPORT_ALL_UNINIT, the memory source is found slightly earlier:

```
in event_basic_block(tag=0x002648e7)
in event_basic_block(tag=0x00252cad)
in event_basic_block(tag=0x0025bbaf)
in event_basic_block(tag=0x0025bbba)
in event_basic_block(tag=0x0025b827)
Error #68: UNINITIALIZED READ: reading 0x029bec7c-0x029bec80 4 byte(s)
@0:00:20.589 in thread 2284
0x0025b82a <calc.exe+0xb82a> calc.exe!CCalculatorMode::LayoutCalcModeGeneric
...
0x0025b82a 8b 40 34 mov 0x34(%eax) -> %eax
```

followed by same spot:

```
Error #69: UNINITIALIZED READ: reading register eax
0x0025b82d 83 f8 02 cmp %eax $0x00000002
```

no syscalls have mem addr like that as param

having all syscalls processed for unknown writes: still there

```
0:000> dds @@(mc->ebp - 4)
0024e424 029bec48
0024e428 0024e484
0024e42c 006d7a9a calc!CStandardMode::LayoutCalculatorMode+0x33

0:000> dyb @@(((char *)shadow_table[0x029b]) + (0x029bec7c/4)) L8
         76543210 76543210 76543210 76543210
2514d12f 11111111 00000000 11111111 11111111 ff 00 ff ff
2514d133 11111111 00000000 00000000 00000000 ff 00 00 00

0:000> dyb @@(((char *)shadow_table[0x029b]) + (0x029bec48/4)) L8
         76543210 76543210 76543210 76543210
2514d122 00000000 11111111 00000000 00000000 00 ff 00 00
2514d126 00000000 00000000 00000000 00000000 00 00 00 00

0:000> dd 029bec48
029bec48 006c6dc4 000c00c4 029bed3c 0071433c
029bec58 00714568 000c37f0 00714574 000c3c20
029bec68 000c4040 00000000 00000000 00000000
029bec78 00000000 00000000 00000001 00000000
```

presumably ecx is "this". early on in this routine:

```
calc!CCalculatorMode::LayoutCalcModeGeneric+0x13:
006cb71e 894dfc mov [ebp-0x4],ecx
```

```
006cb811 ff15d0126c00 call dword ptr [calc!_imp__SetWindowLongW (006c12d0)]
006cb817 8b4dfc       mov ecx,[ebp-0x4]
006cb81a 6848050000   push 0x548
006cb81f ff751c       push dword ptr [ebp+0x1c]
006cb822 e83c030000   call calc!CCalculatorMode::SetAccessibleName (006cbb63)
006cb827 8b45fc       mov eax,[ebp-0x4]
006cb82a 8b4034       mov eax,[eax+0x34]
006cb82d 83f802       cmp eax,0x2
```

so it's reading a CCalculatorMode field at +0x34

bp calc!CCalculatorMode::CCalculatorMode in windbg and then ba w4 at +0x34 in windbg shows it's not written until delete time:

```
0021f8f8 773aabf9 002c4018 000099c0 feeefeee ntdll!RtlFillMemoryUlong+0x10
0021f9ec 77353472 002c4008 002c49e8 002c49e0 ntdll!RtlpFreeHeap+0x5e5
0021fa0c 773f162e 002c0000 50000063 002c49e8 ntdll!RtlFreeHeap+0x142
0021fa54 773aab3a 002c0000 50000063 002c49e8 ntdll!RtlDebugFreeHeap+0x1f9
0021fb48 77353472 002c49e0 002c49e8 002c49e8 ntdll!RtlpFreeHeap+0x5d
0021fb68 751498cd 002c0000 00000000 002c49e8 ntdll!RtlFreeHeap+0x142
0021fbb4 003cd3b3 002c49e8 00414210 0021fbf0 msvcrt!free+0xcd
0021fbc4 003d872c 00000001 0e85ddc7 002c0ea8 calc!CStandardMode::`vector deleting destructor'+0x19
```

ditto but break on read shows calc reading 0xbaadf00d:

```
Breakpoint 0 hit
eax=003de548 ebx=00114210 ecx=006849e8 edx=006849e3 esi=006849e8 edi=76d10dfb
eip=000cb9a3 esp=003de524 ebp=003de554 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
calc!CCalculatorMode::CCalculatorMode:
000cb9a3 8bff            mov     edi,edi
0:000> dd 006849e8
006849e8 baadf00d baadf00d baadf00d baadf00d
006849f8 baadf00d baadf00d baadf00d baadf00d
00684a08 baadf00d baadf00d baadf00d baadf00d
00684a18 baadf00d baadf00d baadf00d baadf00d
0:000> ba r4 006849e8+34
0:000> g
Breakpoint 1 hit
eax=baadf00d ebx=76d06ffe ecx=a92e675f edx=00000000 esi=0011433c edi=76d10c62
eip=000cb82d esp=003de4cc ebp=003de51c iopl=0         nv up ei pl zr na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
calc!CCalculatorMode::LayoutCalcModeGeneric+0x12e:
000cb82d 83f802          cmp     eax,0x2
0:000> dd 006849e8
006849e8 000c6dc4 baadf00d 00684adc 0011433c
006849f8 00114568 006811d8 00114574 00682fe8
00684a08 00683418 00000000 00000000 00000000
00684a18 00000000 baadf00d 00000001 baadf00d
00684a28 baadf00d baadf00d 00000000 40240000
0:000> kb
003de51c 000d7a9a 00684a30 00684a38 00684adc calc!CCalculatorMode::LayoutCalcModeGeneric+0x12e
003de578 000d7a35 00000000 a91382fb 76d17381 calc!CStandardMode::LayoutCalculatorMode+0x33
003de5a4 000d78a3 00000000 76d5d3eb 00114210 calc!CContainer::LayoutStandardMode+0xaf
003dee28 000c1b0e 00000000 00114a68 0044375c calc!CContainer::AssembleDialogsWithoutToolset+0x97
003dfb98 000d219a 000c0000 00000000 0044375c calc!WinMain+0x581
```

but why isn't mine filled w/ baadf00d? b/c I'm disabling crtdbg. natively I only see the one constructor, the one read, and the one write.

conclusion: this is a real uninitialized read in win7 calc. it's not there on xp wow64.

Original issue: http://code.google.com/p/drmemory/issues/detail?id=495
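The `dyb @@(((char *)shadow_table[0x029b]) + (0x029bec7c/4))` commands in the comment above walk a two-level shadow table: the high 16 bits of the application address select a block, and the block pointer is pre-biased so that adding `addr/4` lands on the shadow byte holding that address's 2 bits. The model below is an added illustration of that lookup and of how such a table turns the constructor's missing store to `+0x34` into the `reading 0x029bec7c-0x029bec80 4 byte(s)` report; it is not Dr. Memory's code, and the 2-bit encoding values, the object size and the "every field but +0x34 is written" pattern are constructed assumptions (the addresses are the ones from the comment).

```python
# Constructed, simplified model of a two-level, 2-bits-per-app-byte shadow table.
# Not Dr. Memory's own code; the encoding values below are assumptions for the model.
DEFINED = 0b00        # byte is addressable and has been written
UNADDRESSABLE = 0b01  # byte is outside any live allocation
UNDEFINED = 0b11      # byte is allocated but never written

BLOCK_APP_BYTES = 0x10000                  # one block per 64 KB of app address space
BLOCK_SHADOW_BYTES = BLOCK_APP_BYTES // 4  # one shadow byte covers 4 app bytes


def biased_block_pointer(shadow_byte_addr, app_addr):
    """Pre-biased block pointer p such that p + app_addr//4 is the shadow byte for
    app_addr, which is what ((char *)shadow_table[hi16]) + (addr/4) computes."""
    return shadow_byte_addr - (app_addr >> 2)


def shadow_byte_address(biased_ptr, app_addr):
    """Shadow byte address for app_addr given the block's biased pointer."""
    return biased_ptr + (app_addr >> 2)


class ShadowMemory:
    def __init__(self):
        self.blocks = {}  # hi16 -> bytearray(BLOCK_SHADOW_BYTES)

    @staticmethod
    def _slot(app_addr):
        # (block key, shadow byte index within block, bit shift of this byte's 2 bits)
        return app_addr >> 16, (app_addr & 0xFFFF) >> 2, (app_addr & 3) * 2

    def get(self, app_addr):
        hi, idx, shift = self._slot(app_addr)
        blk = self.blocks.get(hi)
        if blk is None:            # no block yet: nothing here was ever allocated
            return UNADDRESSABLE
        return (blk[idx] >> shift) & 0b11

    def set(self, app_addr, value):
        hi, idx, shift = self._slot(app_addr)
        # A never-touched block is all UNADDRESSABLE (0b01 in every 2-bit slot).
        blk = self.blocks.setdefault(hi, bytearray([0b01010101]) * BLOCK_SHADOW_BYTES)
        blk[idx] = (blk[idx] & ~(0b11 << shift) & 0xFF) | (value << shift)

    def mark(self, app_addr, size, value):
        for a in range(app_addr, app_addr + size):
            self.set(a, value)

    def check_read(self, app_addr, size):
        """Report undefined / unaddressable byte ranges inside a read of `size`
        bytes at app_addr, in the style of the tool's messages; [] means clean."""
        errors = []
        for kind, label in ((UNDEFINED, "UNINITIALIZED READ"),
                            (UNADDRESSABLE, "UNADDRESSABLE ACCESS")):
            start = None
            for a in range(app_addr, app_addr + size + 1):
                hit = a < app_addr + size and self.get(a) == kind
                if hit and start is None:
                    start = a
                elif not hit and start is not None:
                    errors.append("%s: reading 0x%08x-0x%08x %d byte(s)"
                                  % (label, start, a, a - start))
                    start = None
        return errors


def replay_page_scenario():
    """Re-create the state from the issue: a heap object at 0x029bec48 whose
    constructor writes every field except the one at +0x34 (object size 0x40
    and the written-field pattern are constructed for this model)."""
    shadow = ShadowMemory()
    obj, size = 0x029BEC48, 0x40
    shadow.mark(obj, size, UNDEFINED)            # malloc: allocated but unwritten
    for off in range(0, size, 4):                # constructor stores...
        if off != 0x34:                          # ...except the field at +0x34
            shadow.mark(obj + off, 4, DEFINED)
    before = shadow.check_read(obj + 0x34, 4)    # the 'mov eax,[eax+0x34]' read
    shadow.mark(obj + 0x34, 4, DEFINED)          # the store the constructor lacks
    after = shadow.check_read(obj + 0x34, 4)
    shadow.mark(obj, size, UNADDRESSABLE)        # delete: object gone
    freed = shadow.check_read(obj + 0x34, 4)
    return before, after, freed


if __name__ == "__main__":
    for msgs in replay_page_scenario():
        print(msgs or "clean")
```

`biased_block_pointer(0x2514d12f, 0x029bec7c)` recovers the biased pointer for the `0x029b` block from the first `dyb` line, and `shadow_byte_address` of that pointer for `0x029bec48` gives `0x2514d122`, the address shown by the second `dyb`, so the model's arithmetic matches the session above. The three results of `replay_page_scenario()` are the uninitialized report at the exact range from Error #68, a clean read once the field is stored, and an unaddressable report after delete.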

derekbruening commented 9 years ago

From bruen...@google.com on July 15, 2011 09:31:34

not worth suppressing since limited to this app but wanted to document as calc has been a good test case

Status: Verified

derekbruening commented 9 years ago

From bruen...@google.com on July 15, 2011 09:35:29

re-opening for reporting the bug

Status: Accepted
Owner: ---