@masthoon and I found the below issue in the HEVD secure mode:
(base) c:\work\codes\wtf\targets\hevd>..\..\src\build\wtf.exe run --name hevd --state state --backend=bochscpu --input crashes\crash-0xfffff764b91c0000-0x0-0xffffbf84fb10e780-0x2-0x0 --limit 10000000
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Running crashes\crash-0xfffff764b91c0000-0x0-0xffffbf84fb10e780-0x2-0x0
Hevd: DbgPrintEx: ****** HEVD_IOCTL_DOUBLE_FETCH ******
Hevd: DbgPrintEx: [+] UserDoubleFetch: 0x%p
Hevd: DbgPrintEx: [+] KernelBuffer: 0x%p
Hevd: DbgPrintEx: [+] KernelBuffer Size: 0x%X
Hevd: DbgPrintEx: [+] UserDoubleFetch->Buffer: 0x%p
Hevd: DbgPrintEx: [+] UserDoubleFetch->Size: 0x%X
Hevd: KeBugCheck2: crash-0xfffff764b91c0000-0x0-0xffffbf84fb10e780-0x2-0x0
--------------------------------------------------
Run stats:
Instructions executed: 2107 (1777 unique)
Dirty pages: 61440 bytes (0 MB)
Memory accesses: 10743 bytes (0 MB)
#1 cov: 1777 exec/s: 0.5 lastcov: 0.0s crash: 1 timeout: 0 cr3: 0 uptime: 2.0s
The issue is in:
#ifdef SECURE
    UserBuffer = UserDoubleFetch->Buffer;
    UserBufferSize = UserDoubleFetch->Size;

    DbgPrint("[+] UserDoubleFetch->Buffer: 0x%p\n", UserBuffer);
    DbgPrint("[+] UserDoubleFetch->Size: 0x%X\n", UserBufferSize);

    if (UserBufferSize > sizeof(KernelBuffer))
    {
        DbgPrint("[-] Invalid Buffer Size: 0x%X\n", UserBufferSize);

        Status = STATUS_INVALID_PARAMETER;
        return Status;
    }

    //
    // Secure Note: This is secure because the developer is fetching
    // 'UserDoubleFetch->Buffer' and 'UserDoubleFetch->Size' from user
    // mode just once and storing it in a temporary variable. Later, this
    // stored values are passed to RtlCopyMemory()/memcpy(). Hence, there
    // will be no race condition
    //

    RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, UserBufferSize);
#else
UserDoubleFetch->Buffer isn't probed.

Cheers