Windows 10 platform authenticator - access violation reading

timvw01 commented 1 year ago

I did this

Use the windows 10 authenticator from Webauthn-authenticator-rs

let mut authenticator = Box::new(webauthn_authenticator_rs::win10::Win10::default());

Then use the register method to register (this works properly).

Where it goes wrong is:

let r = authenticator
        .perform_auth(
            url,
            pubkey,
            60_000,
        );

What happened

Compiling works, during run-time running the .perform_auth(), the authenticator does appear, after entering a correct code the following error appears:

error: test failed, to rerun pass `--lib`

Caused by:
  process didn't exit successfully: `C:\example\target\debug\deps\example.exe` (exit code: 0xc0000005, STATUS_ACCESS_VIOLATION)

The actual errors comes from this line of the windows-0.41.0 package (windows-0.41.0/src/core/strings/pcwstr.rs)

pub unsafe fn as_wide(&self) -> &[u16] {
        let len = super::wcslen(*self);           // This line gives the error
        std::slice::from_raw_parts(self.0, len)
    }

Exception has occurred: W32/0xC0000005
Unhandled exception at 0x00007FF73498DD7E in example-bffd3a9dcd8d4338.exe: 0xC0000005: Access violation reading location 0x0000000000000000.

The exact same code does work on a windows 11 desktop.

Version (and git commit)

webauthn-rs = { version = "0.4.8", optional = true, features = ["danger-credential-internals", "resident-key-support"] }
webauthn-rs-core = { version = "0.4.9", optional = true }
webauthn-authenticator-rs = { version =  "0.4.9" , optional = true, features = ["win10"]}

Operating System / Version

Doesnt work: OS Name Microsoft Windows 10 Home Version 10.0.19045 Build 19045 Works: Windows 11 v?

Any other comments

Not sure if i should post this here or at the windows-0.41.0 package github. Did anyone else run into this?

yaleman commented 1 year ago

Sounds like something @micolous would know

Firstyear commented 1 year ago

@timvw01 This part of the library is still "growing" so I'd expect some issues like this, but thank you for reporting them so we can help investigate :)

micolous commented 1 year ago

@timvw01 That could easily be a bug in this library too... though you mention it worked on Windows 11; so I suspect there's a compatibility issue with that version of Windows.

Can you please provide some details for me:

the output of rustc -vV (which will show what compiler and CPU architecture you're using)
the full OS build number shown in Settings -> System -> About -> Windows Specifications

("19045" only tells me you're on Windows 10 22H2, not the minor version)
the full version of c:\windows\system32\webauthn.dll and c:\windows\syswow64\webauthn.dll on your system (and if you can, the SHA-256 of the files as well).

That should be visible in Explorer's properties dialog, eg: 10.0.19041.2075, and this may not match your Windows version.
are you running the code on the same machine that the authenticator is connected to, or via an RDP connection to another host?
what model security key are you using? what transport are you using (USB, NFC, BTLE)? which protocols does it support/have enabled (U2F, CTAP 2.0, 2.1, etc.)?

I may have the same key, so might be able to try stuff out locally.
can you reproduce the access violation running the authenticate example in the repository?
```
cargo run --example authenticate --features win10 -- win10
```
Even if it's just affecting your code, it's still helpful to figure out if there's some missing input handling.
the log output with a complete stack trace ($Env:RUST_BACKTRACE = "full") and trace debug output enabled ($Env:RUST_LOG = "trace")
the contents of the PublicKeyCredentialRequestOptions struct for the perform_auth call (trace!(?pubkey); should work)

You can also see what Windows is doing in the Event Viewer: attached is a custom view XML that'll show you everything in the last 24 hours: https://gist.github.com/micolous/95f9c20b6e36988475fd514f33bab2c5

timvw01 commented 1 year ago

Absolutely, see below:

the output of rustc -vV (which will show what compiler and CPU architecture you're using)

rustc 1.65.0 (897e37553 2022-11-02) binary: rustc commit-hash: 897e37553bba8b42751c67658967889d11ecd120 commit-date: 2022-11-02 host: x86_64-pc-windows-msvc release: 1.65.0 LLVM version: 15.0.0

the full OS build number

19045.2486

the full version of c:\windows\system32\webauthn.dll

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          890EE5E38BBE940A5CF9605F5D61EE2D9B00FD893023C5286B25DBB82B3DC918       C:\Windows\System32\webauthn.dll

and c:\windows\syswow64\webauthn.dll

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          BF881993AA1B48294F9757DAE7277C4C4050A1CAF19AE3E9F4AEC67D7242E261       C:\Windows\SysWOW64\webauthn.dll

are you running the code on the same machine

Yes its the same machine

what model security key are you using? what transport are you using (USB, NFC, BTLE)? Its windows itself, so Windows Hello i guess?
which protocols does it support/have enabled (U2F, CTAP 2.0, 2.1, etc.)? Not too sure about this one, where can i find this info?
can you reproduce the access violation running the authenticate example in the repository?

yes, the results and the point at which it crashes are the same

error: process didn't exit successfully: `target\debug\examples\authenticate.exe win10` (exit code: 0xc0000005, STATUS_ACCESS_VIOLATION)

the log output

Using Windows 10...
2023-01-24T20:34:10.112941Z TRACE webauthn_authenticator_rs::win10: WebAuthNGetApiVersionNumber(): 2
2023-01-24T20:34:10.124279Z TRACE webauthn_authenticator_rs::win10: WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable() = true
2023-01-24T20:34:10.126805Z  INFO authenticate: 🍿 challenge -> CreationChallengeResponse { public_key: PublicKeyCredentialCreationOptions { rp: RelyingParty { name: "https://localhost:8080/auth", id: "localhost" }, user: User { id: Base64UrlSafeData([9e, aa, e4, 59, 44, 1c, 49, c2, 86, 13, e3, 99, 6b, dc, 96, ee]), name: "william", display_name: "william" }, challenge: Base64UrlSafeData([db, c7, 4b, cc, ae, 80, 66, 75, 47, 58, 47, f0, a2, 8b, 86, 8d, ae, 3e, 57, ed, bc, c2, 24, 77, e0, d9, bc, 4b, 26, d2, 8f, 
78]), pub_key_cred_params: [PubKeyCredParams { type_: "public-key", alg: fffffffffffffff9 }, PubKeyCredParams { type_: "public-key", alg: fffffffffffffeff }], timeout: Some(1), attestation: Some(None), exclude_credentials: None, authenticator_selection: Some(AuthenticatorSelectionCriteria { authenticator_attachment: None, require_resident_key: false, user_verification: Preferred }), extensions: None } }
2023-01-24T20:34:10.133167Z TRACE webauthn_authenticator_rs::win10::gui: Tried to set the foreground window, but the request was denied.
2023-01-24T20:34:14.229481Z TRACE webauthn_rs_core::core: state=RegistrationState { policy: Preferred, exclude_credentials: [], challenge: Base64UrlSafeData([219, 199, 75, 
204, 174, 128, 102, 117, 71, 88, 71, 240, 162, 139, 134, 141, 174, 62, 87, 237, 188, 194, 36, 119, 224, 217, 188, 75, 38, 210, 143, 120]), credential_algorithms: [ES256, RS256], require_resident_key: false, authenticator_attachment: None, extensions: RequestRegistrationExtensions { cred_protect: None, uvm: Some(true), cred_props: Some(true), 
min_pin_length: None, hmac_create_secret: None }, experimental_allow_passkeys: true }
2023-01-24T20:34:14.261176Z TRACE webauthn_rs_core::core: reg=RegisterPublicKeyCredential { id: "ctHQ_ShgsGb2-lP6Dgh4iG-ZOJRyCy5IYlv1yDA5j2s", raw_id: Base64UrlSafeData([114, 209, 208, 253, 40, 96, 176, 102, 246, 250, 83, 250, 14, 8, 120, 136, 111, 153, 56, 148, 114, 11, 46, 72, 98, 91, 245, 200, 48, 57, 143, 107]), response: AuthenticatorAttestationResponseRaw { attestation_object: Base64UrlSafeData([163, 99, 102, 109, 116, 100, 110, 111, 110, 101, 103, 97, 116, 116, 83, 116, 109, 116, 160, 104, 97, 117, 116, 
104, 68, 97, 116, 97, 89, 1, 103, 73, 150, 13, 229, 136, 14, 140, 104, 116, 52, 23, 15, 100, 118, 96, 91, 143, 228, 174, 185, 162, 134, 50, 199, 153, 92, 243, 186, 131, 29, 151, 99, 69, 0, 0, 0, 0, 96, 40, 176, 23, 177, 212, 76, 2, 180, 179, 175, 205, 175, 201, 107, 178, 0, 32, 114, 209, 208, 253, 40, 96, 176, 102, 246, 250, 83, 250, 14, 8, 120, 136, 111, 153, 56, 148, 114, 11, 46, 72, 98, 91, 245, 200, 48, 57, 143, 107, 164, 1, 3, 3, 57, 1, 0, 32, 89, 1, 0, 181, 63, 82, 32, 36, 61, 47, 48, 47, 158, 226, 232, 177, 219, 84, 93, 23, 64, 160, 221, 24, 123, 141, 92, 188, 82, 139, 97, 82, 94, 112, 73, 115, 254, 145, 55, 199, 248, 3, 83, 36, 224, 69, 221, 76, 49, 77, 162, 195, 81, 28, 
80, 178, 183, 142, 161, 249, 37, 36, 238, 159, 29, 107, 49, 80, 195, 137, 129, 244, 245, 148, 110, 176, 131, 104, 198, 251, 63, 125, 235, 71, 105, 82, 237, 25, 60, 96, 11, 
26, 157, 190, 167, 75, 224, 51, 81, 113, 0, 247, 51, 3, 24, 69, 191, 12, 101, 79, 112, 62, 55, 38, 1, 132, 38, 62, 14, 136, 152, 34, 37, 147, 174, 151, 97, 207, 32, 221, 114, 33, 7, 72, 160, 75, 218, 97, 20, 225, 242, 28, 78, 142, 100, 95, 62, 4, 164, 212, 111, 128, 74, 208, 92, 254, 7, 62, 242, 208, 94, 223, 60, 242, 234, 202, 37, 200, 31, 38, 217, 208, 45, 19, 5, 181, 116, 190, 13, 193, 137, 134, 149, 26, 239, 126, 60, 174, 57, 170, 18, 165, 250, 58, 21, 213, 247, 155, 38, 198, 210, 78, 198, 66, 130, 39, 118, 226, 135, 241, 166, 115, 196, 89, 143, 37, 249, 204, 90, 248, 161, 188, 201, 193, 18, 196, 140, 118, 69, 30, 250, 208, 135, 255, 223, 224, 50, 147, 26, 18, 134, 90, 132, 58, 230, 199, 53, 221, 44, 182, 54, 227, 76, 29, 163, 242, 152, 194, 73, 33, 67, 1, 0, 1]), client_data_json: Base64UrlSafeData([123, 34, 116, 121, 112, 101, 34, 58, 34, 119, 101, 98, 97, 117, 116, 104, 110, 46, 99, 114, 101, 97, 116, 101, 34, 44, 34, 99, 104, 97, 108, 108, 101, 110, 103, 101, 34, 58, 34, 50, 56, 100, 76, 122, 75, 54, 65, 90, 
110, 86, 72, 87, 69, 102, 119, 111, 111, 117, 71, 106, 97, 52, 45, 86, 45, 50, 56, 119, 105, 82, 51, 52, 78, 109, 56, 83, 121, 98, 83, 106, 51, 103, 34, 44, 34, 111, 114, 105, 103, 105, 110, 34, 58, 34, 104, 116, 116, 112, 115, 58, 47, 47, 108, 111, 99, 97, 108, 104, 111, 115, 116, 58, 56, 48, 56, 48, 47, 34, 44, 34, 116, 111, 107, 101, 110, 
66, 105, 110, 100, 105, 110, 103, 34, 58, 110, 117, 108, 108, 125]), transports: Some([Internal]) }, type_: "none", extensions: RegistrationExtensionsClientOutputs { appid: None, cred_props: None, hmac_secret: None, cred_protect: None, min_pin_length: None } }
2023-01-24T20:34:14.303526Z TRACE webauthn_rs_core::internals: AttestationObjectInner v=Map({Text("fmt"): Text("none"), Text("attStmt"): Map({}), Text("authData"): Bytes([73, 150, 13, 229, 136, 14, 140, 104, 116, 52, 23, 15, 100, 118, 96, 91, 143, 228, 174, 185, 162, 134, 50, 199, 153, 92, 243, 186, 131, 29, 151, 99, 69, 0, 0, 0, 0, 96, 40, 176, 23, 177, 212, 76, 2, 180, 179, 175, 205, 175, 201, 107, 178, 0, 32, 114, 209, 208, 253, 40, 96, 176, 102, 246, 250, 83, 250, 14, 8, 120, 136, 111, 153, 56, 148, 114, 11, 46, 72, 98, 91, 245, 200, 48, 57, 143, 107, 164, 1, 3, 3, 57, 1, 0, 32, 89, 1, 0, 181, 63, 82, 32, 36, 61, 47, 48, 47, 158, 226, 232, 177, 219, 84, 93, 23, 64, 160, 221, 
24, 123, 141, 92, 188, 82, 139, 97, 82, 94, 112, 73, 115, 254, 145, 55, 199, 248, 3, 83, 36, 224, 69, 221, 76, 49, 77, 162, 195, 81, 28, 80, 178, 183, 142, 161, 249, 37, 36, 238, 159, 29, 107, 49, 80, 195, 137, 129, 244, 245, 148, 110, 176, 131, 104, 198, 251, 63, 125, 235, 71, 105, 82, 237, 25, 60, 96, 11, 26, 157, 190, 167, 75, 224, 51, 81, 113, 0, 247, 51, 3, 24, 69, 191, 12, 101, 79, 112, 62, 55, 38, 1, 132, 38, 62, 14, 136, 152, 34, 37, 147, 174, 151, 97, 207, 32, 221, 114, 33, 7, 72, 160, 75, 218, 97, 20, 225, 242, 28, 78, 142, 100, 95, 62, 4, 164, 212, 111, 128, 74, 208, 92, 254, 7, 62, 242, 208, 94, 223, 60, 242, 234, 202, 37, 200, 31, 38, 217, 208, 45, 19, 5, 181, 116, 190, 13, 193, 137, 134, 149, 26, 239, 126, 60, 174, 57, 170, 18, 165, 250, 58, 21, 213, 247, 155, 38, 198, 210, 78, 198, 66, 130, 39, 118, 226, 135, 241, 166, 115, 196, 89, 
143, 37, 249, 204, 90, 248, 161, 188, 201, 193, 18, 196, 140, 118, 69, 30, 250, 208, 135, 255, 223, 224, 50, 147, 26, 18, 134, 90, 132, 58, 230, 199, 53, 221, 44, 182, 54, 
227, 76, 29, 163, 242, 152, 194, 73, 33, 67, 1, 0, 1])})
2023-01-24T20:34:14.337132Z TRACE webauthn_rs_core::internals: extensions=None
2023-01-24T20:34:14.340918Z DEBUG webauthn_rs_core::core: extensions: RegistrationSignedExtensions { cred_protect: None, hmac_secret: None, unknown_keys: {} }
2023-01-24T20:34:14.354052Z DEBUG webauthn_rs_core::core: attestation is: None
2023-01-24T20:34:14.364987Z DEBUG webauthn_rs_core::core: attested credential data is: AttestedCredentialData { aaguid: [96, 40, 176, 23, 177, 212, 76, 2, 180, 179, 175, 205, 175, 201, 107, 178], credential_id: Base64UrlSafeData([114, 209, 208, 253, 40, 96, 176, 102, 246, 250, 83, 250, 14, 8, 120, 136, 111, 153, 56, 148, 114, 11, 46, 72, 98, 
91, 245, 200, 48, 57, 143, 107]), credential_pk: Map({Integer(1): Integer(3), Integer(3): Integer(-257), Integer(-1): Bytes([181, 63, 82, 32, 36, 61, 47, 48, 47, 158, 226, 
232, 177, 219, 84, 93, 23, 64, 160, 221, 24, 123, 141, 92, 188, 82, 139, 97, 82, 94, 112, 73, 115, 254, 145, 55, 199, 248, 3, 83, 36, 224, 69, 221, 76, 49, 77, 162, 195, 81, 28, 80, 178, 183, 142, 161, 249, 37, 36, 238, 159, 29, 107, 49, 80, 195, 137, 129, 244, 245, 148, 110, 176, 131, 104, 198, 251, 63, 125, 235, 71, 105, 82, 237, 25, 60, 96, 11, 26, 157, 190, 167, 75, 224, 51, 81, 113, 0, 247, 51, 3, 24, 69, 191, 12, 101, 79, 112, 62, 55, 38, 1, 132, 38, 62, 14, 136, 152, 34, 37, 147, 174, 151, 97, 207, 32, 221, 114, 33, 7, 72, 160, 75, 218, 97, 20, 225, 242, 28, 78, 142, 100, 95, 62, 4, 164, 212, 111, 128, 74, 208, 92, 254, 7, 62, 242, 208, 94, 223, 60, 242, 234, 202, 37, 200, 31, 38, 217, 208, 45, 19, 5, 181, 116, 190, 13, 193, 137, 134, 149, 26, 239, 126, 60, 174, 57, 170, 18, 165, 250, 58, 21, 213, 247, 155, 38, 198, 210, 78, 198, 66, 130, 39, 118, 226, 135, 241, 166, 115, 196, 89, 143, 37, 249, 204, 90, 248, 161, 188, 201, 193, 18, 196, 140, 118, 69, 30, 250, 208, 135, 255, 223, 224, 50, 147, 26, 18, 134, 90, 
132, 58, 230, 199, 53, 221, 44, 182, 54, 227, 76, 29, 163, 242, 152, 194, 73]), Integer(-2): Bytes([1, 0, 1])}) }
2023-01-24T20:34:14.383536Z TRACE webauthn_rs_core::internals: extensions=RegisteredExtensions { cred_protect: NotRequested, hmac_create_secret: NotRequested, appid: NotRequested, cred_props: Ignored }
2023-01-24T20:34:14.394581Z DEBUG webauthn_rs_core::core: attested_ca_crt = None
2023-01-24T20:34:14.399774Z TRACE authenticate: cred=Credential { cred_id: Base64UrlSafeData([114, 209, 208, 253, 40, 96, 176, 102, 246, 250, 83, 250, 14, 8, 120, 136, 111, 153, 56, 148, 114, 11, 46, 72, 98, 91, 245, 200, 48, 57, 143, 107]), cred: COSEKey { type_: RS256, key: RSA(COSERSAKey { n: Base64UrlSafeData([181, 63, 82, 32, 36, 61, 47, 48, 47, 158, 226, 232, 177, 219, 84, 93, 23, 64, 160, 221, 24, 123, 141, 92, 188, 82, 139, 97, 82, 94, 112, 73, 115, 254, 145, 55, 199, 248, 3, 83, 36, 224, 69, 221, 76, 49, 77, 162, 195, 81, 28, 80, 178, 183, 142, 161, 249, 37, 36, 238, 159, 29, 107, 49, 80, 195, 137, 129, 244, 245, 148, 110, 176, 131, 104, 198, 251, 63, 125, 235, 71, 105, 
82, 237, 25, 60, 96, 11, 26, 157, 190, 167, 75, 224, 51, 81, 113, 0, 247, 51, 3, 24, 69, 191, 12, 101, 79, 112, 62, 55, 38, 1, 132, 38, 62, 14, 136, 152, 34, 37, 147, 174, 
151, 97, 207, 32, 221, 114, 33, 7, 72, 160, 75, 218, 97, 20, 225, 242, 28, 78, 142, 100, 95, 62, 4, 164, 212, 111, 128, 74, 208, 92, 254, 7, 62, 242, 208, 94, 223, 60, 242, 234, 202, 37, 200, 31, 38, 217, 208, 45, 19, 5, 181, 116, 190, 13, 193, 137, 134, 149, 26, 239, 126, 60, 174, 57, 170, 18, 165, 250, 58, 21, 213, 247, 155, 38, 198, 210, 78, 198, 66, 130, 39, 118, 226, 135, 241, 166, 115, 196, 89, 143, 37, 249, 204, 90, 248, 161, 188, 201, 193, 18, 196, 140, 118, 69, 30, 250, 208, 135, 255, 223, 224, 50, 147, 26, 18, 134, 90, 132, 58, 230, 199, 53, 221, 44, 182, 54, 227, 76, 29, 163, 242, 152, 194, 73]), e: [1, 0, 1] }) }, counter: 0, transports: None, user_verified: true, backup_eligible: false, backup_state: false, registration_policy: Preferred, extensions: RegisteredExtensions { cred_protect: NotRequested, hmac_create_secret: NotRequested, appid: NotRequested, cred_props: Ignored }, attestation: ParsedAttestation { data: None, metadata: None }, attestation_format: None }
2023-01-24T20:34:14.414276Z TRACE webauthn_authenticator_rs::win10: options=PublicKeyCredentialRequestOptions { challenge: Base64UrlSafeData([92, 169, 87, 7, 34, 124, 65, 126, 98, 158, 199, 208, 178, 250, 13, 33, 61, 218, 145, 220, 57, 120, 8, 197, 223, 50, 125, 155, 145, 243, 194, 112]), timeout: Some(1), rp_id: "localhost", allow_credentials: [AllowCredentials { type_: "public-key", id: Base64UrlSafeData([114, 209, 208, 253, 40, 96, 176, 102, 246, 250, 83, 250, 14, 8, 120, 136, 111, 153, 56, 148, 114, 11, 46, 72, 98, 91, 245, 200, 48, 57, 143, 107]), transports: None }], user_verification: Preferred, extensions: Some(RequestAuthenticationExtensions { appid: Some("example.app.id"), uvm: None, hmac_get_secret: None }) }
2023-01-24T20:34:14.521673Z TRACE webauthn_authenticator_rs::win10::gui: Tried to set the foreground window, but the request was denied.
error: process didn't exit successfully: `target\debug\examples\authenticate.exe win10` (exit code: 0xc0000005, STATUS_ACCESS_VIOLATION)

_the contents of the PublicKeyCredentialRequestOptions struct for the performauth call

2023-01-24T20:46:35.333514Z TRACE authenticate: chal.public_key=PublicKeyCredentialRequestOptions { challenge: Base64UrlSafeData([77, 104, 154, 252, 164, 179, 74, 167, 184, 211, 121, 108, 37, 60, 252, 28, 208, 90, 101, 35, 229, 247, 136, 53, 106, 2, 202, 85, 156, 54, 24, 82]), timeout: Some(1), rp_id: "localhost", allow_credentials: [AllowCredentials { type_: "public-key", id: Base64UrlSafeData([224, 24, 140, 160, 74, 74, 23, 95, 43, 90, 73, 219, 188, 185, 74, 105, 4, 55, 250, 188, 57, 175, 126, 226, 0, 24, 122, 175, 72, 28, 3, 124]), transports: None }], user_verification: Preferred, extensions: Some(RequestAuthenticationExtensions { appid: Some("example.app.id"), uvm: None, hmac_get_secret: None }) }

You can also see what Windows is doing in the Event Viewer

Nice this will be helpful with the further webauthn development !

micolous commented 1 year ago

Thanks for that!

It looks like you have the same binaries as me, and only one version of Windows 10 behind (current is 19045.2546), but I would have been running 19045.2486 a couple of weeks ago.

I think the issue is with the platform authenticator (Windows Hello's built-in authenticator, WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable() = true), and I don't have one of those.

I think there's a null pointer being returned on Win10 with the platform authenticator; but to figure out which one it is, I'll need a full stack trace, which you can get from WinDbg. If you don't have WinDbg already, it's available in the Windows SDK, which is an optional component in the Visual Studio Build Tools (which you would have used to install MSVC components for Rust):

(I can't remember whether this is one of the default installed items)

So what you'd need to do is:

Build the authenticate example: cargo build --example authenticate --features win10
Copy the git commit ID you built from into this bug
Open WinDbg (X64)
File -> Open Executable
Set Arguments to win10
Select authenticate.exe in .\target\debug\examples:
You should then get an empty console window with the debugger paused.
Go to the WinDbg window and press F5 to start running the authenticate example
You then should get prompted to set up a security key, press OK and do that part with the platform authenticator until it crashes

WinDbg should show a message in the Command window like:

(47c4.4448): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

Get a stack trace: in the textbox at the bottom of the Command window (where it'll say 0:000>), type k then press Enter
Copy that stack trace into this issue.
Press Shift F5 to stop debugging.

The stack trace will look something like this; here I added a bug to the code in my local copy which tries to dereference a null pointer.

0:000> k
 # Child-SP          RetAddr           Call Site
00 00000061`a44e6c98 00007ff7`355ed38c VCRUNTIME140!memcpy+0x17c [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 299] 
01 00000061`a44e6ca0 00007ff7`34f179c9 authenticate!alloc::slice::hack::impl$1::to_vec<u8,alloc::alloc::Global>+0x11c [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6\library\alloc\src\slice.rs @ 162] 
02 (Inline Function) --------`-------- authenticate!alloc::slice::hack::to_vec+0x5 [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6\library\alloc\src\slice.rs @ 106] 
03 (Inline Function) --------`-------- authenticate!alloc::slice::impl$0::to_vec_in+0xf [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6\library\alloc\src\slice.rs @ 436] 
04 (Inline Function) --------`-------- authenticate!alloc::slice::impl$0::to_vec+0x19 [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6\library\alloc\src\slice.rs @ 411] 
05 00000061`a44e6e40 00007ff7`34f1a24b authenticate!alloc::vec::impl$35::from<u8>+0x39 [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6\library\alloc\src\vec\mod.rs @ 3094] 
06 00000061`a44e6ec0 00007ff7`34e2512c authenticate!core::convert::impl$3::into<slice$<u8>,alloc::vec::Vec<u8,alloc::alloc::Global> >+0x1b [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6\library\core\src\convert\mod.rs @ 727] 
07 00000061`a44e6f00 00007ff7`34a8d7a1 authenticate!webauthn_authenticator_rs::win10::impl$1::perform_register+0xe3c [~\Documents\webauthn-rs\webauthn-authenticator-rs\src\win10\mod.rs @ 185] 
08 00000061`a44e7d20 00007ff7`34a78cc4 authenticate!authenticate::main::async_block$0+0x1101 [~\Documents\webauthn-rs\webauthn-authenticator-rs\examples\authenticate\main.rs @ 195] 
09 00000061`a44f0a30 00007ff7`34a70e8a authenticate!core::future::from_generator::impl$1::poll<enum2$<authenticate::main::async_block_env$0> >+0x64 [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6\library\core\src\future\mod.rs @ 91] 
0a 00000061`a44f0ac0 00007ff7`34a70c7e authenticate!tokio::runtime::park::impl$4::block_on::closure$0<core::future::from_generator::GenFuture<enum2$<authenticate::main::async_block_env$0> > >+0x4a [~\.cargo\registry\src\github.com-1ecc6299db9ec823\tokio-1.24.1\src\runtime\park.rs @ 283] 
0b (Inline Function) --------`-------- authenticate!tokio::runtime::coop::with_budget+0x58 [~\.cargo\registry\src\github.com-1ecc6299db9ec823\tokio-1.24.1\src\runtime\coop.rs @ 102] 
0c (Inline Function) --------`-------- authenticate!tokio::runtime::coop::budget+0xa8 [~\.cargo\registry\src\github.com-1ecc6299db9ec823\tokio-1.24.1\src\runtime\coop.rs @ 68] 
0d 00000061`a44f0b30 00007ff7`34a8258c authenticate!tokio::runtime::park::CachedParkThread::block_on<core::future::from_generator::GenFuture<enum2$<authenticate::main::async_block_env$0> > >+0x20e [~\.cargo\registry\src\github.com-1ecc6299db9ec823\tokio-1.24.1\src\runtime\park.rs @ 283] 
0e 00000061`a44f2a10 00007ff7`34a70631 authenticate!tokio::runtime::context::BlockingRegionGuard::block_on<core::future::from_generator::GenFuture<enum2$<authenticate::main::async_block_env$0> > >+0x6c [~\.cargo\registry\src\github.com-1ecc6299db9ec823\tokio-1.24.1\src\runtime\context.rs @ 315] 
0f 00000061`a44f4800 00007ff7`34ad0f25 authenticate!tokio::runtime::scheduler::multi_thread::MultiThread::block_on<core::future::from_generator::GenFuture<enum2$<authenticate::main::async_block_env$0> > >+0x81 [~\.cargo\registry\src\github.com-1ecc6299db9ec823\tokio-1.24.1\src\runtime\scheduler\multi_thread\mod.rs @ 66] 
10 00000061`a44f6610 00007ff7`34a80460 authenticate!tokio::runtime::runtime::Runtime::block_on<core::future::from_generator::GenFuture<enum2$<authenticate::main::async_block_env$0> > >+0x105 [~\.cargo\registry\src\github.com-1ecc6299db9ec823\tokio-1.24.1\src\runtime\runtime.rs @ 284] 
11 00000061`a44fa1d0 00007ff7`34aba93b authenticate!authenticate::main+0xe0 [~\Documents\webauthn-rs\webauthn-authenticator-rs\examples\authenticate\main.rs @ 213] 
12 00000061`a44ffc00 00007ff7`34ab698e authenticate!core::ops::function::FnOnce::call_once<void (*)(),tuple$<> >+0xb [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6\library\core\src\ops\function.rs @ 251] 
13 (Inline Function) --------`-------- authenticate!core::hint::black_box [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6\library\core\src\hint.rs @ 226] 
14 00000061`a44ffc40 00007ff7`34a57a41 authenticate!std::sys_common::backtrace::__rust_begin_short_backtrace<void (*)(),tuple$<> >+0xe [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6\library\std\src\sys_common\backtrace.rs @ 124] 
15 00000061`a44ffc70 00007ff7`3560c90e authenticate!std::rt::lang_start::closure$0<tuple$<> >+0x11 [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6\library\std\src\rt.rs @ 166] 
16 (Inline Function) --------`-------- authenticate!core::ops::function::impls::impl$2::call_once+0xb [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6/library\core\src\ops\function.rs @ 286] 
17 (Inline Function) --------`-------- authenticate!std::panicking::try::do_call+0xb [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6/library\std\src\panicking.rs @ 483] 
18 (Inline Function) --------`-------- authenticate!std::panicking::try+0xb [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6/library\std\src\panicking.rs @ 447] 
19 (Inline Function) --------`-------- authenticate!std::panic::catch_unwind+0xb [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6/library\std\src\panic.rs @ 137] 
1a (Inline Function) --------`-------- authenticate!std::rt::lang_start_internal::closure$2+0xb [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6/library\std\src\rt.rs @ 148] 
1b (Inline Function) --------`-------- authenticate!std::panicking::try::do_call+0xb [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6/library\std\src\panicking.rs @ 483] 
1c (Inline Function) --------`-------- authenticate!std::panicking::try+0xb [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6/library\std\src\panicking.rs @ 447] 
1d (Inline Function) --------`-------- authenticate!std::panic::catch_unwind+0xb [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6/library\std\src\panic.rs @ 137] 
1e 00000061`a44ffcb0 00007ff7`34a57a1a authenticate!std::rt::lang_start_internal+0xbe [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6/library\std\src\rt.rs @ 148] 
1f 00000061`a44ffe00 00007ff7`34a80539 authenticate!std::rt::lang_start<tuple$<> >+0x3a [/rustc/90743e7298aca107ddaa0c202a4d3604e29bfeb6\library\std\src\rt.rs @ 165] 
20 00000061`a44ffe70 00007ff7`3588ae5c authenticate!main+0x19
21 (Inline Function) --------`-------- authenticate!invoke_main+0x22 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78] 
22 00000061`a44ffea0 00007ffd`62ee7614 authenticate!__scrt_common_main_seh+0x10c [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 
23 00000061`a44ffee0 00007ffd`630226a1 KERNEL32!BaseThreadInitThunk+0x14
24 00000061`a44fff10 00000000`00000000 ntdll!RtlUserThreadStart+0x21

That should point me at what's broken. :)

micolous commented 1 year ago

Just checking in to see if you could get a stack trace for this?

I figured out how to get my Windows 11 machine to use the platform authenticator – it had a TPM, but the control panel entries to set it up were hidden when connecting over RDP. I couldn't get a crash out of it with the authenticate example.

Unfortunately the Windows 11 machine is ARM, so that can't run Windows 10... so I've now got a TPM on order for my x86_64 Windows 10 machine, so I'll see if that lets me reproduce the issue.

timvw01 commented 1 year ago

Sorry, i was away for a while! Here is the trace:

0:000> k
 # Child-SP          RetAddr           Call Site
00 000000e6`120fc8a0 00007ff7`7f6c6b75 authenticate!windows::core::strings::pcwstr::PCWSTR::as_wide+0xe [C:\Users\Timvw01\.cargo\registry\src\github.com-1ecc6299db9ec823\windows-0.41.0\src\core\strings\pcwstr.rs @ 35] 
01 000000e6`120fc900 00007ff7`7f670a8a authenticate!windows::core::strings::pcwstr::PCWSTR::to_string+0x25 [C:\Users\Timvw01\.cargo\registry\src\github.com-1ecc6299db9ec823\windows-0.41.0\src\core\strings\pcwstr.rs @ 45] 
02 000000e6`120fc960 00007ff7`7f6711f8 authenticate!webauthn_authenticator_rs::win10::extensions::impl$3::try_from+0x3a [E:\Downloads\webauthn-rs-master\webauthn-rs-master\webauthn-authenticator-rs\src\win10\extensions.rs @ 227] 
03 000000e6`120fcd60 00007ff7`7f66378a authenticate!webauthn_authenticator_rs::win10::extensions::native_to_assertion_extensions+0x128 [E:\Downloads\webauthn-rs-master\webauthn-rs-master\webauthn-authenticator-rs\src\win10\extensions.rs @ 251] 
04 000000e6`120fcf30 00007ff7`7f472a22 authenticate!webauthn_authenticator_rs::win10::impl$1::perform_auth+0xffa [E:\Downloads\webauthn-rs-master\webauthn-rs-master\webauthn-authenticator-rs\src\win10\mod.rs @ 311] 
05 000000e6`120fde60 00007ff7`7f45767b authenticate!authenticate::main+0xf92 [E:\Downloads\webauthn-rs-master\webauthn-rs-master\webauthn-authenticator-rs\examples\authenticate\main.rs @ 134] 
06 000000e6`120ffc20 00007ff7`7f45b04e authenticate!core::ops::function::FnOnce::call_once<void (*)(),tuple$<> >+0xb [/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\ops\function.rs @ 248] 
07 (Inline Function) --------`-------- authenticate!core::hint::black_box [/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\hint.rs @ 223] 
08 000000e6`120ffc60 00007ff7`7f45e8a1 authenticate!std::sys_common::backtrace::__rust_begin_short_backtrace<void (*)(),tuple$<> >+0xe [/rustc/897e37553bba8b42751c67658967889d11ecd120\library\std\src\sys_common\backtrace.rs @ 125] 
09 000000e6`120ffc90 00007ff7`7f9f677e authenticate!std::rt::lang_start::closure$0<tuple$<> >+0x11 [/rustc/897e37553bba8b42751c67658967889d11ecd120\library\std\src\rt.rs @ 166] 
0a (Inline Function) --------`-------- authenticate!core::ops::function::impls::impl$2::call_once+0xb [/rustc/897e37553bba8b42751c67658967889d11ecd120/library\core\src\ops\function.rs @ 283] 
0b (Inline Function) --------`-------- authenticate!std::panicking::try::do_call+0xb [/rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src\panicking.rs @ 492] 
0c (Inline Function) --------`-------- authenticate!std::panicking::try+0xb [/rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src\panicking.rs @ 456] 
0d (Inline Function) --------`-------- authenticate!std::panic::catch_unwind+0xb [/rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src\panic.rs @ 137] 
0e (Inline Function) --------`-------- authenticate!std::rt::lang_start_internal::closure$2+0xb [/rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src\rt.rs @ 148] 
0f (Inline Function) --------`-------- authenticate!std::panicking::try::do_call+0xb [/rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src\panicking.rs @ 492] 
10 (Inline Function) --------`-------- authenticate!std::panicking::try+0xb [/rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src\panicking.rs @ 456] 
11 (Inline Function) --------`-------- authenticate!std::panic::catch_unwind+0xb [/rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src\panic.rs @ 137] 
12 000000e6`120ffcd0 00007ff7`7f45e87a authenticate!std::rt::lang_start_internal+0xbe [/rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src\rt.rs @ 148] 
13 000000e6`120ffe20 00007ff7`7f47387c authenticate!std::rt::lang_start<tuple$<> >+0x3a [/rustc/897e37553bba8b42751c67658967889d11ecd120\library\std\src\rt.rs @ 165] 
14 000000e6`120ffe90 00007ff7`7fa1c200 authenticate!main+0x1c
15 (Inline Function) --------`-------- authenticate!invoke_main+0x22 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78] 
16 000000e6`120ffec0 00007ffd`cf4b7614 authenticate!__scrt_common_main_seh+0x10c [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 
17 000000e6`120fff00 00007ffd`d0b226a1 KERNEL32!BaseThreadInitThunk+0x14
18 000000e6`120fff30 00000000`00000000 ntdll!RtlUserThreadStart+0x21

Cannot make much soup of it i'm afraid..

Firstyear commented 1 year ago

@micolous Reading the stack it looks similar to the one we went over last night so I think you got it with the dwVersion fix.

timvw01 commented 1 year ago

Yes it works! Great! ive applied #287 and it now it works as expected.

micolous commented 1 year ago

Yup, that trace is the same.

It looks like that when you use a platform authenticator, the memory layout is a little different.

With a platform credential, the library tries to parse a WEBAUTHN_EXTENSIONS; except that field is not initialised. The extension count (cExtensions) is some very high number. Then the first pExtensions has another valid pointer, which the library derefs. The first field in the WEBAUTHN_EXTENSION struct is pwszExtensionIdentifier (PCWSTR), which we try to deref as well... but that's set to 0.

By comparison, I believe using a non-platform credential, the memory where the WEBAUTHN_EXTENSIONS should be has cExtensions = 0, so doesn't try to convert any more of that struct.

The assumption the library made is that Windows would never try to give us an old WEBAUTHN_ASSERTION struct that was missing the Extensions field... but this only seems to be true on Windows 11. Unfortunately, I haven't mapped out enough of the Windows 10 version of webauthn.dll to see precisely which conditions it'll emit different struct versions.

Extensions are mostly unimplemented in webauthn-authenticator-rs right now anyways.

kanidm / webauthn-rs