I'm following these instructions to build a wdi-simple capable of installing a user-provided signed driver or the WinUSB driver.
wdi_create_list() appears to be crashing due to pfCM_Get_Device_IDA being NULL at libwdi.c:775.
I do not encounter this issue with changeset b3ba0e15237d6385f2971e40cf327a4efd40b484. Bisecting between there and master indicates that a61334522f42e58e8c0d0f4b142a6a0d963be044 introduces the change that results in this behavior.
Just a few observations from stepping through this with a debugger...
I see that pfCM_Get_Device_IDA appears to have a valid value after the wdi_prepare_driver's call to init_dlls() @ libwdi.c:1004.
However, I see that this is getting zeroed out by following the call to wdi_is_driver_supported() @ libwdi.c:1040. The memset call in wdi_is_driver_supported() @ libwdi.c:463 appears to be responsible for this.
Because I'm calling wdi-simple.exe with --type 3, I see that wdi_is_driver_supported() being called with &driver_version[3], which appears to be an out-of-bounds access, given that driver_version is defined as containing three elements. That would explain why that memset() call is clobbering the items that follow the driver_version, including the pfCM_Get_Device_IDA() function pointer.
Hopefully this is some sufficient amount of information. Apologies for not proposing a remediation; I'm a bit short on time for the next few days. However, I'll do my best to reply to requests for additional info, if needed.
This was all from a VS2013 64-bit build, with libusb-win32 and libusbK disabled, and a user-defined driver enabled in config.h.
I'm following these instructions to build a wdi-simple capable of installing a user-provided signed driver or the WinUSB driver.
wdi_create_list() appears to be crashing due to
pfCM_Get_Device_IDA
being NULL at libwdi.c:775.I do not encounter this issue with changeset b3ba0e15237d6385f2971e40cf327a4efd40b484. Bisecting between there and master indicates that a61334522f42e58e8c0d0f4b142a6a0d963be044 introduces the change that results in this behavior.
Just a few observations from stepping through this with a debugger...
I see that
pfCM_Get_Device_IDA
appears to have a valid value after thewdi_prepare_driver
's call toinit_dlls()
@ libwdi.c:1004.However, I see that this is getting zeroed out by following the call to
wdi_is_driver_supported()
@ libwdi.c:1040. Thememset
call in wdi_is_driver_supported() @ libwdi.c:463 appears to be responsible for this.Because I'm calling wdi-simple.exe with
--type 3
, I see thatwdi_is_driver_supported()
being called with&driver_version[3]
, which appears to be an out-of-bounds access, given thatdriver_version
is defined as containing three elements. That would explain why thatmemset()
call is clobbering the items that follow thedriver_version
, including thepfCM_Get_Device_IDA()
function pointer.Hopefully this is some sufficient amount of information. Apologies for not proposing a remediation; I'm a bit short on time for the next few days. However, I'll do my best to reply to requests for additional info, if needed.
This was all from a VS2013 64-bit build, with libusb-win32 and libusbK disabled, and a user-defined driver enabled in config.h.