winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License

Instant crash on starting another application #1709

Closed UserUnknownFactor closed 1 year ago

UserUnknownFactor commented 1 year ago

Brief description of your issue

Running a Godot-engine app with gdnative C++ code and embedded .pck file causes System Informer to insta-crash on each app start. This can be a security vulnerability, too.

Steps to reproduce (optional)

Run an .exe with malformed icon data, maybe.

Expected behavior (optional)

No response

Actual behavior (optional)

Mini-dump content:

CONTEXT:  (.ecxr)
rax=0000000000007bbe rbx=0000000000009f4f rcx=0000000000000000
rdx=00000188e7521200 rsi=00000188e7521200 rdi=0000000000000000
rip=00007ff7b0c8d496 rsp=0000001138dff678 rbp=0000001138dff6e8
 r8=0000000000000000  r9=000000000000000e r10=0000000000000000
r11=00000188e755f000 r12=0000001138dff7a0 r13=00000188e7521200
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz ac po cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
SystemInformer!PhExtractIcon+0x156:
00007ff7`b0c8d496 418b0b          mov     ecx,dword ptr [r11] ds:00000188`e755f000=????????
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff7b0c8d496 (SystemInformer!PhExtractIcon+0x0000000000000156)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000188e755f000
Attempt to read from address 00000188e755f000

PROCESS_NAME:  SystemInformer.exe
READ_ADDRESS:  00000188e755f000 
ERROR_CODE: (NTSTATUS) 0xc0000005
EXCEPTION_CODE_STR:  c0000005
EXCEPTION_PARAMETER1:  0000000000000000
EXCEPTION_PARAMETER2:  00000188e755f000

STACK_TEXT:  
SystemInformer!PhExtractIcon+0x156
SystemInformer!PhExtractIconEx+0x1f1
SystemInformer!PhImageListExtractIcon+0x125
SystemInformer!PhEnumProcessItems+0x44f
SystemInformer!PhGetStatisticsTimeString+0x21d9
SystemInformer!PhInitializeProviderThread+0x211
SystemInformer!PhAutoDereferenceObject+0x4ab
kernel32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

STACK_COMMAND:  ~3s; .ecxr ; kb
SYMBOL_NAME:  SystemInformer+156
MODULE_NAME: SystemInformer
IMAGE_NAME:  SystemInformer.exe
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_SystemInformer.exe!Unknown
OS_VERSION:  10.0.19041.1
BUILDLAB_STR:  vb_release
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 10
IMAGE_VERSION:  3.0.11049.6522
FAILURE_ID_HASH:  {b271a9f9-efc9-ea7b-e213-bd1d4817e73e}
Followup:     MachineOwner

Environment (optional)

Key  : WER.OS.Version
Value: 10.0.19041.1

Key  : WER.Process.Version
Value: 3.0.11049.6522

dmex commented 1 year ago

> This can be a security vulnerability, too. Run an .exe with malformed icon data

This crash was caused by incorrect string concatenation for system32 directories containing MUN resource redirection and was reported and fixed weeks ago. Malformed data cannot cause vulnerabilities because we're using commit sections for resource lookup and validate data unlike other software.

> IMAGE_VERSION: 3.0.11049.6522

You're running an old version and need to update to r6550.
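
For readers triaging a dump like the one in the report, the following is an added example (not part of the issue thread and not System Informer code) that classifies the access violation from the `.exr -1` fields. The function name, the 4 KiB page size and the sample text (copied from the dump above) are assumptions of this example.

```python
import re

# Constructed sample: fields copied from the mini-dump quoted in this issue.
SAMPLE = """\
ExceptionAddress: 00007ff7b0c8d496 (SystemInformer!PhExtractIcon+0x0000000000000156)
   ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000188e755f000
"""

# For STATUS_ACCESS_VIOLATION, Parameter[0] encodes the kind of access.
ACCESS_TYPES = {0: "read", 1: "write", 8: "execute (DEP)"}
PAGE_SIZE = 0x1000  # assumption: 4 KiB pages


def triage_access_violation(exr_text):
    """Classify an access violation from WinDbg `.exr -1` style text."""
    def field(name):
        m = re.search(rf"^\s*{re.escape(name)}:\s*([0-9a-fA-F`]+)", exr_text, re.M)
        if m is None:
            raise ValueError(f"missing field: {name}")
        # WinDbg may print 64-bit values as 00007ff7`b0c8d496
        return int(m.group(1).replace("`", ""), 16)

    code = field("ExceptionCode")
    if code != 0xC0000005:
        raise ValueError(f"not an access violation: {code:#x}")
    kind = field("Parameter[0]")
    addr = field("Parameter[1]")
    sym = re.search(r"ExceptionAddress:\s*\S+\s*\(([^)]+)\)", exr_text)
    return {
        "access": ACCESS_TYPES.get(kind, f"unknown ({kind})"),
        "address": addr,
        # The lowest 64 KiB is never mapped on Windows: NULL-pointer style fault.
        "null_page": addr < 0x10000,
        # Heuristic: a fault on the first byte of a page is consistent with a
        # sequential access running off the end of a mapped region.
        "page_aligned": addr % PAGE_SIZE == 0,
        "faulting_symbol": sym.group(1) if sym else None,
    }


if __name__ == "__main__":
    for key, value in triage_access_violation(SAMPLE).items():
        print(f"{key}: {value:#x}" if key == "address" else f"{key}: {value}")
```

For this dump the result is a read fault at a page-aligned, non-NULL address inside `PhExtractIcon`; that narrows the bug class but says nothing by itself about exploitability.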