Huoji-6212 asked; XiaopoYang-MSFT answered

Windows 21H1 kernel memory leak in RtlCheckTokenCapability

Call stack:
3: kd> k
# Child-SP RetAddr Call Site
00 ffffef85`756fed10 fffff802`441b51c4 nt!ExAllocateHeapPool+0x1b1381
01 ffffef85`756fee50 fffff802`43e9502c nt!ExAllocatePoolWithTag+0x64
02 ffffef85`756feea0 fffff802`43d83204 nt!SeQueryInformationToken+0xdc
03 ffffef85`756fefd0 fffff802`44112a29 nt!RtlCheckTokenCapability+0x194
04 ffffef85`756ff2e0 ffffaa93`883d46f9 nt!RtlCapabilityCheck+0x329
05 ffffef85`756ff450 ffffaa93`8877ea62 win32kbase!NtDCompositionCommitSynchronizationObject+0x59
06 ffffef85`756ff490 fffff802`43c0a8b5 win32k!NtDCompositionCommitSynchronizationObject+0x16
07 ffffef85`756ff4c0 00007ff7`f8f94299 nt!KiSystemServiceCopyEnd+0x25
08 000000de`7e1ff288 00007ff7`f8f915ed NtCall64+0x4299
09 000000de`7e1ff290 00007ff7`f8f919ab NtCall64+0x15ed
0a 000000de`7e1ffbe0 00007ffd`f2767034 NtCall64+0x19ab
0b 000000de`7e1ffc10 00007ffd`f3022651 KERNEL32!BaseThreadInitThunk+0x14
0c 000000de`7e1ffc40 00000000`00000000 ntdll!RtlUserThreadStart+0x21

In RtlCheckTokenCapability, this function calls SeQueryInformationToken to get the process token, but it does not free the pool memory that SeQueryInformationToken allocates:
MSDN: [attachment 8.png]
At present: [attachment 7.png]

PoC of this memory leak: [attachment 9.png]


Tags: windows-server, windows-api
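The attachments are not reproduced on this page, so the pattern the question describes is shown here as an added, user-mode C model; it is not code from the question, from NtCall64 or from Windows. SeQueryInformationToken's documented contract is that the information buffer it returns is allocated from pool and the caller must release it with ExFreePool. The model below replaces that routine with a constructed allocator that counts outstanding blocks (standing in for what poolmon or `!poolused` would show as a growing tag), and puts the leaky check next to the corrected one. The token layout, the capability ids, and every function name are hypothetical stand-ins; nothing here calls real kernel routines.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel pool: every allocation bumps a counter
 * and every free decrements it, so a leak shows up as a non-zero balance. */
static long g_pool_outstanding = 0;

static void *pool_alloc(size_t size)
{
    void *p = malloc(size);
    if (p != NULL)
        g_pool_outstanding++;
    return p;
}

static void pool_free(void *p)
{
    if (p != NULL) {
        g_pool_outstanding--;
        free(p);
    }
}

/* Hypothetical token: a short list of capability ids. */
typedef struct {
    size_t   ncaps;
    uint32_t caps[8];
} TOKEN;

/* Caller-owned result buffer, modelled on the SeQueryInformationToken
 * contract: allocated from pool by the query routine, freed by the caller. */
typedef struct {
    size_t   ncaps;
    uint32_t caps[];
} TOKEN_CAPABILITIES_INFO;

static int query_token_capabilities(const TOKEN *token,
                                    TOKEN_CAPABILITIES_INFO **out)
{
    size_t bytes = sizeof(TOKEN_CAPABILITIES_INFO) + token->ncaps * sizeof(uint32_t);
    TOKEN_CAPABILITIES_INFO *info = pool_alloc(bytes);
    if (info == NULL)
        return -1;                       /* think STATUS_INSUFFICIENT_RESOURCES */
    info->ncaps = token->ncaps;
    memcpy(info->caps, token->caps, token->ncaps * sizeof(uint32_t));
    *out = info;
    return 0;                            /* think STATUS_SUCCESS */
}

/* The pattern the question describes: query, scan, return. The buffer the
 * query routine handed back is never returned to the pool on either path. */
static int check_capability_leaky(const TOKEN *token, uint32_t cap)
{
    TOKEN_CAPABILITIES_INFO *info = NULL;
    if (query_token_capabilities(token, &info) != 0)
        return 0;
    for (size_t i = 0; i < info->ncaps; i++)
        if (info->caps[i] == cap)
            return 1;                    /* early return: info leaked */
    return 0;                            /* fall-through: info leaked too */
}

/* Corrected form: single exit, buffer freed whether or not the capability
 * was found. */
static int check_capability_fixed(const TOKEN *token, uint32_t cap)
{
    TOKEN_CAPABILITIES_INFO *info = NULL;
    int found = 0;
    if (query_token_capabilities(token, &info) != 0)
        return 0;
    for (size_t i = 0; i < info->ncaps; i++) {
        if (info->caps[i] == cap) {
            found = 1;
            break;
        }
    }
    pool_free(info);
    return found;
}

/* Drive a check routine the way a syscall loop would (both the found and the
 * not-found path each round) and return how many pool blocks remain
 * outstanding afterwards; 0 means no leak. */
static long pool_growth_after(int (*check)(const TOKEN *, uint32_t), int rounds)
{
    TOKEN token = { 3, { 0x10, 0x20, 0x30 } };   /* constructed sample token */
    long before = g_pool_outstanding;
    for (int i = 0; i < rounds; i++) {
        check(&token, 0x20);             /* present: early-return path */
        check(&token, 0x99);             /* absent: fall-through path */
    }
    return g_pool_outstanding - before;
}

int main(void)
{
    printf("leaky: %ld blocks outstanding after 1000 rounds\n",
           pool_growth_after(check_capability_leaky, 1000));
    printf("fixed: %ld blocks outstanding after 1000 rounds\n",
           pool_growth_after(check_capability_fixed, 1000));
    return 0;
}
```

The same measurement is what a practitioner would do against the real kernel: loop the triggering syscall from user mode and watch the pool tag's outstanding byte count with poolmon or `!poolused`, rather than relying on a single call stack; a steadily growing count across many iterations is the evidence that distinguishes a leak from a buffer that is freed later by another routine.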

RtlCheckTokenCapability is an undocumented API. Could you please show a minimal, reproducible sample without private information?


Try using https://github.com/hfiref0x/NtCall64 to fuzz win32k!NtDCompositionCommitSynchronizationObject.

NtDCompositionCommitSynchronizationObject will call RtlCheckTokenCapability.


1 Answer

XiaopoYang-MSFT answered

You can issue a bug through Windows Feedback Hub.
