Slide 1
Mario Hewardt, Senior Development Lead, Microsoft Corporation
Daniel Pravat, Senior Development Lead, Microsoft Corporation
...and we approve this message
Slide 6 (chart): Source: Coverity White Paper
Slide 12 (section divider): Daniel Pravat
Slide 19: Deadlock
Two critical sections, cs_DB1 and cs_DB2, are taken by Thread 0 and Thread 1 in opposite order. Each thread ends up holding one section while waiting for the other, so neither makes progress: no progress = deadlock. The root cause is that the acquisition order is reversed between the two threads.
Lock-order rule: the sequences may differ in length, as long as locks are always taken in the same relative order.
A,B,C = OK
B,C = OK
A,B = OK
A,C = OK
B,C,A = Deadlock (A is taken after B and C, reversing the order)
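The ordering rule from the slide can be enforced mechanically by giving every lock a rank and refusing any acquisition whose rank is not higher than everything the thread already holds. The following is an added example in portable C, not code from the presentation or the AWD book; the lock table with A, B and C (ranks 1, 2, 3) and the two-thread cs_DB1/cs_DB2 replay are constructed to mirror the slide, and the ranks are an assumption about the intended order.

```c
/* Added example, not from the deck: a lock-hierarchy checker in portable C.
 * Every lock gets a rank. A thread may acquire a lock only if its rank is
 * higher than that of every lock it already holds, which is the discipline
 * the slide's A,B,C / B,C / A,B / A,C sequences obey and B,C,A violates. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HELD 16

typedef struct { const char *name; int rank; } ranked_lock_t;

typedef struct {
    const ranked_lock_t *held[MAX_HELD];  /* locks this thread holds, in acquisition order */
    int n;
} thread_locks_t;

/* Records the acquisition and returns true if it respects the hierarchy;
 * returns false, recording nothing, when a held lock outranks the new one. */
bool lock_acquire(thread_locks_t *t, const ranked_lock_t *l) {
    for (int i = 0; i < t->n; i++)
        if (t->held[i]->rank >= l->rank) return false;
    if (t->n >= MAX_HELD) return false;
    t->held[t->n++] = l;
    return true;
}

void lock_release(thread_locks_t *t, const ranked_lock_t *l) {
    for (int i = 0; i < t->n; i++) {
        if (t->held[i] != l) continue;
        memmove(&t->held[i], &t->held[i + 1], (size_t)(t->n - i - 1) * sizeof t->held[0]);
        t->n--;
        return;
    }
}

/* Hypothetical lock table mirroring the slide's A, B and C; rank = required order. */
static const ranked_lock_t LOCK_TABLE[] = { {"A", 1}, {"B", 2}, {"C", 3} };

static const ranked_lock_t *lookup(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof LOCK_TABLE / sizeof LOCK_TABLE[0]; i++)
        if (strlen(LOCK_TABLE[i].name) == len && strncmp(LOCK_TABLE[i].name, name, len) == 0)
            return &LOCK_TABLE[i];
    return NULL;
}

/* Checks a comma-separated acquisition sequence such as "B,C,A". Returns -1
 * when every step is legal, otherwise the 0-based position of the first lock
 * that is taken out of order (or whose name is unknown). */
int check_sequence(const char *seq) {
    thread_locks_t t = { {0}, 0 };
    int pos = 0;
    for (const char *p = seq; *p; ) {
        while (*p == ',' || *p == ' ') p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ',' && *p != ' ') p++;
        const ranked_lock_t *l = lookup(start, (size_t)(p - start));
        if (l == NULL || !lock_acquire(&t, l)) return pos;
        pos++;
    }
    return -1;
}

/* Replays the slide's scenario: thread 0 takes cs_DB1 then cs_DB2, thread 1
 * takes cs_DB2 then cs_DB1. Returns the number of the thread whose order
 * breaks the hierarchy, or -1 if both follow it. */
int find_reversed_thread(void) {
    static const ranked_lock_t cs_DB1 = {"cs_DB1", 1}, cs_DB2 = {"cs_DB2", 2};
    thread_locks_t t0 = { {0}, 0 }, t1 = { {0}, 0 };
    bool ok0 = lock_acquire(&t0, &cs_DB1) && lock_acquire(&t0, &cs_DB2);
    lock_release(&t0, &cs_DB2);
    lock_release(&t0, &cs_DB1);
    bool ok1 = lock_acquire(&t1, &cs_DB2) && lock_acquire(&t1, &cs_DB1);
    return !ok0 ? 0 : (!ok1 ? 1 : -1);
}

int main(void) {
    const char *cases[] = { "A,B,C", "B,C", "A,B", "A,C", "B,C,A" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int v = check_sequence(cases[i]);
        if (v < 0) printf("%-6s OK\n", cases[i]);
        else       printf("%-6s Deadlock risk: lock %d taken out of order\n", cases[i], v);
    }
    printf("reversed acquisition order on thread %d\n", find_reversed_thread());
    return 0;
}
```

In a real code base the rank check would sit inside the lock wrapper (EnterCriticalSection or the C++ guard) and fire an assertion in debug builds, so the reversed order on Thread 1 is reported at the first run that takes both locks rather than only when the timing happens to deadlock.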
Slide 21 (diagram): Remote debugging setup: one or more test systems, a remote client and a smart client, with the symbols and sources available to the debugging client.
Slide 22 (section divider): Daniel Pravat
Slide 23: Stack corruption caused by another thread
DisplayError calls Sleep; the return address is saved on the stack.
Sleep calls SleepEx; the return address is saved.
...
The return address is changed to X, and execution starts at X.
There is another thread smashing the stack.
Questions raised: How to catch this async operation? What are the implications of this bug? Can the execution be controlled? Can this execution be prevented?
Welcome NX bit.
Caveat: the NX bit (DEP) only refuses to execute code from data pages such as the stack, so a return address redirected into stack data faults instead of running. It does not stop the return address from being overwritten in the first place, so the corrupting thread still has to be found.
Slide 26 (section divider): Daniel Pravat
Slide 27: Symbol server workflow
1. Build a new version
2. Extract public symbols
3. Index symbols
4. Publish symbols
5. Use symbols
Slide 32: Source indexing workflow
1. Build a new version
2. Extract the source file list
3. Store the information required to retrieve each file from source control (SC)
4. Publish symbols
5. Use the symbols
Slide 34: The srcsrv stream of a source-indexed PDB (pdbstr -r reads the named stream back out of the PDB)

```
C:\>pdbstr -r -p:%_NT386TREE%\sym.pri\retail\exe\03sample.pdb -s:srcsrv
SRCSRV: ini ------------------------
VERSION=1
INDEXVERSION=2
VERCTRL=Visual Source Safe
DATETIME=Mon Jan 8 00:04:15 2007
SRCSRV: variables ---------------------
SSDIR=C:\AWD\VSS
SRCSRVENV=SSDIR=%AWD%
VSSTRGDIR=%targ%\%var2%\%fnbksl%(%var3%)\%var4%
VSS_EXTRACT_CMD=ss.exe get -GL"%vsstrgdir%" -GF- -I-Y -W "$/%var3%" -V"%var4%"
VSS_EXTRACT_TARGET=%targ%\%var2%\%fnbksl%(%var3%)\%var4%\%fnfile%(%var1%)
AWD=C:\AWD\VSS
SRCSRVTRG=%VSS_extract_target%
SRCSRVCMD=%VSS_extract_cmd%
SRCSRV: source files --------------------
c:\awd\chapter3\spydbg.cpp*AWD*chapter3/spydbg.cpp*VERSION1
SRCSRV: end ------------------------
```

Each record in the source files section is a list of `*`-separated fields that become %var1%, %var2%, ... when the debugger needs that file. SRCSRVTRG expands to the local path the file is extracted to and SRCSRVCMD to the source-control command the debugger runs to fetch it.
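To make the variable expansion concrete, here is an added example, not from the presentation, that reads the slide's variables and one source-file record and computes what the debugger would execute. It is written in portable C; the %fnbksl%() and %fnfile%() helpers are implemented as their names describe (backslash conversion and file-name extraction), and the %targ% extraction root, which the debugger normally supplies, is assumed to be C:\src.

```c
/* Added example, not from the deck: a small reader for the srcsrv stream
 * above. It splits one "source files" record on '*' into %var1%..%varN%,
 * then expands SRCSRVTRG and SRCSRVCMD the way the debugger does, including
 * the %fnbksl%() and %fnfile%() helpers. %targ% (the local extraction root)
 * is supplied by the debugger; the C:\src used here is an assumption. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_VARS 32
#define BUF      512

typedef struct { char name[32]; char value[BUF]; } var_t;
static var_t vars[MAX_VARS];
static int   nvars;

/* Case-insensitive compare of key[0..len) against a NUL-terminated name;
 * srcsrv variable names are not case sensitive (%VSS_extract_target%). */
static int ci_eq(const char *name, const char *key, size_t len) {
    if (strlen(name) != len) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)name[i]) != tolower((unsigned char)key[i])) return 0;
    return 1;
}

void set_var(const char *name, const char *value) {
    for (int i = 0; i < nvars; i++)
        if (ci_eq(vars[i].name, name, strlen(name))) { snprintf(vars[i].value, BUF, "%s", value); return; }
    if (nvars < MAX_VARS) {
        snprintf(vars[nvars].name, sizeof vars[nvars].name, "%s", name);
        snprintf(vars[nvars].value, BUF, "%s", value);
        nvars++;
    }
}

static const char *lookup(const char *key, size_t len) {
    for (int i = 0; i < nvars; i++)
        if (ci_eq(vars[i].name, key, len)) return vars[i].value;
    return NULL;
}

/* Expands %name% references recursively; unknown names are copied verbatim. */
void expand(const char *in, char *out, size_t cap, int depth) {
    size_t o = 0;
    out[0] = '\0';
    while (*in && o + 1 < cap) {
        const char *end = (*in == '%') ? strchr(in + 1, '%') : NULL;
        if (!end) { out[o++] = *in++; out[o] = '\0'; continue; }
        size_t nlen = (size_t)(end - in - 1);
        const char *next = end + 1;
        char tmp[BUF] = "";
        int bksl = (nlen == 6 && ci_eq("fnbksl", in + 1, 6));
        int file = (nlen == 6 && ci_eq("fnfile", in + 1, 6));
        if ((bksl || file) && *next == '(' && strchr(next, ')')) {
            const char *close = strchr(next, ')');
            char raw[BUF], arg[BUF];
            snprintf(raw, sizeof raw, "%.*s", (int)(close - next - 1), next + 1);
            expand(raw, arg, sizeof arg, depth + 1);      /* the argument is itself a %var% */
            const char *base = arg;
            for (char *p = arg; *p; p++) {
                if (bksl && *p == '/') *p = '\\';                       /* %fnbksl%: '/' -> '\' */
                if (file && (*p == '\\' || *p == '/')) base = p + 1;    /* %fnfile%: keep file name */
            }
            snprintf(tmp, sizeof tmp, "%s", base);
            next = close + 1;
        } else {
            const char *val = lookup(in + 1, nlen);
            if (val && depth < 16) expand(val, tmp, sizeof tmp, depth + 1);
            else snprintf(tmp, sizeof tmp, "%.*s", (int)(next - in), in);
        }
        int w = snprintf(out + o, cap - o, "%s", tmp);
        if (w < 0) break;
        o += (size_t)w;
        if (o >= cap) { o = cap - 1; break; }
        in = next;
    }
    out[o] = '\0';
}

/* Variables from the slide's "SRCSRV: variables" section (SRCSRVENV omitted). */
void load_slide_variables(const char *targ) {
    nvars = 0;
    set_var("targ", targ);
    set_var("SSDIR", "C:\\AWD\\VSS");
    set_var("AWD", "C:\\AWD\\VSS");
    set_var("VSSTRGDIR", "%targ%\\%var2%\\%fnbksl%(%var3%)\\%var4%");
    set_var("VSS_EXTRACT_CMD", "ss.exe get -GL\"%vsstrgdir%\" -GF- -I-Y -W \"$/%var3%\" -V\"%var4%\"");
    set_var("VSS_EXTRACT_TARGET", "%targ%\\%var2%\\%fnbksl%(%var3%)\\%var4%\\%fnfile%(%var1%)");
    set_var("SRCSRVTRG", "%VSS_extract_target%");
    set_var("SRCSRVCMD", "%VSS_extract_cmd%");
}

/* Splits a record on '*' into var1..varN, then expands target and command. */
int index_record(const char *record, char *target, size_t tcap, char *cmd, size_t ccap) {
    char copy[BUF], name[8];
    int n = 0;
    snprintf(copy, sizeof copy, "%s", record);
    for (char *tok = strtok(copy, "*"); tok; tok = strtok(NULL, "*")) {
        snprintf(name, sizeof name, "var%d", ++n);
        set_var(name, tok);
    }
    expand("%SRCSRVTRG%", target, tcap, 0);
    expand("%SRCSRVCMD%", cmd, ccap, 0);
    return n;
}

static const char SLIDE_RECORD[] = "c:\\awd\\chapter3\\spydbg.cpp*AWD*chapter3/spydbg.cpp*VERSION1";
static char g_target[BUF], g_cmd[BUF];

const char *slide_target(void) {
    load_slide_variables("C:\\src");
    index_record(SLIDE_RECORD, g_target, BUF, g_cmd, BUF);
    return g_target;
}
const char *slide_command(void) { slide_target(); return g_cmd; }

int main(void) {
    printf("target:  %s\ncommand: %s\n", slide_target(), slide_command());
    return 0;
}
```

The command string is assembled entirely from the PDB's own stream and then run by the debugger, which is the security-relevant point of source indexing: only PDBs from a symbol server you control should be allowed to drive it.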
Slide 45 (diagram): Handle table. User-mode CreateEvent(...) calls go through the Win32 API into the kernel, where handle table entries hanging off the EPROCESS point at object headers (Event, Mutant); the diagram shows the per-object reference and handle counts ("Ref Count", "Obj Count") on the user/kernel boundary.
Slide 46: Acquiring and releasing a handle

```cpp
HANDLE hFile = CreateFile(pWorkerData->pszFileName,
                          FILE_READ_DATA,
                          FILE_SHARE_READ,
                          NULL,
                          OPEN_EXISTING,
                          FILE_ATTRIBUTE_NORMAL,
                          NULL);
if (hFile != INVALID_HANDLE_VALUE)   // CreateFile signals failure with INVALID_HANDLE_VALUE, not NULL
{
    // Use file handle
    CloseHandle(hFile);              // every successful CreateFile needs a matching CloseHandle
}
```
Slide 48: Leak investigation flow
Leak? No: Done.
Leak? Yes: identify the type of resource -> initial analysis -> use tools -> avoidance strategy -> Done.
Slide 49 (section divider): Mario Hewardt
Slide 53 (diagram): Heap architecture. The application allocates from the default process heap, the C runtime heap(s) and other heaps; all of them are implemented by the Heap Manager, which obtains its memory from the Virtual Memory Manager.
Slide 54: Allocating and freeing from the process heap

```cpp
BYTE* pMem = (BYTE*)HeapAlloc(GetProcessHeap(), 0, 100);
if (pMem != NULL)
{
    // Use memory
    HeapFree(GetProcessHeap(), 0, pMem);   // free on the same heap the block came from
}
```
Slide 56 (section divider): Mario Hewardt
Slide 63 (diagram): Multi-tier application: web client -> web front-ends -> middle tier -> database back-end.
Slide 67: Inspecting a token with !token

```
0:000> !token 7bc -n
TS Session ID: 0
User: S-1-5-21-1060284298-2111687655-1957994488-1003 (User: XP-SP2\TestAdmin)
Groups:
 00 S-1-5-21-1060284298-2111687655-1957994488-513 (Group: XP-SP2\None)
    Attributes - Mandatory Default Enabled
 01 S-1-1-0 (Well Known Group: localhost\Everyone)
    Attributes - Mandatory Default Enabled
 02 S-1-5-32-544 (Alias: BUILTIN\Administrators)
    Attributes - Mandatory Default Enabled Owner
 03 S-1-5-32-545 (Alias: BUILTIN\Users)
    Attributes - Mandatory Default Enabled
 04 S-1-5-4 (Well Known Group: NT AUTHORITY\INTERACTIVE)
    Attributes - Mandatory Default Enabled
 05 S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)
    Attributes - Mandatory Default Enabled
 06 S-1-5-5-0-35778 (no name mapped)
    Attributes - Mandatory Default Enabled LogonId
 07 S-1-2-0 (Well Known Group: localhost\LOCAL)
    Attributes - Mandatory Default Enabled
Primary Group: S-1-5-21-1060284298-2111687655-1957994488-513 (Group: XP-SP2\None)
Privs:
 00 0x000000017 SeChangeNotifyPrivilege   Attributes - Enabled Default
 01 0x000000008 SeSecurityPrivilege       Attributes -
 ...
 17 0x000000009 SeTakeOwnershipPrivilege  Attributes -
 18 0x00000001e SeCreateGlobalPrivilege   Attributes - Enabled Default
 19 0x00000001d SeImpersonatePrivilege    Attributes - Enabled Default
Auth ID: 0:1c3a8
Impersonation Level: Identification
TokenType: Impersonation
```

Reading the output: the token belongs to a member of BUILTIN\Administrators (which is also the owner SID), but only the privileges marked Enabled Default are in effect; SeSecurityPrivilege and SeTakeOwnershipPrivilege are held yet disabled until the code calls AdjustTokenPrivileges. It is an impersonation token at Identification level, so a server thread impersonating it can learn the client's identity and groups but cannot open objects on the client's behalf.
Slide 69: Inspecting an ACL with !acl

```
0:000> !acl 000840ac
ACL is:
ACL is: ->AclRevision: 0x2
ACL is: ->Sbz1 : 0x0
ACL is: ->AclSize : 0x1c
ACL is: ->AceCount : 0x1
ACL is: ->Sbz2 : 0x0
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->AceFlags: 0x0
ACL is: ->Ace[0]: ->AceSize: 0x14
ACL is: ->Ace[0]: ->Mask : 0x00120089
ACL is: ->Ace[0]: ->SID: S-1-1-0
```

The single ACE grants Everyone (S-1-1-0) mask 0x00120089, which is FILE_GENERIC_READ: FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE. The sizes are consistent: an 8-byte ACL header plus one 0x14-byte ACE (4-byte ACE header, 4-byte mask, 12-byte SID) gives AclSize 0x1c.
Slide 70: Inspecting a security descriptor with !sd

```
kd> !sd 00084098
->Revision: 0x1
->Sbz1 : 0x0
->Control : 0x8004
           SE_DACL_PRESENT
           SE_SELF_RELATIVE
->Owner : S-1-5-18
->Group : S-1-5-32-544
->Dacl :
->Dacl : ->AclRevision: 0x2
->Dacl : ->Sbz1 : 0x0
->Dacl : ->AclSize : 0x1c
->Dacl : ->AceCount : 0x1
->Dacl : ->Sbz2 : 0x0
->Dacl : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl : ->Ace[0]: ->AceFlags: 0x0
->Dacl : ->Ace[0]: ->AceSize: 0x14
->Dacl : ->Ace[0]: ->Mask : 0x00120089
->Dacl : ->Ace[0]: ->SID: S-1-1-0
->Sacl : is NULL
```

The descriptor is owned by LocalSystem (S-1-5-18) with BUILTIN\Administrators (S-1-5-32-544) as primary group, carries the same read-only DACL shown by !acl, and has no SACL, so no auditing is configured for the object.
Slide 72 (section divider): Daniel Pravat
Slide 73: A blocking DCOM call from an MTA client

```cpp
void MTAClientCall()
{
    COSERVERINFO si;
    MULTI_QI mqi;
    ...
    if (SUCCEEDED(CoCreateInstanceEx(CLSID_Calculator, NULL,
                                     CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER,
                                     &si, 1, &mqi)))
    {
        // CoCreateInstanceEx can return CO_S_NOTALLINTERFACES, so mqi.hr
        // should also be checked before mqi.pItf is used.
        ICalculator *pCalculator = (ICalculator *)mqi.pItf;
        __int32 result = 0;
        wprintf(L"Calling SumSlow...");
        pCalculator->SumSlow(1, 2, &result);   // out-of-process call; blocks until the server answers
        pCalculator->Release();
        wprintf(L"done\n");
    }
}
```
Slide 74 (diagram): DCOM activation path. The DCOM client on the remote client machine contacts RPCSS on the server host; RPCSS asks the SCM on the host OS to launch the DCOM server (DCOM launch), which then services the client's calls.
Slide 75 (section divider): Daniel Pravat
Slide 83 (diagram): Heap architecture, repeated from slide 53 (application, default process heap, C runtime heaps and other heaps on top of the Heap Manager, which sits on the Virtual Memory Manager).
Slide 84 (diagram): Lookaside table, one entry per block size: (unused), 16, 24, 32, ... 1024.
Slide 85 (diagram): Free lists: list 0 holds blocks of variable size, the remaining lists hold blocks of exactly 16, 24, ... 1016 bytes (the unused first entry corresponds to an impossible 8-byte block); each list chains its free blocks, and the segment list tracks the heap's segments.
Slide 87 (diagram legend): Busy block, Uncommitted range, Free block.
Slide 89 (diagram): Heap block layout
Normal block: pre-allocation metadata (Current Size, Previous Size, Seg Index, Flags, Unused, Tag Index), then the user accessible part, then post-allocation metadata.
Block with heap debugging enabled: the same pre- and post-allocation metadata plus fill areas (debug), suffix bytes and heap extra around the user accessible part.
Slide 90 (diagram): Three adjacent blocks with allocation sizes 32, 16 and 64.
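The header fields and free-list buckets on the preceding slides are enough to walk a segment and notice when a header no longer agrees with its neighbour, which is what the heap checks do when an overrun is later caught. The following is an added example, not from the presentation, modelling the 8-byte header listed on slide 89 and the three blocks of slide 90 in portable C. It assumes the 32-bit pre-Vista heap layout (8-byte granularity, 8-byte header, 128 free lists); the overrun it injects is constructed.

```c
/* Added example, not from the deck: a model of the 8-byte block header the
 * slide lists and of the free-list bucketing, used to walk a constructed
 * segment and detect a header overwritten by a heap overrun. Assumes the
 * 32-bit pre-Vista layout: 8-byte granularity, 8-byte header, 128 free lists. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE          8u
#define HEADER_SIZE      8u
#define MAX_FREELISTS    128
#define HEAP_ENTRY_BUSY  0x01

typedef struct {
    uint16_t Size;          /* whole block, header included, in 8-byte units */
    uint16_t PreviousSize;  /* Size of the block immediately before this one */
    uint8_t  SegmentIndex;
    uint8_t  Flags;
    uint8_t  UnusedBytes;   /* slack between the caller's size and the block end */
    uint8_t  SmallTagIndex;
} heap_entry_t;

/* Units the block for a request occupies: header plus data, rounded up. */
uint16_t block_granules(size_t request) {
    return (uint16_t)((request + HEADER_SIZE + GRANULE - 1) / GRANULE);
}

/* Dedicated list for blocks of 16 .. 1016 bytes; list 0 holds the variable-size rest. */
int freelist_index(uint16_t granules) {
    return granules < MAX_FREELISTS ? granules : 0;
}

/* Lays out consecutive busy blocks; returns bytes used, or 0 if seg is too small. */
size_t carve_blocks(uint8_t *seg, size_t cap, const size_t *requests, int n) {
    size_t off = 0;
    uint16_t prev = 0;
    for (int i = 0; i < n; i++) {
        uint16_t g = block_granules(requests[i]);
        if (off + g * GRANULE > cap) return 0;
        heap_entry_t e = { g, prev, 0, HEAP_ENTRY_BUSY,
                           (uint8_t)(g * GRANULE - HEADER_SIZE - requests[i]), 0 };
        memcpy(seg + off, &e, HEADER_SIZE);                  /* header */
        memset(seg + off + HEADER_SIZE, 0xAB, requests[i]);  /* caller's bytes */
        prev = g;
        off += g * GRANULE;
    }
    return off;
}

/* Walks the segment the way !heap does and returns -1 when every header is
 * consistent, else the index of the first block whose header is suspect:
 * Size of 0, a block running past the segment, or a PreviousSize that does
 * not match the Size recorded in the block before it. */
int walk_segment(const uint8_t *seg, size_t used) {
    size_t off = 0;
    uint16_t prev = 0;
    for (int idx = 0; off < used; idx++) {
        heap_entry_t e;
        memcpy(&e, seg + off, HEADER_SIZE);
        if (e.Size == 0 || e.PreviousSize != prev || off + e.Size * GRANULE > used) return idx;
        prev = e.Size;
        off += e.Size * GRANULE;
    }
    return -1;
}

/* Builds the three blocks from the slide (32, 16 and 64 bytes requested) and
 * returns the walker's verdict; with overrun != 0 the 16-byte allocation is
 * first overwritten 8 bytes past its end, which lands on the next header. */
int demo_walk(int overrun) {
    static uint8_t seg[256];
    const size_t requests[] = { 32, 16, 64 };
    size_t used = carve_blocks(seg, sizeof seg, requests, 3);
    if (used == 0) return -2;
    if (overrun) {
        size_t user16 = block_granules(32) * GRANULE + HEADER_SIZE;  /* start of the 16-byte buffer */
        memset(seg + user16, 0x41, 16 + 8);                          /* strcpy-style overrun */
    }
    return walk_segment(seg, used);
}

int main(void) {
    printf("32 -> %u units, 16 -> %u units, 64 -> %u units\n",
           block_granules(32), block_granules(16), block_granules(64));
    printf("clean walk: %d, after overrun: %d\n", demo_walk(0), demo_walk(1));
    return 0;
}
```

The walker reports block 2 after the overrun because its PreviousSize no longer equals the Size stored in block 1; the real heap performs the same neighbour check when it coalesces free blocks, which is why an overrun often surfaces as a crash in HeapFree far from the code that wrote out of bounds.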
Slide 92 (section divider): Mario Hewardt
Slide 100 (diagram): Windows Error Reporting flow. Process crash -> Dr. Watson -> crash data sent over HTTPS -> Windows Error Reporting service -> fault response returned over HTTPS ("Error Sent"). The ISV later queries the fault data from the service.
Slide 101 (section divider): Mario Hewardt
Slide 105 (section divider): Daniel Pravat
Slide 109: Client loop issuing WS-Management requests

```csharp
static void Main()
{
    ...
    int operationCount = 0;
    for (;;)
    {
        operationCount++;
        HostInfo hi = HostInfo.GetDefault(hostAddress, userName, password);
        IWSManSession session = GetSession(hi);
        string response = session.Get("wmicimv2/Win32_OperatingSystem", 0);
        Console.Write("\rNumber of calls: " + operationCount);
    }
    ...
}
```
Slide 110: Session cache

```csharp
public static IWSManSession GetSession(HostInfo hi)
{
    IWSManSession session = null;
    // Get a cached session
    string key = hi.GetKey();
    if (!sessionCache.TryGetValue(key, out session))
    {
        session = CreateSession(hi);
        sessionCache[key] = session;
    }
    return session;
}
```
Slide 111 (section divider): Daniel Pravat
Slide 118
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.