[BUG] Glasswire BSOD

Started by fixer, December 18, 2018, 07:23:23 PM

Previous topic - Next topic

fixer

If you have Glasswire installed and you're experiencing "blue screen of death" DPC Watchdog Violation with code 133, this blogpost is for you.

At first I'd like to say that ReHIPS has nothing to do with it. These are Glasswire bugs. Here are some that were found during our research.

1. They try to allocate memory in a cycle. If allocation failed, they allocate again. So if for some reason allocation can't succeed (like system is running out of memory or some parameter is wrong) it'll get into infinite cycle. No error checking, nothing, just infinite cycle. This'll lead to either hang thread (and probably system) or system crash (on high IRQL windows will detect too long DPC execution and will BSOD).

2. They don't properly check NET_BUFFER-s for inspection. They get NET_BUFFER_DATA with zero CurrentMdl, CurrentMdlOffset and NbDataLength and still try to call NdisAdvanceNetBufferDataStart without any checking. It leads to negative signed (or very big unsigned) NbDataLength value. So they try to allocate 0xfffffff5 bytes of memory, failing and entering infinite cycle.