[Bug] Misbehaving mstasks.dll and heap corruption

Started by fixer, May 30, 2017, 10:40:28 AM


fixer

Just load a DLL and unload it. What can possibly go wrong? Easy-peasy? Not quite, as it turns out. The problem with mstasks.dll is that GetCurrentActCtx is called in DllMain when the DLL is loaded. If something goes wrong later, it frees resources (calls ReleaseActCtx) and returns FALSE from DllMain, meaning initialization failed. But they forgot one thing: "If the return value is FALSE when DllMain is called because the process uses the LoadLibrary function, LoadLibrary returns NULL. (The system immediately calls your entry-point function with DLL_PROCESS_DETACH and unloads the DLL.)" So DllMain with DLL_PROCESS_DETACH is called, and it calls ReleaseActCtx again, freeing the same context again. Best-case scenario: it'll cause reference counter desynchronization; worst-case scenario: the context will be released and the memory double-freed, corrupting the heap.

So beware not to spoil mstasks.dll loading, it'll corrupt your heap in revenge!

This issue was found several months ago; it wasn't fixed then. I haven't checked it since.
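The double-release pattern from the post, as an added example that is not code from fixer or from mstasks.dll. To keep it buildable off Windows, GetCurrentActCtx/ReleaseActCtx and the loader are replaced by constructed stand-ins that count releases instead of freeing memory, and DllMain's signature is reduced to the reason code plus a flag that forces the initialization failure; the real heap gives no such counter, which is why the original bug shows up only as corruption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the Win32 reason codes (real values: 1 and 0). */
#define DLL_PROCESS_ATTACH 1
#define DLL_PROCESS_DETACH 0

/* Constructed model of an activation-context handle: just a refcount. */
typedef struct {
    int refs;
} ActCtx;

static int g_release_calls;    /* total fake_ReleaseActCtx invocations    */
static int g_double_releases;  /* releases of a context already at zero  */
static ActCtx *g_last_alloc;   /* bookkeeping so the model leaks nothing */

/* Stand-in for GetCurrentActCtx: hands out a context holding one reference. */
static ActCtx *fake_GetCurrentActCtx(void)
{
    ActCtx *ctx = malloc(sizeof *ctx);
    if (ctx == NULL) abort();
    ctx->refs = 1;
    g_last_alloc = ctx;
    return ctx;
}

/* Stand-in for ReleaseActCtx. The real call frees the block when the last
 * reference drops; this model keeps the block alive so a second release can
 * be counted instead of silently corrupting the heap. NULL is treated as
 * "nothing to release" (a model choice, not a claim about the real API). */
static void fake_ReleaseActCtx(ActCtx *ctx)
{
    g_release_calls++;
    if (ctx == NULL) return;
    if (ctx->refs <= 0) {
        g_double_releases++;  /* the double free the post describes */
        return;
    }
    ctx->refs--;
}

static ActCtx *g_ctx;  /* the DLL's saved context, like a global in the DLL */

/* The pattern from the post: cleanup on failure, but the global still points
 * at the released context, so DLL_PROCESS_DETACH releases it a second time. */
static bool buggy_DllMain(int reason, bool fail_init)
{
    if (reason == DLL_PROCESS_ATTACH) {
        g_ctx = fake_GetCurrentActCtx();
        if (fail_init) {
            fake_ReleaseActCtx(g_ctx);  /* cleanup... */
            return false;               /* ...but g_ctx is left dangling */
        }
        return true;
    }
    if (reason == DLL_PROCESS_DETACH)
        fake_ReleaseActCtx(g_ctx);      /* runs again after a FALSE attach */
    return true;
}

/* Hardened form: every release clears the global, and DETACH releases only
 * what the DLL still owns, so the loader's extra DETACH is harmless. */
static bool fixed_DllMain(int reason, bool fail_init)
{
    if (reason == DLL_PROCESS_ATTACH) {
        g_ctx = fake_GetCurrentActCtx();
        if (fail_init) {
            fake_ReleaseActCtx(g_ctx);
            g_ctx = NULL;               /* nothing left for DETACH to touch */
            return false;
        }
        return true;
    }
    if (reason == DLL_PROCESS_DETACH && g_ctx != NULL) {
        fake_ReleaseActCtx(g_ctx);
        g_ctx = NULL;
    }
    return true;
}

/* Stand-in for the loader. A FALSE from DLL_PROCESS_ATTACH makes LoadLibrary
 * return NULL and the system immediately sends DLL_PROCESS_DETACH (the
 * documented behaviour quoted in the post); a successful load gets its DETACH
 * later from FreeLibrary. Either way DllMain sees DETACH exactly once.
 * Returns how many times an already-released context was released again. */
static int simulate(bool (*dllmain)(int, bool), bool fail_init)
{
    g_release_calls = 0;
    g_double_releases = 0;
    g_ctx = NULL;

    (void)dllmain(DLL_PROCESS_ATTACH, fail_init);
    (void)dllmain(DLL_PROCESS_DETACH, fail_init);

    free(g_last_alloc);  /* model bookkeeping only */
    g_last_alloc = NULL;
    g_ctx = NULL;
    return g_double_releases;
}

int main(void)
{
    printf("buggy DllMain, failed init: %d double release(s)\n",
           simulate(buggy_DllMain, true));
    printf("fixed DllMain, failed init: %d double release(s)\n",
           simulate(fixed_DllMain, true));
    printf("buggy DllMain, normal load: %d double release(s)\n",
           simulate(buggy_DllMain, false));
    return 0;
}
```

The point the model makes visible is that the failure path and the detach path share one owner variable: if the failure path does not clear it, the detach path cannot tell a failed initialization from a normal unload. Clearing the global at every release (or tracking an explicit "initialized" state) is the fix; a DllMain that returns FALSE should leave behind nothing that DLL_PROCESS_DETACH will try to free.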