quibble icon indicating copy to clipboard operation
quibble copied to clipboard

Published 20 hours ago verified publisher icon maharmstone

Efforts to boot Win10 22H2

Open mochaaP opened this issue 8 months ago • 17 comments

Tracker for booting 19045.4xxx builds:

  • [x] Could not read CM_KEY_INDEX_ROOT
  • [ ] Hang/crash on KiSystemStartup
  • [ ] ???
Could not read CM_KEY_INDEX_ROOT

hive->EnumKeys reports EFI_INVALID_PARAMETER: fixed

diff --git a/src/reg.cpp b/src/reg.cpp
index 693fdfa..7268db4 100644
--- a/src/reg.cpp
+++ b/src/reg.cpp
@@ -150,6 +150,7 @@ static EFI_STATUS EFIAPI enum_keys(EFI_REGISTRY_HIVE* This, HKEY Key, UINT32 Ind
     CM_KEY_NODE* nk;
     CM_KEY_FAST_INDEX* lh;
     CM_KEY_NODE* nk2;
+    UINT32 _idx = Index;
     bool overflow = false;
 
     // FIXME - make sure no buffer overruns (here and elsewhere)
@@ -189,18 +190,40 @@ static EFI_STATUS EFIAPI enum_keys(EFI_REGISTRY_HIVE* This, HKEY Key, UINT32 Ind
 
     lh = (CM_KEY_FAST_INDEX*)((uint8_t*)h->data + 0x1000 + nk->SubKeyList + sizeof(int32_t));
 
-    if (lh->Signature != CM_KEY_HASH_LEAF && lh->Signature != CM_KEY_FAST_LEAF)
+    if (lh->Signature == CM_KEY_INDEX_ROOT) {
+        CM_KEY_INDEX* ri = (CM_KEY_INDEX*)lh;
+
+        for (size_t i = 0; i < ri->Count; i++) {
+            CM_KEY_FAST_INDEX* _lh = (CM_KEY_FAST_INDEX*)((uint8_t*)h->data + 0x1000 + ri->List[i] + sizeof(int32_t));
+            if (_lh->Signature == CM_KEY_INDEX_ROOT) {
+                // Do not recurse: CVE-2021-3622.
+                print_string("Reading nested index is not implemented yet\n");
+                return EFI_INVALID_PARAMETER;
+            } else if (_lh->Signature != CM_KEY_HASH_LEAF && _lh->Signature != CM_KEY_FAST_LEAF) {
+                return EFI_INVALID_PARAMETER;
+            }
+
+            if (_lh->Count > _idx) {
+                lh = _lh;
+                break;
+            }
+
+            _idx -= _lh->Count;
+        }
+    }
+
+    else if (lh->Signature != CM_KEY_HASH_LEAF && lh->Signature != CM_KEY_FAST_LEAF)
         return EFI_INVALID_PARAMETER;
 
     if ((uint32_t)size < sizeof(int32_t) + offsetof(CM_KEY_FAST_INDEX, List[0]) + (lh->Count * sizeof(CM_INDEX)))
         return EFI_INVALID_PARAMETER;
 
-    if (Index >= lh->Count)
+    if (_idx >= lh->Count)
         return EFI_INVALID_PARAMETER;
 
     // find child key node
 
-    size = -*(int32_t*)((uint8_t*)h->data + 0x1000 + lh->List[Index].Cell);
+    size = -*(int32_t*)((uint8_t*)h->data + 0x1000 + lh->List[_idx].Cell);
 
     if (size < 0)
         return EFI_NOT_FOUND;
@@ -208,7 +231,7 @@ static EFI_STATUS EFIAPI enum_keys(EFI_REGISTRY_HIVE* This, HKEY Key, UINT32 Ind
     if ((uint32_t)size < sizeof(int32_t) + offsetof(CM_KEY_NODE, Name[0]))
         return EFI_INVALID_PARAMETER;
 
-    nk2 = (CM_KEY_NODE*)((uint8_t*)h->data + 0x1000 + lh->List[Index].Cell + sizeof(int32_t));
+    nk2 = (CM_KEY_NODE*)((uint8_t*)h->data + 0x1000 + lh->List[_idx].Cell + sizeof(int32_t));
 
     if (nk2->Signature != CM_KEY_NODE_SIGNATURE)
         return EFI_INVALID_PARAMETER;
Hang/crash on KiSystemStartup

Hang on debug builds, crash on release builds.

TODO: attach windbg / gdb to QEMU?

mochaaP avatar Jun 20 '24 17:06 mochaaP