I have long assumed that this bug had already been reported to Microsoft, since I encountered it in the past on multiple occasions. While looking through my records now, however, I am not so sure anymore, so I'm filing it in case MS decides to fix it.
It is a Denial of Service issue caused by an unhandled divide-by-zero exception triggered in the win32k.sys driver while processing malformed .FON fonts. We suspect feasible remote attack vectors might exist through GDI clients which pass non-validated fonts directly to the kernel for loading (Microsoft Office?). Most importantly, the crash is extremely easy to hit, which renders any dumb .FON fuzzing quite ineffective and may thus mask other, more serious vulnerabilities.
An example of a crash log excerpt generated after triggering the bug is shown below. The trap frame shows the faulting `idiv eax,esi` instruction in win32k!MAPPER::bNearMatch with esi=0, reached from user mode through the NtGdiGetFontUnicodeRanges system call:
--- cut ---
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000000, EXCEPTION_DIVIDED_BY_ZERO
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
------------------
BUGCHECK_STR: 0x7f_0
TRAP_FRAME: a5b59884 -- (.trap 0xffffffffa5b59884)
ErrCode = 00000000
eax=000000c8 ebx=a5b599a4 ecx=000000c8 edx=00000000 esi=00000000 edi=00000e3d
eip=821daf4f esp=a5b598f8 ebp=a5b59910 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
win32k!MAPPER::bNearMatch+0x964:
821daf4f f7fe idiv eax,esi
Resetting default scope
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: reproduction_h
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 828edd87 to 82889978
STACK_TEXT:
a5b5944c 828edd87 00000003 9ecd5d4e 00000065 nt!RtlpBreakWithStatusInstruction
a5b5949c 828ee885 00000003 821daf4f 00000000 nt!KiBugCheckDebugBreak+0x1c
a5b59864 8284cc1b 0000007f 00000000 00000000 nt!KeBugCheck2+0x68b
a5b59864 821daf4f 0000007f 00000000 00000000 nt!KiTrap00+0x8b
a5b59910 821db608 a5b5994c 00000000 fe931e04 win32k!MAPPER::bNearMatch+0x964
a5b59960 821db7a1 ffffffff 00000000 a5b59bb0 win32k!MAPPER::bFoundExactMatch+0x177
a5b59aa4 821d9e09 a5b59bdc fe995e98 fe995e54 win32k!ppfeGetAMatch+0xa3
a5b59b14 821f8563 a5b59bdc a5b59ba0 a5b59b7c win32k!LFONTOBJ::ppfeMapFont+0x26d
a5b59ba8 821f88d0 fe995d80 00000000 00000002 win32k!RFONTOBJ::bInit+0x1c2
a5b59bc0 822262d5 a5b59bdc 00000000 00000002 win32k!RFONTOBJ::vInit+0x16
a5b59bec 8222638e 00000000 00000000 27860d82 win32k!GreGetFontUnicodeRanges+0x2d
a5b59c24 8284bdc6 030104dd 00000000 0024f97c win32k!NtGdiGetFontUnicodeRanges+0x17
a5b59c24 77b86bf4 030104dd 00000000 0024f97c nt!KiSystemServicePostCall
0024f718 7609ffa0 00ae60e5 030104dd 00000000 ntdll!KiFastSystemCallRet
0024f71c 00ae60e5 030104dd 00000000 00000000 GDI32!NtGdiGetFontUnicodeRanges+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
0024f97c 00aeb66a 00000002 00466f60 00466fd8 reproduction_harness+0x60e5
0024f9c8 00aeb7bd 0024f9dc 77a6ef1c 7ffde000 reproduction_harness+0xb66a
0024f9d0 77a6ef1c 7ffde000 0024fa1c 77ba3648 reproduction_harness+0xb7bd
0024f9dc 77ba3648 7ffde000 77e845b6 00000000 kernel32!BaseThreadInitThunk+0xe
0024fa1c 77ba361b 00aeb7b0 7ffde000 00000000 ntdll!__RtlUserThreadStart+0x70
0024fa34 00000000 00aeb7b0 7ffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---
The issue reproduces on Windows 7 and 8.1. Attached is an archive with three proof-of-concept mutated .FON files, together with a corresponding crash log from Windows 7 32-bit. In order to reproduce the crash, it might be necessary to use a special program exercising all glyphs in the font.
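As an added defensive illustration (not part of the original report, and not a reproduction of the bug), the following Python validator parses the FONTINFO (FNT) header that a .FON file carries as RT_FONT resources and flags zero-valued metric fields. It assumes the Windows 3.x FNT layout from the SDK, and it assumes, without the report confirming which field is involved, that the zero divisor originates from one of the font's resolution or size metrics; the sample header it builds is constructed, not taken from the attached PoC files.

```python
import struct

# FONTINFO (FNT) header fields, Windows 3.x layout (offset, struct format).
# Assumption: these SDK-documented offsets; only size/metric fields are listed.
FNT_FIELDS = {
    "dfVersion":   (0,  "<H"),
    "dfSize":      (2,  "<I"),
    "dfPoints":    (68, "<H"),
    "dfVertRes":   (70, "<H"),
    "dfHorizRes":  (72, "<H"),
    "dfPixHeight": (88, "<H"),
    "dfAvgWidth":  (91, "<H"),
    "dfMaxWidth":  (93, "<H"),
    "dfFirstChar": (95, "<B"),
    "dfLastChar":  (96, "<B"),
}
FNT_V2_HEADER_LEN = 118
FNT_V3_HEADER_LEN = 148
# Natural divisors in resolution/size/width ratios; dfPixWidth is excluded
# because 0 is legitimate there for proportional fonts.
DIVISOR_FIELDS = ("dfPoints", "dfVertRes", "dfHorizRes",
                  "dfPixHeight", "dfAvgWidth", "dfMaxWidth")

def parse_fnt_header(data: bytes) -> dict:
    return {name: struct.unpack_from(fmt, data, off)[0]
            for name, (off, fmt) in FNT_FIELDS.items()}

def check_fnt(data: bytes) -> list:
    """Return a list of findings; an empty list means the header passed."""
    if len(data) < FNT_V2_HEADER_LEN:
        return ["truncated: shorter than a v2 FNT header"]
    hdr, findings = parse_fnt_header(data), []
    if hdr["dfVersion"] not in (0x200, 0x300):
        findings.append(f"unknown dfVersion 0x{hdr['dfVersion']:x}")
    if hdr["dfVersion"] == 0x300 and len(data) < FNT_V3_HEADER_LEN:
        findings.append("truncated: v3 header shorter than 148 bytes")
    if hdr["dfSize"] != len(data):
        findings.append(f"dfSize {hdr['dfSize']} != resource length {len(data)}")
    if hdr["dfFirstChar"] > hdr["dfLastChar"]:
        findings.append("dfFirstChar > dfLastChar")
    for name in DIVISOR_FIELDS:
        if hdr[name] == 0:
            findings.append(f"{name} is zero (zero divisor in a scaling ratio)")
    return findings

def build_sample_fnt(pix_height: int, avg_width: int) -> bytes:
    """Constructed minimal v2 FNT header for demonstration (not a real font)."""
    buf = bytearray(FNT_V2_HEADER_LEN)
    struct.pack_into("<H", buf, 0, 0x200)          # dfVersion
    struct.pack_into("<I", buf, 2, len(buf))       # dfSize
    struct.pack_into("<HHH", buf, 68, 10, 96, 96)  # dfPoints, dfVertRes, dfHorizRes
    struct.pack_into("<H", buf, 88, pix_height)    # dfPixHeight
    struct.pack_into("<HH", buf, 91, avg_width, 8) # dfAvgWidth, dfMaxWidth
    struct.pack_into("<BB", buf, 95, 0x20, 0x7e)   # dfFirstChar, dfLastChar
    return bytes(buf)
```

Running `check_fnt` over each RT_FONT resource before a font reaches AddFontResource is a cheap pre-filter for a fuzzing corpus, so that trivially malformed metrics do not mask deeper bugs as the report describes.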
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.