From 094cd203b66fb98b0b2eca7fbbb1417d6da6f1f1 Mon Sep 17 00:00:00 2001
From: Michael Bikovitsky
Date: Sun, 5 May 2019 09:59:52 +0300
Subject: [PATCH 1/2] Fix user data alignment in MEMBLOCK

Kernel memory allocations on Windows should be aligned on MEMORY_ALLOCATION_ALIGNMENT (16 bytes on x64 and 8 bytes on x86).
---
 contrib/windows_kernel/libc.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/contrib/windows_kernel/libc.cpp b/contrib/windows_kernel/libc.cpp
index b5b7d5dcc2..ac4a4eb9b3 100644
--- a/contrib/windows_kernel/libc.cpp
+++ b/contrib/windows_kernel/libc.cpp
@@ -20,6 +20,7 @@ struct MEMBLOCK
 size_t size;
 #pragma warning(push)
 #pragma warning (disable : 4200)
+ __declspec(align(MEMORY_ALLOCATION_ALIGNMENT))
 char data[0];
 #pragma warning(pop)
 };

From 16cdf957416b9594c289c25ca3e692c07d761c6e Mon Sep 17 00:00:00 2001
From: Michael Bikovitsky
Date: Wed, 8 May 2019 21:29:02 +0300
Subject: [PATCH 2/2] Fix user data alignment in CS_WINKERNEL_MEMBLOCK

---
 windows/winkernel_mm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/winkernel_mm.c b/windows/winkernel_mm.c
index ecdc1ca2d6..a9f87ce260 100644
--- a/windows/winkernel_mm.c
+++ b/windows/winkernel_mm.c
@@ -12,9 +12,9 @@ static const ULONG CS_WINKERNEL_POOL_TAG = 'kwsC';
 // A structure to implement realloc()
 typedef struct _CS_WINKERNEL_MEMBLOCK {
 size_t size; // A number of bytes allocated
- char data[1]; // An address returned to a caller
+ __declspec(align(MEMORY_ALLOCATION_ALIGNMENT))
+ char data[ANYSIZE_ARRAY]; // An address returned to a caller
 } CS_WINKERNEL_MEMBLOCK;
-C_ASSERT(sizeof(CS_WINKERNEL_MEMBLOCK) == sizeof(void *) * 2);
 
 
 // free()
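Review bot: Aligning `data` changes the MEMBLOCK header size on x64 from 8 to 16 bytes (the padding after `size` is now part of the header), but this patch touches only the struct, so whatever allocation arithmetic in libc.cpp derives the header size is not visible here and cannot be confirmed to follow suit; anything that computes it as `sizeof(size_t)` would now hand callers a pointer 8 bytes inside the header. Consider pinning the invariant the allocator must honour right after the struct: `static_assert(sizeof(MEMBLOCK) == offsetof(MEMBLOCK, data), "MEMBLOCK header size must equal offsetof(data)");`, which holds for a zero-length `data` on both x86 and x64. A comment on the new line such as `// keeps the user pointer on MEMORY_ALLOCATION_ALIGNMENT, provided the block base is itself so aligned` would also record that the declspec only fixes the offset within the block; the base alignment comes from the kernel allocator, which this hunk does not show. The definition of struct MEMBLOCK begins outside the hunk.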
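Review bot: Dropping `C_ASSERT(sizeof(CS_WINKERNEL_MEMBLOCK) == sizeof(void *) * 2);` leaves no compile-time check on the header layout at all; the old assertion had to go because an aligned one-element `data` pads `sizeof` past the header, but the property the allocator now relies on — the user pointer landing on MEMORY_ALLOCATION_ALIGNMENT — can still be asserted. Replace the line rather than delete it: `C_ASSERT(FIELD_OFFSET(CS_WINKERNEL_MEMBLOCK, data) % MEMORY_ALLOCATION_ALIGNMENT == 0);`, which also documents for future readers why size computations in this file must use `FIELD_OFFSET(..., data)` and never `sizeof`. The alignment of the returned pointer is only as good as the pool base, so a comment on `data` stating that the allocator is assumed to return MEMORY_ALLOCATION_ALIGNMENT-aligned blocks would complete the picture; that assumption is not visible in this hunk.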
@@ -39,7 +39,7 @@ void * CAPSTONE_API cs_winkernel_malloc(size_t size)
 // A specially crafted size value can trigger the overflow.
 // If the sum in a value that overflows or underflows the capacity of the type,
 // the function returns NULL.
- if (!NT_SUCCESS(RtlSizeTAdd(size, sizeof(CS_WINKERNEL_MEMBLOCK), &number_of_bytes))) {
+ if (!NT_SUCCESS(RtlSizeTAdd(size, FIELD_OFFSET(CS_WINKERNEL_MEMBLOCK, data), &number_of_bytes))) {
 return NULL;
 }
 block = (CS_WINKERNEL_MEMBLOCK *)ExAllocatePoolWithTag(
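Review bot: The switch from `sizeof(CS_WINKERNEL_MEMBLOCK)` to `FIELD_OFFSET(CS_WINKERNEL_MEMBLOCK, data)` is the right header size now that `data` is aligned, but the reason is not stated anywhere in the hunk, and a later reader could "simplify" it back to `sizeof`, which is no longer the header size once the aligned one-element member pads the struct. Add a comment above the new `if`: `// Header size is FIELD_OFFSET(data), not sizeof(): the aligned flexible member pads sizeof() past the header.` The existing comment's "If the sum in a value that overflows" reads as a typo for "is a value", worth fixing while the line is being touched. The body of cs_winkernel_malloc continues past the hunk, so whether the ExAllocatePoolWithTag result is NULL-checked before `block` is used cannot be confirmed here.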