DOS ain't dead

GPF's | buggy thing | "CreateProcessA" | ZERO'izing FS (DOSX)

posted by Japheth, Germany (South), 28.12.2009, 16:37

> I wrote:
>
> > After "some" usage of LoadLibraryA (and a few other), a GPF
>
> ... maybe LoadLibraryA is not that badly needed to exploit this bug
> ... more likely CreateProcessA is the source of evil:
>
> - It uses FS. Regrettably it also ZERO'izes it after usage so one call is
> fine but the next one causes the GPF : "ip = Module 'kernel32.dll'+3084"
> If I preserve FS, the problem is fixed ... almost
>
> - now I can use CreateProcessA more than 1 time. But after 46 calls
> it GPF's again "ip = Module 'kernel32.dll'+243C" - same GPF on same
> instruction in other place inside DKRNL32, FS==0 :-(

There was a change in DPMILD32 v3.3.0: FS register is no longer used/modified.

Since OTOH the values of all segment registers are saved & restored when the DPMI-client switches to real-mode, the only case where FS might be changed outside of DKRNL32 is when another PE application is run in the very same client. Is this true here?

---
MS-DOS forever!
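The failure mode discussed in this thread (CreateProcessA clearing FS, so the second call faults) can be checked and worked around from the calling program. The following MASM/JWasm code is an added example, not code from the original post, from DKRNL32 or from the HX project: it assumes a 32-bit flat STDCALL PE that imports from kernel32, and `child.exe` is a constructed placeholder command line. `FsZeroedByCall` makes one raw CreateProcessA call and reports whether FS came back zero, and `SafeCreateProcess` is a wrapper that saves and restores FS around the call, which is the workaround the quoted post describes.

```asm
; Added example (not from the original post or the HX/DKRNL32 sources).
; Assumes: 32-bit flat PE, STDCALL, kernel32 imports resolved by the DPMI
; client's Win32 emulation. "child.exe" is a constructed placeholder.
.386
.model flat, stdcall
option casemap:none

STD_OUTPUT_HANDLE equ -11

CreateProcessA proto :dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword
CloseHandle    proto :dword
GetStdHandle   proto :dword
WriteFile      proto :dword,:dword,:dword,:dword,:dword
ExitProcess    proto :dword

STARTUPINFOA struct
  cb        dd ?
  reserved  db 64 dup (?)     ; remaining fields unused here; struct is 68 bytes
STARTUPINFOA ends

PROCESS_INFORMATION struct
  hProcess    dd ?
  hThread     dd ?
  dwProcessId dd ?
  dwThreadId  dd ?
PROCESS_INFORMATION ends

.data
szCmd   db "child.exe",0                               ; constructed placeholder
szZero  db "FS was zeroed by CreateProcessA",13,10,0
szOk    db "FS unchanged after CreateProcessA",13,10,0
sInfo   STARTUPINFOA <sizeof STARTUPINFOA>
pInfo   PROCESS_INFORMATION <>

.data?
fsBefore dw ?
fsAfter  dw ?
written  dd ?

.code

; SafeCreateProcess: same arguments as CreateProcessA, but FS is pushed before
; the call and popped afterwards, so a callee that clears FS cannot leave the
; caller with FS==0 for the next API call.
SafeCreateProcess proc pApp:dword, pCmd:dword, pPA:dword, pTA:dword, bInh:dword, dwFlags:dword, pEnv:dword, pDir:dword, pSI:dword, pPI:dword
    push fs
    invoke CreateProcessA, pApp, pCmd, pPA, pTA, bInh, dwFlags, pEnv, pDir, pSI, pPI
    pop fs
    ret
SafeCreateProcess endp

; FsZeroedByCall: one raw CreateProcessA call with no FS preservation.
; Returns EAX=1 if FS was non-zero before and zero afterwards, else EAX=0.
; FS is restored before returning so the caller can continue safely.
FsZeroedByCall proc
    mov ax, fs
    mov fsBefore, ax
    push fs
    invoke CreateProcessA, 0, offset szCmd, 0, 0, 0, 0, 0, 0, offset sInfo, offset pInfo
    mov ecx, eax                ; keep the API return value
    mov ax, fs
    mov fsAfter, ax             ; sample FS as the callee left it
    pop fs
    .if ecx                     ; creation succeeded: release the handles
        invoke CloseHandle, pInfo.hProcess
        invoke CloseHandle, pInfo.hThread
    .endif
    xor eax, eax
    .if fsBefore != 0 && fsAfter == 0
        inc eax
    .endif
    ret
FsZeroedByCall endp

start:
    invoke FsZeroedByCall
    .if eax
        mov esi, offset szZero
        mov edi, sizeof szZero - 1
    .else
        mov esi, offset szOk
        mov edi, sizeof szOk - 1
    .endif
    invoke GetStdHandle, STD_OUTPUT_HANDLE
    invoke WriteFile, eax, esi, edi, offset written, 0
    ; Second launch through the wrapper: with FS preserved this is the call
    ; that would otherwise hit the GPF described in the thread.
    invoke SafeCreateProcess, 0, offset szCmd, 0, 0, 0, 0, 0, 0, offset sInfo, offset pInfo
    .if eax
        invoke CloseHandle, pInfo.hProcess
        invoke CloseHandle, pInfo.hThread
    .endif
    invoke ExitProcess, 0
end start
```

The diagnostic only tells you whether the first call cleared FS; it does not say who cleared it, which is the question raised in the reply (DKRNL32 itself, or another PE application running in the same DPMI client). If the message reports FS unchanged under DPMILD32 v3.3.0 or later, the remaining suspect is the second PE application rather than the loader.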
