
Posted (edited)

Hello Windows 2000/XP fans,
While I was working on a graphics driver, I noticed random crashes (blue screens) which were hard to reproduce. They don't happen often, but when using a display mode with 16 colors (for example 640x480x16 colors) they seem to happen more often than with other color depths.

Eventually I was able to narrow down the problem and came to the conclusion that the root cause is a buffer overrun in the function "CreateXlateObject" in the file "win32k.sys". This buffer overrun sometimes caused a random crash. In most cases it happened within win32k.sys.

I observed that this issue is not fixed even in the newest version of win32k.sys from a Windows 2000 update from April 2016. An old version of win32k.sys from Windows XP has the same problem. I don't know which Windows XP update contains the newest version of win32k.sys for Windows XP, so I could not validate whether this issue was ever fixed - and if so: how.

So I thought about what to do and came up with the idea to write a Windows update of my own to fix this bug.

So far I gathered necessary information and wrote a help file which contains most of what I know about the nature of this issue and how it can be fixed:
OTSKB.chm

There is some more auxiliary information available, which I do not plan to distribute among end users:
code.htm

Eventually, I fixed the win32k.sys from Windows 2000 manually with a hex editor to test the proposed solution:
5.00.2196.0001.zip

The update, which would do this automatically and then install the new file automatically, is not written yet.

I would appreciate some feedback before I continue writing the update. Please let me know what you think. Maybe I just got it all wrong, don't know.

Edited by Start Me Up
links were not clickable

Posted (edited)
On 4/28/2025 at 3:21 AM, Start Me Up said:

Hello Windows 2000/XP fans,
While I was working on a graphics driver, I noticed random crashes (blue screens) which were hard to reproduce. They don't happen often, but when using a display mode with 16 colors (for example 640x480x16 colors) they seem to happen more often than with other color depths.

Eventually I was able to narrow down the problem and came to the conclusion that the root cause is a buffer overrun in the function "CreateXlateObject" in the file "win32k.sys". This buffer overrun sometimes caused a random crash. In most cases it happened within win32k.sys.

I observed that this issue is not fixed even in the newest version of win32k.sys from a Windows 2000 update from April 2016. An old version of win32k.sys from Windows XP has the same problem. I don't know which Windows XP update contains the newest version of win32k.sys for Windows XP, so I could not validate whether this issue was ever fixed - and if so: how.

So I thought about what to do and came up with the idea to write a Windows update of my own to fix this bug.

So far I gathered necessary information and wrote a help file which contains most of what I know about the nature of this issue and how it can be fixed:
OTSKB.chm

There is some more auxiliary information available, which I do not plan to distribute among end users:
code.htm

Eventually, I fixed the win32k.sys from Windows 2000 manually with a hex editor to test the proposed solution:
5.00.2196.0001.zip

The update, which would do this automatically and then install the new file automatically, is not written yet. However, this test win32k.sys can be manually installed with the instructions in the help file.

I would appreciate some feedback before I continue writing the update. Please let me know what you think. Maybe I just got it all wrong, don't know.

You are on the right track, keep going. Edit: I notice also that OTSKB.chm in Windows 10 requires right click >> properties >> unblock to show the contents.

Edited by windows2
Posted (edited)
On 4/28/2025 at 11:33 PM, windows2 said:

I notice also that OTSKB.chm in Windows 10 requires right click >> properties >> unblock to show the contents.

Thanks for the feedback. I read that this happens when the file is stored on a network drive or opened with a UNC path, but it is supposed to work from a local disc.

Anyway, it's just a few htm files and 1 css file compressed into a single chm file. It doesn't even contain JavaScript or anything fancy.

Todo: New Damage X (新DamageX) pointed out that this issue could be related to ZDI-19-982. If this is true, then someone has found a way to exploit this issue to compromise security. Also, it would mean that there might be an official bug fix for newer versions of Windows out there which can be analysed to improve this update. I will check this soon.

Edit: ZDI-19-982 leads to KB4525239

Edited by Start Me Up
Posted (edited)

There is some news on this topic.

-------

The list of affected operating systems is now available in the help file:

affected_operating_systems.png

-------

I created the first prototype of an updater. It is capable of installing a new version of win32k.sys and deinstalling it again:

updater.png

It comes in 24 languages, however, the end user will only see the language of the installed operating system.

-------

First tests with the version 5.00.2196.0001V1 have shown that the proposed solution is flawed. I documented my findings in the help file in the topic "version history" in the subtopic "version 1".

-------

I have extracted 3 versions of win32k.sys from Windows Server 2008:

-------

My new suggestion would be to do a side-by-side comparison to figure out how Microsoft fixed this issue. There is a new version of code.htm online with some space to document the analysis. However, the cells are still empty.

-------

That's all I got so far.

Edited by Start Me Up
Start Me Up changed the title to: request for comments: bug fix for win32k.sys/CreateXlateObject
