nt!NtQueryInformationProcess System Call Discloses Uninitialized Kernel Memory
The nt!NtQueryInformationProcess system call invoked with the ProcessImageFileName (0x1B) information class discloses uninitialized kernel memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. According to the ZwQueryInformationProcess function documentation, the ProcessImageFileName information class returns a UNICODE_STRING structure containing the name of the image file for the specific process. On x64 builds, the compiler introduces 4 bytes of padding between the 'MaximumLength' and 'Buffer' fields, in order to align the 'Buffer' pointer to an 8-byte boundary. These padding bytes are never initialized in the kernel's local copy of the structure, and so they are returned to the user-mode caller in this form. The problem is best illustrated by running the attached proof-of-concept program, which invokes the nt!NtQuerySystemInformation syscall with the affected information class and prints the contents of the output buffer on the screen.