Windows 21H1 kernel memory leak in RtlCheckTokenCapability

Huoji 1 Reputation point
2021-10-14T07:36:16.287+00:00

Call stack:
3: kd> k

Child-SP RetAddr Call Site

00 ffffef85756fed10 fffff802441b51c4 nt!ExAllocateHeapPool+0x1b1381
01 ffffef85756fee50 fffff80243e9502c nt!ExAllocatePoolWithTag+0x64
02 ffffef85756feea0 fffff80243d83204 nt!SeQueryInformationToken+0xdc
03 ffffef85756fefd0 fffff80244112a29 nt!RtlCheckTokenCapability+0x194
04 ffffef85756ff2e0 ffffaa93883d46f9 nt!RtlCapabilityCheck+0x329
05 ffffef85756ff450 ffffaa938877ea62 win32kbase!NtDCompositionCommitSynchronizationObject+0x59
06 ffffef85756ff490 fffff80243c0a8b5 win32k!NtDCompositionCommitSynchronizationObject+0x16
07 ffffef85756ff4c0 00007ff7f8f94299 nt!KiSystemServiceCopyEnd+0x25
08 000000de7e1ff288 00007ff7f8f915ed NtCall64+0x4299
09 000000de7e1ff290 00007ff7f8f919ab NtCall64+0x15ed
0a 000000de7e1ffbe0 00007ffdf2767034 NtCall64+0x19ab
0b 000000de7e1ffc10 00007ffdf3022651 KERNEL32!BaseThreadInitThunk+0x14
0c 000000de7e1ffc40 0000000000000000 ntdll!RtlUserThreadStart+0x21

In RtlCheckTokenCapability, this function calls SeQueryInformationToken to get the process token, but it does not free the pool memory that SeQueryInformationToken allocates:
MSDN (screenshot: 8.png)
At present (screenshot: 7.png)

PoC of this memory leak (screenshot: 9.png)

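A way to confirm a paged-pool leak of the kind described in the post from user mode, without a kernel debugger: sample the Pool Paged Bytes performance counter before, during and after a PoC process runs, and check that the growth survives process exit (allocations a terminating process owns are released; pool leaked by the kernel on its behalf is not). This is an added example and is not the original poster's PoC; the PoC binary path and its behaviour (a loop over the leaking syscall that exits on its own) are hypothetical assumptions, and the script only measures what the PoC does.

```powershell
# Added example, not part of the original post. Measures kernel paged-pool growth
# while a user-mode PoC hammers the leaking syscall path, then checks whether the
# growth persists after the PoC exits. Run from an elevated prompt on the build
# under test and, for comparison, on a build where the path is known to be fixed.
#
# Assumptions (hypothetical): .\poc.exe is a console program that calls
# NtDCompositionCommitSynchronizationObject in a loop and exits by itself.
param(
    [string]$PocPath = '.\poc.exe',   # hypothetical PoC binary, not supplied here
    [int]$Samples = 10,
    [int]$IntervalSeconds = 5
)

function Get-PagedPoolBytes {
    # \Memory\Pool Paged Bytes is the standard counter for kernel paged-pool usage.
    # SeQueryInformationToken allocates from paged pool, so that is the pool to watch.
    (Get-Counter '\Memory\Pool Paged Bytes').CounterSamples[0].CookedValue
}

$baseline = Get-PagedPoolBytes
Write-Host ("Baseline paged pool : {0:N0} bytes" -f $baseline)

$proc = Start-Process -FilePath $PocPath -PassThru

# Sample while the PoC runs; a steady climb that never drops is the leak signature.
$readings = @()
for ($i = 0; $i -lt $Samples -and -not $proc.HasExited; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    $now = Get-PagedPoolBytes
    $readings += $now
    Write-Host ("t+{0,4}s paged pool: {1:N0} bytes (delta {2:N0})" -f (($i + 1) * $IntervalSeconds), $now, ($now - $baseline))
}

if (-not $proc.HasExited) { Stop-Process -Id $proc.Id -Force }
$proc.WaitForExit()

# Give the kernel a moment to tear down the process, then re-measure. Anything a
# process legitimately owned (its token, handles, working set) is gone by now.
Start-Sleep -Seconds $IntervalSeconds
$after = Get-PagedPoolBytes
$retained = $after - $baseline

$monotonic = $true
for ($i = 1; $i -lt $readings.Count; $i++) {
    if ($readings[$i] -lt $readings[$i - 1]) { $monotonic = $false }
}

Write-Host ("After PoC exit      : {0:N0} bytes (retained {1:N0})" -f $after, $retained)
if ($monotonic -and $retained -gt 0) {
    Write-Host "Paged pool grew while the PoC ran and did not return after it exited: consistent with a kernel-side leak."
} else {
    Write-Host "No persistent paged-pool growth observed; the PoC did not reproduce a leak on this build."
}
```

Run it on a quiet machine so that unrelated paged-pool churn does not mask the signal, and repeat with a larger iteration count in the PoC if the per-call allocation is small. To attribute the retained bytes to a specific pool tag, the same run can be watched with poolmon.exe (sorted by paged-pool bytes) or, on the kernel debugger, with `!poolused 2` before and after; the tag that grows is the one the unfreed SeQueryInformationToken buffer carries.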

1 answer

  1. Xiaopo Yang - MSFT 11,256 Reputation points Microsoft Vendor
    2021-10-18T02:17:09.923+00:00

    You can issue a bug through Windows Feedback Hub.
