QQMedia Hub

Analysis: The Cause Behind Crowdstrike's Meltdown Today
20 Jul 2024 Admin

Crowdstrike's recent meltdown has the signature of a NULL pointer dereference, a class of bug that a memory-unsafe language such as C++ will happily compile and that only shows up when the code runs.

In computers, memory is organized as a large array of bytes, each with a numeric address that is usually written in hexadecimal (base 16) for convenience. The crash dump shows the driver attempting to read memory address 0x9c (156 in decimal), and that tiny number is the whole story.

Why is This Problematic?

Address 0x9c lies in the lowest 64 KB of the address space, which Windows deliberately leaves unmapped for every process precisely so that NULL pointer dereferences fault loudly instead of silently reading whatever happens to be there. The read therefore raises a page fault that the CPU hands to Windows, and because the faulting code was a kernel-mode driver, Windows stops the machine and writes out the crash dump (the stack trace) that was observed.

The Root Cause: Programmer Error

Crowdstrike uses C++, in which address 0x0, the NULL pointer (`nullptr` in modern C++), is the conventional value meaning "there is nothing here." Nothing in the language stops you from dereferencing it; the programmer is expected to check for NULL before using a pointer that might not point at anything.
For example:
std::string* p = get_name();
if (p == NULL) {   // the check that must come before any use of *p or p->...
    std::puts("Could not get name");
}
In this snippet, `std::string*` is a pointer to the start of a string object. If it is NULL, there is no object behind it, and any attempt to read through it reads from address 0 plus the offset of whatever field was requested.

Understanding Pointers and Addresses

Consider a generic object:
struct Obj { int a; int b; };
Obj* obj = new Obj();
Suppose `new` returns the address 0x9030. Each `int` occupies 4 bytes and the first member sits at the very start of the object, so:
  • `obj` is 0x9030
  • `obj->a` is 0x9030 + 0x0
  • `obj->b` is 0x9030 + 0x4
Now, if the pointer is NULL:
Obj* obj = NULL;
The same arithmetic gives:
  • `obj` is 0
  • `obj->a` is 0 + 0
  • `obj->b` is 0 + 4
Accessing `obj->b` through a NULL `obj` makes the program read address 4, which is never mapped, so the access faults and the crash dump is produced. Applying the same reasoning to the Crowdstrike dump: a read of address 0x9c (156) is exactly what you get when code dereferences a field that lives 0x9c bytes into a structure whose base pointer was NULL, i.e. 0 + 0x9c.
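To make the offset arithmetic above and the NULL check from the previous section concrete, here is an added example in C++ (my own illustration, not code from the original post or from Crowdstrike). It uses `offsetof` to confirm the page's `Obj` layout, defines a constructed `Record` type with a field placed at offset 0x9c so that the faulting address can be reproduced from a NULL base without ever dereferencing it, shows the guarded read that would have avoided the fault, and adds a small dump-triage helper that maps a low faulting address back to a field name. `Record`, its field names and the `kRecordFields` table are assumptions for illustration; the real driver's structure is not known from the dump. The 64 KB rule used by `field_at_fault` is Windows behaviour: the lowest 64 KB of address space is never mapped.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// The page's two-field object: both members are 4-byte ints, so `a` sits at
// offset 0 and `b` at offset 4 (standard-layout struct, no padding needed).
struct Obj { int a; int b; };

// Hypothetical layout standing in for the driver's real structure (constructed):
// 156 bytes of earlier fields, then a 4-byte field that lands at offset 0x9c.
struct Record {
    unsigned char earlier[0x9c];
    uint32_t flags;   // offsetof(Record, flags) == 0x9c
};

// Constructed field table for Record. Real triage would take these from the
// driver's symbols rather than hard-coding them.
struct Field { const char* name; size_t offset; };
static const Field kRecordFields[] = {
    {"earlier", offsetof(Record, earlier)},
    {"flags",   offsetof(Record, flags)},
};

// Address that `p->flags` would touch, computed with plain integer arithmetic
// so a NULL base can be examined without actually dereferencing it.
uintptr_t address_of_flags(const Record* p) {
    return reinterpret_cast<uintptr_t>(p) + offsetof(Record, flags);
}

// The guarded read: refuse a NULL base instead of faulting on address 0x9c.
bool read_flags(const Record* p, uint32_t* out) {
    if (p == nullptr) return false;   // the NULL check the page calls for
    *out = p->flags;
    return true;
}

// Crash-dump triage: Windows never maps the lowest 64 KB, so a faulting
// address below 0x10000 is the classic "NULL pointer plus field offset"
// signature. Returns the field at that offset, or nullptr if the address does
// not fit the pattern or matches no known field.
const char* field_at_fault(uintptr_t fault_addr) {
    const uintptr_t kLowestMappable = 0x10000;
    if (fault_addr >= kLowestMappable) return nullptr;
    for (const Field& f : kRecordFields)
        if (f.offset == fault_addr) return f.name;
    return nullptr;
}

int main() {
    std::printf("Obj::a at %zu, Obj::b at %zu\n", offsetof(Obj, a), offsetof(Obj, b));
    std::printf("NULL->flags would read address 0x%llx\n",
                static_cast<unsigned long long>(address_of_flags(nullptr)));
    uint32_t v = 0;
    std::printf("guarded read on NULL: %s\n", read_flags(nullptr, &v) ? "ok" : "refused");
    const char* f = field_at_fault(0x9c);
    std::printf("fault at 0x9c looks like NULL->%s\n", f ? f : "(unknown)");
    return 0;
}
```

Running the block prints that `Obj::b` sits at offset 4, that `NULL->flags` would touch 0x9c, and that the guarded read refuses a NULL base instead of faulting. The same computation works in reverse during incident triage: any faulting address below 0x10000 should be compared against the structure layouts of the crashing module before looking for more exotic explanations.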

Impact of the Error

This particular error occurred in a kernel-mode driver, code that runs with the same privileges as the operating system itself. When an ordinary application dereferences NULL, Windows simply terminates that one process and everything else carries on. A fault inside the kernel is different: Windows can no longer trust the state of its own data structures, so rather than risk corrupting disks or memory it halts immediately with a bug check, the infamous blue screen of death (BSOD). The same one-line bug that would crash a single program therefore takes down the entire computer.

Prevention

A NULL check before the dereference, or a pointer type or static-analysis tool that refuses to compile an unchecked dereference, would have caught this before it shipped. Instead the defect reached production and was delivered by an update that Crowdstrike pushed automatically to every sensor, which is why the failure was so widespread and so nearly simultaneous.
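The two prevention ideas above, the explicit check and "modern tools", can be shown side by side. The following added example (my own code, not Crowdstrike's and not from the original post) reworks the page's `get_name()` so the caller cannot forget the check: it returns `std::optional` instead of a nullable pointer, and a small `NotNull` wrapper makes a function's "this pointer is never NULL" contract part of its signature. `kNames`, `describe` and `name_length` are constructed for illustration. Note the caveat that this is user-mode C++; a Windows kernel driver cannot use exceptions or most of the standard library, so there the equivalent is a hand-written check plus an annotated or analyzer-enforced contract.

```cpp
#include <cstddef>
#include <map>
#include <optional>
#include <stdexcept>
#include <string>

// Constructed lookup table standing in for whatever get_name() really consults.
static const std::map<int, std::string> kNames = {{1, "alice"}, {2, "bob"}};

// Instead of returning a raw pointer that may be NULL, return std::optional:
// the caller must unwrap it, so the "is there a value?" check cannot be skipped
// by accident the way a pointer check can.
std::optional<std::string> get_name(int id) {
    auto it = kNames.find(id);
    if (it == kNames.end()) return std::nullopt;
    return it->second;
}

// A pointer wrapper that can only be built from a non-null pointer. Functions
// that take NotNull<T> never need their own NULL check, and the check happens
// once, at the boundary, where a failure is reported instead of faulting.
template <typename T>
class NotNull {
public:
    explicit NotNull(T* p) : p_(p) {
        if (p == nullptr) throw std::invalid_argument("NotNull given NULL");
    }
    T* get() const { return p_; }
    T& operator*() const { return *p_; }
    T* operator->() const { return p_; }
private:
    T* p_;
};

// Caller of the optional-returning API: the `if` is the NULL check, but here
// the compiler will not let us read the string without going through it.
std::string describe(int id) {
    if (auto name = get_name(id)) return "user " + *name;
    return "unknown user";
}

// Callee with a NotNull parameter: dereferences freely, because a NULL can
// never reach this line.
size_t name_length(NotNull<const std::string> s) { return s->size(); }

// Demonstrates that the NULL is rejected at construction rather than on use.
bool try_not_null_from_null() {
    try {
        NotNull<const std::string> n(nullptr);
        (void)n;
        return false;   // unreachable: construction must throw
    } catch (const std::invalid_argument&) {
        return true;
    }
}
```

For code that must keep raw pointers, the other "modern tool" worth running in CI is the compiler's own instrumentation: building the test suite with `-fsanitize=undefined` makes a NULL dereference abort with a diagnostic at the exact line, rather than surfacing as a faulting address in a customer's crash dump.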