Code Block 4: FSRegObject::Release can be called twice from FSRendezvousServer::Close

In general, more dereferences than there are references on an object is not the only way a use-after-free can occur. However, in this case, we can be sure that if an FSRegObject has been freed, its reference count has dropped to zero. The last time a valid FSRegObject is accessed during the IRP_MJ_CLEANUP/CLOSE IRP requests is in a call to FSRegObject::Release. So, if a use-after-free is possible, a call to FSRegObject::Release will always occur after the object has already been freed, and during that call the object will be dereferenced once more. For that reason, counting the number of dereferences is a good heuristic for finding use-after-frees in this particular case.
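As an added illustration (not code from the post or from the driver), here is a minimal model of the reference counting the heuristic relies on, with hypothetical names: RegObject stands in for FSRegObject, simulate_close for the CLEANUP/CLOSE handling, and the model keeps the object's storage alive so a Release on an already "freed" object can be observed instead of corrupting memory.

```cpp
#include <cstddef>

// Instrumented intrusive reference count: besides the live count it records
// every AddRef/Release so the "more releases than references" heuristic can
// be evaluated after a request sequence has completed.
struct RefStats {
    std::size_t addrefs = 0;     // AddRef calls observed (incl. creation ref)
    std::size_t releases = 0;    // Release calls observed
    bool freed = false;          // reference count reached zero
    bool use_after_free = false; // a Release reached the object after free
};

class RegObject {  // hypothetical stand-in for FSRegObject
public:
    explicit RegObject(RefStats* s) : stats_(s), refcount_(1) { ++s->addrefs; }
    void AddRef() { ++refcount_; ++stats_->addrefs; }
    // Returns true when this call dropped the count to zero (object freed).
    bool Release() {
        ++stats_->releases;
        if (stats_->freed) { stats_->use_after_free = true; return false; }
        if (--refcount_ == 0) { stats_->freed = true; return true; }
        return false;
    }
private:
    RefStats* stats_;
    long refcount_;
};

// Constructed model of the IRP_MJ_CLEANUP / IRP_MJ_CLOSE path: the lookup
// takes a reference, the handler drops it, and Close drops the creation
// reference. `release_twice_in_close` reproduces the double Release the
// post describes for FSRendezvousServer::Close.
RefStats simulate_close(bool release_twice_in_close) {
    RefStats stats;
    RegObject obj(&stats);                      // refcount 1 (creation reference)
    obj.AddRef();                               // lookup by the cleanup handler
    obj.Release();                              // cleanup handler done with it
    obj.Release();                              // Close drops creation ref -> freed
    if (release_twice_in_close) obj.Release();  // second Release on freed object
    return stats;
}

// The heuristic from the post: releases exceeding references means some
// Release ran after the count hit zero, i.e. on freed memory.
bool heuristic_flags_uaf(const RefStats& s) { return s.releases > s.addrefs; }
```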

The only thing left to do was to trace out the possible states of the program, taking note of when the object is freed and accessed. I did this by mentally emulating the program logic during IRP_MJ_CLEANUP/CLOSE requests, each beginning with the corresponding Dispatch functions (Code Block 2), for each of the possible cases.