Liberation fonts causing Windows 7 SP1 to BSOD - chris_wot
https://bugs.freedesktop.org/show_bug.cgi?id=62764

======
tobiasu
Why does Windows render(?) glyphs in the kernel? What's the technical
justification for doing something this complex and error-prone in kernel
space?

Btw, this attachment seems to contain the real meat (STACK TEXT):
<https://bugs.freedesktop.org/attachment.cgi?id=77055>

~~~
jrabone
Some of the Win32 GDI functions have been kernel-mode since NT4 for
performance reasons (closer to the graphics driver).

As for the font problem, the on-going saga of KB2753842 may be to blame:
<http://support.microsoft.com/kb/2753842>

It looks like MS have had a few attempts at tightening up the potential for
security exploits caused by executing what can effectively be untrusted code
(the glyph program) in kernel space. This is why fonts are considered system
components - they are code, not data, executing on a VM.

If you like MS conspiracy theories of course, you can pretend that it's a
deliberate ploy to break LibreOffice, but personally I think that's tin-foil
hat territory. Most likely there's a bug in the GDI code triggered by an
unusual glyph in the font (perhaps in turn generated by a bug in whatever font
design software was used). Complexity + poor choice of performance
optimisation = fail. At least the kernel bug check is working as designed - if
only all OSes were so robust in the face of memory corruption.

~~~
wbl
We have a crash caused by memory writes in the kernel. What part of this
doesn't suggest kernel mode exploitation via a cleverly-crafted font that can
be embedded into a web page or PDF? Font bugs should result in errors, not
BSODs. Untrusted code on a VM is easy to secure: make the VM do nothing more
than draw some glyphs, and check every access!

~~~
yuhong
Assuming the rest of the code is perfect. Remember Duqu?

------
chris_wot
I should note that I had the darndest time trying to install the Windows
debugging tools on my laptop - not least because I believe that Windows caches
all the fonts and was bug checking every time I did so.

Eventually, I discovered someone else had repackaged them here:
<http://www.codemachine.com/resources.html> Thanks, whoever that person is!

~~~
hp50g
Google windows SDK. Download, install. Sorted. What's hard about that?

~~~
chris_wot
Your assumptions make you look foolish. I did indeed Google for the installer,
I then attempted to install it. Here's where the difficulties were:

Firstly, it's massive. Recall that I said that every 45 minutes or so my
laptop would BSOD. Secondly, when I tried to install it the install failed
with obscure Windows installer errors.

~~~
hp50g
I've installed it hundreds of times with no problems. It's also not huge - it
only downloads the parts you need, which includes just the debuggers if you
want.

What obscure msi errors?

Just to add, when windows crashes it leaves a minidump on disk. Usual practice
is to get this on another host and debug there. If you're out or away from
such a facility, that's what system restore is for.

~~~
chris_wot
Thanks for the lecture. System restore, for a variety of reasons, wasn't going
to help me here. I was able to troubleshoot and restore my system to normal
without system restore. Not to mention had I installed LibreOffice again, the
issue would have reappeared - system restore would not have helped.

------
chris_wot
Looks like an issue for Mathematica users also:

[http://mathematica.stackexchange.com/questions/15456/version...](http://mathematica.stackexchange.com/questions/15456/version-9-blue-screen-or-self-test-error-on-windows-7-64-bit)

Mathematica even had to release an update for it:

<http://support.wolfram.com/kb/11160>

~~~
sblom
I don't know that they _had_ to release an update, but as a Mathematica user
who was seeing WordPad (yes, WordPad) bluescreen my computer, I was really
happy that Wolfram fixed it for me so I didn't have to wait for Windows to.

~~~
yuhong
Hope they also reported the BSoDing fonts to MSRC too.

------
sp332
Can a malicious (or unfortunate) webpage bluescreen your computer, just by
serving this font as a web-font to render a page?

~~~
chris_wot
I've considered this. I don't believe that Microsoft loads ttf fonts directly
from webpages. I also don't believe that IE uses the Win32 API for font
rendering, but uses its own engine.

Someone may want to correct me on these points!

~~~
yuhong
That is not true. IE does load EOT and later WOFF fonts from webpages and pass
them to the OS engine. Even the other web browsers still use the OS engine;
they just sanitize the font using OTS before doing so. Hence, if reproducible,
yes, this should be sent to MSRC.

~~~
yuhong
chris_wot: Just did so, check your mailbox.

------
ferongr
FWIW I just updated LibreOffice to 4.0.1.2 from 4.0.0 and cannot reproduce the
issue with the steps in the bugzilla link so there may be some additional
requirement for the bug to surface. Possibly a GPU from a specific
manufacturer?

~~~
chris_wot
What happens if you copy in the fonts into your fonts directory?

~~~
ferongr
Obviously, they already are. The LO installer places them into %windir%\Fonts
during installation.

~~~
chris_wot
Strange. Don't have an answer for that, you can see the full setup in the bug
report.

------
Samuel_Michon
_“It’s not a bug, it’s an undocumented feature!”_

~~~
chris_wot
Reboots to Linux?

------
driverdan
I don't understand how this could be a bug with the fonts. Fonts should
_never_ be able to BSOD a system.

~~~
ChuckMcM
Fonts are rendered by the kernel (architecture bug explained above), fonts
have "code" in the form of hints which directs the rendering. Bad data in the
fonts and/or hinting leads to the rendering algorithm overwriting
memory/stack. Since we're in kernel mode it doesn't generate a fault and
instead corrupts the kernel. Blam! BSOD.

No doubt there are zero day exploits in there as well.

~~~
qb45
Actually, even without hints or any other "code" parsing nontrivial formats
provides opportunities for bugs causing buffer overflows or other memory
corruptions. This simply shouldn't be done in the kernel, period.

However, twenty years ago (when this code was likely written) security in the
PC world was pretty much nonexistent and nobody cared about such issues.

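An added example, not taken from the bug report or from any comment in this thread, of what wbl's "check every access" and qb45's "parsing nontrivial formats is where the bugs live" look like in code. It is a bounds-checked interpreter for a constructed toy "glyph program" byte-code: the opcodes, encoding and limits (`OP_*`, `MAX_STACK`, `MAX_POINTS`, `MAX_STEPS`, the `demo_*` programs) are assumptions made for illustration and are not TrueType's instruction set. Every value the untrusted program controls (instruction fetch, stack depth, point index, jump target, loop count) is validated and turned into an error code, so a malformed or hostile program produces a refused glyph rather than a stray memory write.

```c
/* Added example: bounds-checked toy glyph-program interpreter (constructed
 * format, not TrueType). Every access driven by font data is checked. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum glyph_op  { OP_END = 0x00, OP_PUSH = 0x01, OP_ADD = 0x02, OP_MOVEPT = 0x03,
                 OP_DUP = 0x04, OP_JMPNZ = 0x05 };
enum glyph_err { GLYPH_OK = 0, GLYPH_ERR_TRUNCATED = 1, GLYPH_ERR_STACK = 2,
                 GLYPH_ERR_POINT = 3, GLYPH_ERR_BADOP = 4, GLYPH_ERR_FUEL = 5 };

#define MAX_STACK  16    /* evaluation stack depth (assumed limit) */
#define MAX_POINTS 8     /* outline points per glyph (assumed limit) */
#define MAX_STEPS  1000  /* instruction budget; stops runaway loops */

struct glyph_vm {
    int32_t stack[MAX_STACK];
    size_t  sp;
    int32_t points[MAX_POINTS];  /* one coordinate per point, for brevity */
    size_t  npoints;
};

static int vm_push(struct glyph_vm *vm, int32_t v)
{
    if (vm->sp >= MAX_STACK) return 0;           /* overflow: refuse */
    vm->stack[vm->sp++] = v;
    return 1;
}

static int vm_pop(struct glyph_vm *vm, int32_t *out)
{
    if (vm->sp == 0) return 0;                   /* underflow: refuse */
    *out = vm->stack[--vm->sp];
    return 1;
}

/* Run prog against vm. Returns a glyph_err; on error the VM may be partially
 * updated, but no memory outside the VM struct has been touched. */
int glyph_run(struct glyph_vm *vm, const uint8_t *prog, size_t len)
{
    size_t pc = 0, steps = 0;
    int32_t a, b;

    for (;;) {
        if (++steps > MAX_STEPS) return GLYPH_ERR_FUEL;
        if (pc >= len) return GLYPH_ERR_TRUNCATED;   /* no OP_END before EOF */

        switch (prog[pc++]) {
        case OP_END:
            return GLYPH_OK;
        case OP_PUSH: {                              /* PUSH imm32, little-endian */
            if (len - pc < 4) return GLYPH_ERR_TRUNCATED;
            uint32_t u = (uint32_t)prog[pc] | (uint32_t)prog[pc + 1] << 8 |
                         (uint32_t)prog[pc + 2] << 16 | (uint32_t)prog[pc + 3] << 24;
            pc += 4;
            if (!vm_push(vm, (int32_t)u)) return GLYPH_ERR_STACK;
            break;
        }
        case OP_ADD:                                 /* a b -> a+b (wrapping) */
            if (!vm_pop(vm, &b) || !vm_pop(vm, &a)) return GLYPH_ERR_STACK;
            if (!vm_push(vm, (int32_t)((uint32_t)a + (uint32_t)b))) return GLYPH_ERR_STACK;
            break;
        case OP_DUP:
            if (vm->sp == 0) return GLYPH_ERR_STACK;
            if (!vm_push(vm, vm->stack[vm->sp - 1])) return GLYPH_ERR_STACK;
            break;
        case OP_MOVEPT:                              /* idx delta -> points[idx] += delta */
            if (!vm_pop(vm, &b) || !vm_pop(vm, &a)) return GLYPH_ERR_STACK;
            /* The index comes from the font: this is the test whose absence
             * turns a bad glyph into an out-of-bounds write. */
            if (a < 0 || (size_t)a >= vm->npoints) return GLYPH_ERR_POINT;
            vm->points[a] = (int32_t)((uint32_t)vm->points[a] + (uint32_t)b);
            break;
        case OP_JMPNZ: {                             /* v target16 -> jump if v != 0 */
            if (len - pc < 2) return GLYPH_ERR_TRUNCATED;
            size_t target = (size_t)prog[pc] | (size_t)prog[pc + 1] << 8;
            pc += 2;
            if (!vm_pop(vm, &a)) return GLYPH_ERR_STACK;
            if (a != 0) pc = target;                 /* range-checked at loop top */
            break;
        }
        default:
            return GLYPH_ERR_BADOP;
        }
    }
}

/* Constructed sample programs (assumed inputs), each run on a fresh 4-point VM. */
static int run_sample(const uint8_t *p, size_t n, int32_t *point1)
{
    struct glyph_vm vm = { .sp = 0, .npoints = 4 };
    int rc = glyph_run(&vm, p, n);
    if (point1) *point1 = vm.points[1];
    return rc;
}
static const uint8_t PROG_VALID[] = { OP_PUSH, 1, 0, 0, 0, OP_PUSH, 5, 0, 0, 0, OP_MOVEPT, OP_END };

int     demo_valid(void)        { return run_sample(PROG_VALID, sizeof PROG_VALID, NULL); }
int32_t demo_valid_point1(void) { int32_t x; run_sample(PROG_VALID, sizeof PROG_VALID, &x); return x; }
int demo_bad_index(void)        /* point index 100 on a 4-point glyph */
{ static const uint8_t p[] = { OP_PUSH, 100, 0, 0, 0, OP_PUSH, 5, 0, 0, 0, OP_MOVEPT, OP_END };
  return run_sample(p, sizeof p, NULL); }
int demo_truncated(void)        /* PUSH with only two immediate bytes */
{ static const uint8_t p[] = { OP_PUSH, 1, 0 }; return run_sample(p, sizeof p, NULL); }
int demo_runaway_loop(void)     /* DUP; JMPNZ back to the DUP, forever */
{ static const uint8_t p[] = { OP_PUSH, 1, 0, 0, 0, OP_DUP, OP_JMPNZ, 5, 0, OP_END };
  return run_sample(p, sizeof p, NULL); }

int main(void)
{
    printf("valid: rc=%d point1=%d\n", demo_valid(), (int)demo_valid_point1());
    printf("bad index: rc=%d\n", demo_bad_index());
    printf("truncated: rc=%d\n", demo_truncated());
    printf("runaway loop: rc=%d\n", demo_runaway_loop());
    return 0;
}
```

The design choice worth noting is that the interpreter never trusts a value it did not compute itself: the program length bounds every fetch, the stack pointer is checked on both push and pop, point indices are compared against the glyph's actual point count, and an instruction budget bounds execution time. Each refusal is an ordinary return code, which is what lets a caller (a font loader, a renderer) fail one glyph rather than the machine.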
~~~
yuhong
AFAIK MS's own web browser did not support embedded fonts until IE4 in 1997.

------
darkchasma
This is poetic.

~~~
smosher
Is that commentary on Windows or on the Liberation fonts? (I'm cool either
way.)

------
jmvoodoo
Seems like this is a possible vector for font based kernel exploits. Didn't
Gauss have some mystery font?

Edit: It was Gauss, not Flame, that had the font.

