Bug in cmkd.dll


Once, while I was debugging with WinDbg, it suddenly stopped responding. After a while I started a second WinDbg instance and began investigating.

0:000> !runaway
 User Mode Time
  Thread       Time
   1:5d0       0 days 0:10:44.190
   0:c64       0 days 0:00:00.140
   6:ef0       0 days 0:00:00.000
   5:f1c       0 days 0:00:00.000
   4:10d0      0 days 0:00:00.000
   3:930       0 days 0:00:00.000
   2:754       0 days 0:00:00.000
0:000> ~1s
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for cmkd.dll - 
cmkd!help+0x3f02:
000007fe`f67ee906 8b842450010000  mov     eax,dword ptr [rsp+150h] ss:00000000`034e2df0=000000d5
0:001> kf
  Memory  Child-SP          RetAddr           Call Site
          00000000`034e2ca0 000007fe`f67ee745 cmkd!help+0x3f02
     11c0 00000000`034e3e60 000007fe`f67ea746 cmkd!help+0x3d41
     98a0 00000000`034ed700 00000000`6f3c32bd cmkd!DebugExtensionInitialize+0x376
       e0 00000000`034ed7e0 00000000`6f3c5078 dbgeng!ExtensionInfo::Load+0x64d
      2f0 00000000`034edad0 00000000`6f3c24cb dbgeng!ExtensionInfo::CheckAdd+0x78
       50 00000000`034edb20 00000000`6f419457 dbgeng!ParseBangCmd+0x36b
      4e0 00000000`034ee000 00000000`6f41aae0 dbgeng!ProcessCommands+0x547
      110 00000000`034ee110 00000000`6f327134 dbgeng!ProcessCommandsAndCatch+0x20
       50 00000000`034ee160 00000000`6f327420 dbgeng!Execute+0x2b4
      4c0 00000000`034ee620 00000001`3fd93c4b dbgeng!DebugClient::ExecuteWide+0x90
       60 00000000`034ee680 00000001`3fd942eb windbg!ProcessCommand+0x1fb
      140 00000000`034ee7c0 00000001`3fd96d35 windbg!ProcessEngineCommands+0xcb
     1070 00000000`034ef830 00000000`771f652d windbg!EngineLoop+0x3e5
       40 00000000`034ef870 00000000`7778c521 kernel32!BaseThreadInitThunk+0xd
       30 00000000`034ef8a0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
0:001> dpa 00000000`034e3e60
00000000`034e3e60  00000000`034e46a0 "<HEAD><TITLE>Connection refused</TITLE></HEAD>.<BODY BG"
00000000`034e3e68  00000000`000000d5
00000000`034e3e70  00000000`034e56a0 ""
00000000`034e3e78  000007fe`00008000
00000000`034e3e80  00000000`034ed780 ""
00000000`034e3e88  00000000`00000040
00000000`034e3e90  00000000`000000d5
00000000`034e3e98  00000000`00000000
00000000`034e3ea0  772f2f3a`70747468
00000000`034e3ea8  6d65646f`632e7777
00000000`034e3eb0  632e656e`69686361
00000000`034e3eb8  2e646b6d`632f6d6f
00000000`034e3ec0  73726576`3f706870
00000000`034e3ec8  74387545`3d6e6f69
00000000`034e3ed0  2f52316d`754c6e34
00000000`034e3ed8  5a324934`5337434e
0:001> da 00000000`034e46a0
00000000`034e46a0  "<HEAD><TITLE>Connection refused<"
00000000`034e46c0  "/TITLE></HEAD>.<BODY BGCOLOR="wh"
00000000`034e46e0  "ite" FGCOLOR="black">.<FONT FACE"
00000000`034e4700  "="Helvetica,Arial"><B>. Connecti"
00000000`034e4720  "on refused</B></FONT>..<!-- defa"
00000000`034e4740  "ult "Connection refused" respons"
00000000`034e4760  "e (502) -->.</BODY>."

From the stack we can see that the problem is in cmkd.dll (a debugger extension DLL from www.codemachine.com), and the string on the stack doesn't look right: it is a proxy's "Connection refused" (502) error page rather than real content. The bytes just below it (at 034e3ea0) decode to an http://www.codemachine.com/cmkd.php?version=... URL, so the extension appears to have fetched this page over HTTP from DebugExtensionInitialize and is now parsing whatever the network returned.

0:001> u
cmkd!help+0x3f02:
000007fe`f67ee906 8b842450010000  mov     eax,dword ptr [rsp+150h]
000007fe`f67ee90d 39842440010000  cmp     dword ptr [rsp+140h],eax
000007fe`f67ee914 7352            jae     cmkd!help+0x3f64 (000007fe`f67ee968)
000007fe`f67ee916 488d4c2440      lea     rcx,[rsp+40h]
000007fe`f67ee91b e8c4010000      call    cmkd!help+0x40e0 (000007fe`f67eeae4)
000007fe`f67ee920 488bf0          mov     rsi,rax
000007fe`f67ee923 4885c0          test    rax,rax
000007fe`f67ee926 743c            je      cmkd!help+0x3f60 (000007fe`f67ee964)
0:001> 
cmkd!help+0x3f24:
000007fe`f67ee928 4883c9ff        or      rcx,0FFFFFFFFFFFFFFFFh
000007fe`f67ee92c 33c0            xor     eax,eax
000007fe`f67ee92e 488bfe          mov     rdi,rsi
000007fe`f67ee931 f2ae            repne scas byte ptr [rdi]
000007fe`f67ee933 8bd3            mov     edx,ebx
000007fe`f67ee935 48f7d1          not     rcx
000007fe`f67ee938 488d79ff        lea     rdi,[rcx-1]
000007fe`f67ee93c 85db            test    ebx,ebx
0:001> 
cmkd!help+0x3f3a:
000007fe`f67ee93e 0f8450010000    je      cmkd!help+0x4090 (000007fe`f67eea94)
000007fe`f67ee944 83ea01          sub     edx,1
000007fe`f67ee947 0f84f3000000    je      cmkd!help+0x403c (000007fe`f67eea40)
000007fe`f67ee94d 83ea01          sub     edx,1
000007fe`f67ee950 0f849e000000    je      cmkd!help+0x3ff0 (000007fe`f67ee9f4)
000007fe`f67ee956 83ea01          sub     edx,1
000007fe`f67ee959 7447            je      cmkd!help+0x3f9e (000007fe`f67ee9a2)
000007fe`f67ee95b 83fa01          cmp     edx,1
0:001> u 000007fe`f67eea94
cmkd!help+0x4090:
000007fe`f67eea94 488d0d614dffff  lea     rcx,[cmkd+0x37fc (000007fe`f67e37fc)]
000007fe`f67eea9b 488bd6          mov     rdx,rsi
000007fe`f67eea9e ff158426ffff    call    qword ptr [cmkd+0x1128 (000007fe`f67e1128)]
000007fe`f67eeaa4 85c0            test    eax,eax
000007fe`f67eeaa6 7506            jne     cmkd!help+0x40aa (000007fe`f67eeaae)
000007fe`f67eeaa8 41b401          mov     r12b,1
000007fe`f67eeaab 8d5801          lea     ebx,[rax+1]
000007fe`f67eeaae 8b4c2420        mov     ecx,dword ptr [rsp+20h]
0:001> u
cmkd!help+0x40ae:
000007fe`f67eeab2 e94ffeffff      jmp     cmkd!help+0x3f02 (000007fe`f67ee906)
0:001> dq 000007fe`f67e1128 l1
000007fe`f67e1128  000007fe`ff4c1690
0:001> ln 000007fe`ff4c1690
(000007fe`ff4c1690)   msvcrt!stricmp   |  (000007fe`ff526258)   msvcrt!strcoll_l
Exact matches:
        msvcrt!stricmp = <no type information>
0:001> da 000007fe`f67e37fc
000007fe`f67e37fc  "<html>"
0:001> da @rsi;		*the RSI register is not changed anywhere in the loop
00000000`034e2df8  ""

After debugging for a while, I found that the function parses the string shown above. It tries to find an <html> tag, but cannot, because the string contains no <html> tag — and it keeps running even after it has reached the end of the string. In the disassembly, each iteration compares a counter at [rsp+140h] against the length at [rsp+150h] (0xd5), calls a helper that returns the next token in rsi, and compares that token with "<html>" via stricmp before jumping back; since rsi stays pointing at an empty string, the loop apparently never makes progress and never exits.

So I sent a bug report to www.codemachine.com, and within a few days the bug was fixed.