Implement SDL /GS crash detection and analysis tooling

Copilot · anupriya13 · Copilot · commit b32301bbda67 · 2025-10-14T08:02:42.000Z
Co-authored-by: anupriya13 &lt;54227869+anupriya13@users.noreply.github.com&gt;
diff --git a/docs/sdl-gs-crash-monitoring.md b/docs/sdl-gs-crash-monitoring.md
@@ -0,0 +1,169 @@
+# SDL Policy: /GS Stack Buffer Overrun Crash Monitoring
+
+## Overview
+
+This document describes the process for monitoring, analyzing, and fixing /GS (stack buffer overrun) crashes in React Native Windows, in accordance with Microsoft's Security Development Lifecycle (SDL) policy requirements.
+
+## What is a /GS Crash?
+
+A /GS crash occurs when the `/GS` compiler flag detects stack buffer corruption. The `/GS` flag adds security checks (stack cookies) to detect buffer overruns. When a mismatch is detected, the application is terminated with exception code **0xc0000409** (`STATUS_STACK_BUFFER_OVERRUN`).
+
+## SDL Policy Requirements
+
+Per Microsoft SDL policy:
+
+1. **All high-confidence /GS crashes must be analyzed and fixed when appropriate**
+2. **A monitoring plan must be in place to analyze future /GS failures within 60 days** of being reported to Watson
+3. **Teams must investigate all crashes that are not false-positives** (`GS_FALSE_POSITIVE_*`)
+4. **Fix identified stack buffer overruns** to prevent potential security vulnerabilities
+
+## /GS Crash Classifications
+
+Watson automatically classifies /GS crashes using the `!gs` debugger extension:
+
+- **GS_POSITIVE**: High-confidence stack buffer overrun. **MUST be fixed immediately.**
+- **GS_SUSPECT**: Suspected stack buffer overrun. Should be investigated.
+- **GS_FALSE_POSITIVE**: False positive due to process corruption. Can be safely ignored.
+
+## Monitoring Process
+
+### 1. Finding /GS Crashes in Watson
+
+1. Go to [Watson](https://aka.ms/watson)
+2. Select "Buffer Overruns" under "Enter ANY of the following to see matching BUCKET(s)"
+3. Enter the application name (szAppName) or DLL name (szModName)
+4. Click "Show Crash/Hang Buckets"
+5. Filter for crashes with exception code `0xc0000409`
+
+### 2. Analyzing /GS Crashes
+
+Use the provided `Analyze-Crash.ps1` script to analyze crash dumps:
+
+```powershell
+# Analyze a specific dump file
+.\vnext\Scripts\Analyze-Crash.ps1 -DumpFilePath "path\to\crash.dmp"
+
+# Or configure automatic dump collection for an exe
+.\vnext\Scripts\Analyze-Crash.ps1 -ExeName "YourApp"
+```
+
+The script will:
+- Detect if the crash is a /GS crash (0xc0000409)
+- Run the `!gs` debugger extension for detailed analysis
+- Classify the crash (GS_POSITIVE, GS_SUSPECT, or GS_FALSE_POSITIVE)
+- Provide actionable guidance based on the classification
+
+### 3. Triage and Response Timeline
+
+| Classification | Priority | Action Required | Timeline |
+|---------------|----------|----------------|----------|
+| GS_POSITIVE | Critical | Analyze, fix, and test | Within 60 days of Watson report |
+| GS_SUSPECT | High | Investigate and determine if real | Within 90 days |
+| GS_FALSE_POSITIVE | Low | No action required | N/A |
+
+### 4. Fixing /GS Crashes
+
+When a real stack buffer overrun is identified:
+
+1. **Review the crash analysis**
+   - Check the `!gs` output in the analysis log
+   - Identify the function with the buffer overrun
+   - Locate the source of the overrun (strcpy, sprintf, etc.)
+
+2. **Implement the fix**
+   - Replace unsafe functions with safe alternatives:
+     - `strcpy` → `strcpy_s`
+     - `strcat` → `strcat_s`
+     - `sprintf` → `sprintf_s` or `snprintf`
+     - `gets` → `fgets` or `gets_s`
+   - Add bounds checking to array operations
+   - Validate input sizes before copying
+
+3. **Test the fix**
+   - Reproduce the original crash scenario
+   - Verify the crash no longer occurs
+   - Run existing tests to ensure no regressions
+
+4. **Document the fix**
+   - Include CVE information if applicable
+   - Document the root cause and fix in commit message
+   - Update security documentation if needed
+
+## Common Vulnerable Patterns
+
+Watch out for these common patterns that can lead to stack buffer overruns:
+
+```cpp
+// UNSAFE: No bounds checking
+char buffer[100];
+strcpy(buffer, userInput);  // ❌
+
+// SAFE: Use safe alternative with size
+char buffer[100];
+strcpy_s(buffer, sizeof(buffer), userInput);  // ✅
+
+// UNSAFE: sprintf without size limit
+char buffer[50];
+sprintf(buffer, "Value: %s", userInput);  // ❌
+
+// SAFE: Use snprintf with size limit
+char buffer[50];
+snprintf(buffer, sizeof(buffer), "Value: %s", userInput);  // ✅
+
+// UNSAFE: Array access without bounds check
+void ProcessArray(int* data, int count) {
+  int localArray[10];
+  for (int i = 0; i < count; i++) {  // ❌ count could be > 10
+    localArray[i] = data[i];
+  }
+}
+
+// SAFE: Add bounds checking
+void ProcessArray(int* data, int count) {
+  int localArray[10];
+  int safeCount = std::min(count, 10);
+  for (int i = 0; i < safeCount; i++) {  // ✅
+    localArray[i] = data[i];
+  }
+}
+```
+
+## Reporting Security Issues
+
+If a /GS crash is determined to be a security vulnerability:
+
+1. **Do NOT create a public GitHub issue**
+2. Report to Microsoft Security Response Center (MSRC):
+   - Online: https://msrc.microsoft.com/create-report
+   - Email: secure@microsoft.com
+3. Include:
+   - Type of issue (stack buffer overrun)
+   - Full paths of affected source files
+   - Steps to reproduce
+   - Crash dump and analysis (if safe to share)
+   - Potential security impact
+
+See [.github/security.md](../.github/security.md) for full security reporting guidelines.
+
+## Tools and Resources
+
+- **Analyze-Crash.ps1**: Automated crash analysis script with /GS detection
+- **Watson**: https://aka.ms/watson - Microsoft crash reporting system
+- **!gs debugger extension**: Built into Windows debuggers, analyzes /GS crashes
+- **!analyze -v**: Verbose crash analysis including !gs output
+
+## Regular Monitoring Schedule
+
+To comply with SDL requirements:
+
+1. **Weekly**: Check Watson for new /GS crashes
+2. **Monthly**: Review and triage all open /GS issues
+3. **Quarterly**: Audit codebase for unsafe string/buffer operations
+4. **Before Release**: Ensure no open GS_POSITIVE crashes remain
+
+## Questions?
+
+For questions about /GS crashes or SDL policy:
+- Internal: Contact your team's security champion
+- External: File an issue in the repository (for non-security questions)
+- Security issues: Follow the reporting process in [.github/security.md](../.github/security.md)
diff --git a/vnext/Scripts/Analyze-Crash.ps1 b/vnext/Scripts/Analyze-Crash.ps1
@@ -67,7 +67,28 @@ if ($ExeName) {
 }
 
 Write-Host Analyzing crash dump $DumpFilePath
-& $cdb -z "$DumpFilePath" -c ".lines; !analyze -v; .ecxr; kP; q" > $logfile
+
+# First, do a quick check to see if this is a /GS crash (STATUS_STACK_BUFFER_OVERRUN, 0xc0000409)
+$gsCheckLogfile = "$env:TEMP\gs_check.log"
+& $cdb -z "$DumpFilePath" -c ".lastevent; q" > $gsCheckLogfile 2>&1
+$isGSCrash = $false
+if (Test-Path $gsCheckLogfile) {
+  $content = Get-Content $gsCheckLogfile -Raw
+  if ($content -match "c0000409|STATUS_STACK_BUFFER_OVERRUN") {
+    $isGSCrash = $true
+    Write-Host -ForegroundColor Yellow "`n*** DETECTED /GS STACK BUFFER OVERRUN CRASH (0xc0000409) ***"
+    Write-Host -ForegroundColor Yellow "This is a security-related crash that requires immediate attention.`n"
+  }
+  Remove-Item $gsCheckLogfile -ErrorAction SilentlyContinue
+}
+
+# Run analysis with !gs extension for /GS crashes
+if ($isGSCrash) {
+  Write-Host "Running detailed /GS crash analysis..."
+  & $cdb -z "$DumpFilePath" -c ".lines; !analyze -v; !gs; .ecxr; kP; q" > $logfile
+} else {
+  & $cdb -z "$DumpFilePath" -c ".lines; !analyze -v; .ecxr; kP; q" > $logfile
+}
 
 if ($LASTEXITCODE -ne 0) {
   Write-Output "Failed to analyze the crash dump. Exiting"
@@ -82,26 +103,89 @@ if (!(Test-Path $logfile)) {
   exit 4
 }
 
+# Check for /GS crash indicators in the analysis
+$analysisContent = Get-Content $logfile -Raw
+$gsClassification = "Unknown"
+
+if ($analysisContent -match "GS_POSITIVE") {
+  $gsClassification = "GS_POSITIVE (High-confidence stack buffer overrun)"
+  Write-Host -ForegroundColor Red "`n*** HIGH-CONFIDENCE /GS CRASH DETECTED ***"
+  Write-Host -ForegroundColor Red "Problem Class: GS_POSITIVE"
+  Write-Host -ForegroundColor Red "This is a confirmed stack buffer overrun that MUST be fixed immediately."
+  Write-Host -ForegroundColor Red "Per SDL policy, this must be analyzed and fixed within 60 days.`n"
+} elseif ($analysisContent -match "GS_SUSPECT") {
+  $gsClassification = "GS_SUSPECT (Suspected stack buffer overrun)"
+  Write-Host -ForegroundColor Yellow "`n*** SUSPECTED /GS CRASH DETECTED ***"
+  Write-Host -ForegroundColor Yellow "Problem Class: GS_SUSPECT"
+  Write-Host -ForegroundColor Yellow "This is a suspected stack buffer overrun that should be investigated.`n"
+} elseif ($analysisContent -match "GS_FALSE_POSITIVE") {
+  $gsClassification = "GS_FALSE_POSITIVE (Can be safely ignored)"
+  Write-Host -ForegroundColor Green "`n/GS False Positive Detected"
+  Write-Host -ForegroundColor Green "Problem Class: GS_FALSE_POSITIVE - This can be safely ignored.`n"
+} elseif ($isGSCrash) {
+  Write-Host -ForegroundColor Yellow "`n/GS crash detected but classification not determined."
+  Write-Host -ForegroundColor Yellow "Manual review of the crash dump is recommended.`n"
+}
+
 Get-Content $logfile | & "${env:SystemRoot}\System32\clip.exe"
 
 Write-Host "
 Written analysis to $PWD\$logfile
+/GS Classification: $gsClassification
 
 The contents have been copied to the clipboard.
 If you wish to file a bug, please paste its contents in inside of a <details>...</details> tag.
 You may also upload the file $DumpFilePath and associated .pdb symbol files to your OneDrive or other cloud provider and share a link in the bug description.
 
 "
 
+if ($gsClassification -eq "GS_POSITIVE (High-confidence stack buffer overrun)") {
+  Write-Host -ForegroundColor Red @"
+
+===============================================================================
+SDL POLICY REQUIREMENT: HIGH-CONFIDENCE /GS CRASH
+===============================================================================
+Per Microsoft SDL policy, this crash MUST be:
+1. Analyzed and triaged immediately
+2. Fixed within 60 days of being reported to Watson
+3. Reported as a security vulnerability if exploitable
+
+Action Items:
+- Review the !gs analysis output in $logfile
+- Identify the buffer overrun location and root cause
+- File a security bug if this is exploitable
+- Implement and test a fix
+
+For more information, see: https://aka.ms/watson
+===============================================================================
+
+"@
+}
+
+
 Write-Warning "Note: the contents of $logfile, crash dump, and symbol files, might contain personally identifiable information. Please carefully review these contents before sharing them."
 
 start notepad.exe $logfile
 
 function FileIssue {
   # We can't populate the !analyze output because the URL ends up being too long and GitHub rejects it. Following up internally but at least we can prepopulate the <details> tags etc.
-  $title = [uri]::EscapeUriString("[Crash] ENTER TITLE HERE")
+  
+  $issueTitle = "[Crash] ENTER TITLE HERE"
+  $labels = "bug"
+  
+  if ($gsClassification -eq "GS_POSITIVE (High-confidence stack buffer overrun)") {
+    $issueTitle = "[Security] /GS High-Confidence Stack Buffer Overrun"
+    $labels = "bug,security"
+  } elseif ($gsClassification -eq "GS_SUSPECT (Suspected stack buffer overrun)") {
+    $issueTitle = "[Security] /GS Suspected Stack Buffer Overrun"
+    $labels = "bug,security"
+  }
+  
+  $title = [uri]::EscapeUriString($issueTitle)
   $body = [uri]::EscapeUriString("ENTER YOUR ISSUE DESCRIPTION HERE
 
+/GS Classification: $gsClassification
+
 <details>
 
 ``````
@@ -110,7 +194,7 @@ function FileIssue {
 </details>
 ")
 
-  start "https://github.com/$Repo/issues/new?title=$title&body=$body&labels=bug"
+  start "https://github.com/$Repo/issues/new?title=$title&body=$body&labels=$labels"
 }
 
 FileIssue
