2002-07-15 15:37:33 +00:00
|
|
|
/*
|
|
|
|
|
* ReactOS kernel
|
2003-01-17 18:51:13 +00:00
|
|
|
* Copyright (C) 2002,2003 ReactOS Team
|
2002-07-15 15:37:33 +00:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
2008-03-08 21:45:51 +00:00
|
|
|
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
|
2002-07-15 15:37:33 +00:00
|
|
|
*
|
|
|
|
|
* COPYRIGHT: See COPYING in the top level directory
|
|
|
|
|
* PROJECT: ReactOS kernel
|
2008-02-10 11:20:29 +00:00
|
|
|
* FILE: drivers/filesystem/ntfs/attrib.c
|
2002-07-15 15:37:33 +00:00
|
|
|
* PURPOSE: NTFS filesystem driver
|
2014-11-02 22:56:38 +00:00
|
|
|
* PROGRAMMERS: Eric Kohl
|
|
|
|
|
* Valentin Verkhovsky
|
|
|
|
|
* Hervé Poussineau (hpoussin@reactos.org)
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
* Pierre Schweitzer (pierre@reactos.org)
|
2002-07-15 15:37:33 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* INCLUDES *****************************************************************/
|
|
|
|
|
|
2005-07-20 02:52:52 +00:00
|
|
|
#include "ntfs.h"
|
2003-08-07 11:47:33 +00:00
|
|
|
|
2003-11-12 15:30:21 +00:00
|
|
|
#define NDEBUG
|
2002-07-15 15:37:33 +00:00
|
|
|
#include <debug.h>
|
|
|
|
|
|
|
|
|
|
/* FUNCTIONS ****************************************************************/
|
|
|
|
|
|
2017-04-16 00:17:07 +00:00
|
|
|
/**
|
|
|
|
|
* @name AddData
|
|
|
|
|
* @implemented
|
|
|
|
|
*
|
|
|
|
|
* Adds a $DATA attribute to a given FileRecord.
|
|
|
|
|
*
|
|
|
|
|
* @param FileRecord
|
|
|
|
|
* Pointer to a complete file record to add the attribute to. Caller is responsible for
|
|
|
|
|
* ensuring FileRecord is large enough to contain $DATA.
|
|
|
|
|
*
|
|
|
|
|
* @param AttributeAddress
|
|
|
|
|
* Pointer to the region of memory that will receive the $DATA attribute.
|
|
|
|
|
* This address must reside within FileRecord. Must be aligned to an 8-byte boundary (relative to FileRecord).
|
|
|
|
|
*
|
|
|
|
|
* @return
|
|
|
|
|
* STATUS_SUCCESS on success. STATUS_NOT_IMPLEMENTED if target address isn't at the end
|
|
|
|
|
* of the given file record.
|
|
|
|
|
*
|
|
|
|
|
* @remarks
|
|
|
|
|
* Only adding the attribute to the end of the file record is supported; AttributeAddress must
|
|
|
|
|
* be of type AttributeEnd.
|
|
|
|
|
* As it's implemented, this function is only intended to assist in creating new file records. It
|
|
|
|
|
* could be made more general-purpose by considering file records with an $ATTRIBUTE_LIST.
|
|
|
|
|
* It's the caller's responsibility to ensure the given file record has enough memory allocated
|
|
|
|
|
* for the attribute.
|
|
|
|
|
*/
|
|
|
|
|
NTSTATUS
|
|
|
|
|
AddData(PFILE_RECORD_HEADER FileRecord,
|
|
|
|
|
PNTFS_ATTR_RECORD AttributeAddress)
|
|
|
|
|
{
|
|
|
|
|
ULONG ResidentHeaderLength = FIELD_OFFSET(NTFS_ATTR_RECORD, Resident.Reserved) + sizeof(UCHAR);
|
|
|
|
|
ULONG FileRecordEnd = AttributeAddress->Length;
|
|
|
|
|
|
|
|
|
|
if (AttributeAddress->Type != AttributeEnd)
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("FIXME: Can only add $DATA attribute to the end of a file record.\n");
|
|
|
|
|
return STATUS_NOT_IMPLEMENTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
AttributeAddress->Type = AttributeData;
|
|
|
|
|
AttributeAddress->Length = ResidentHeaderLength;
|
|
|
|
|
AttributeAddress->Length = ALIGN_UP_BY(AttributeAddress->Length, 8);
|
|
|
|
|
AttributeAddress->Resident.ValueLength = 0;
|
|
|
|
|
AttributeAddress->Resident.ValueOffset = ResidentHeaderLength;
|
|
|
|
|
|
|
|
|
|
// for unnamed $DATA attributes, NameOffset equals header length
|
|
|
|
|
AttributeAddress->NameOffset = ResidentHeaderLength;
|
|
|
|
|
AttributeAddress->Instance = FileRecord->NextAttributeNumber++;
|
|
|
|
|
|
|
|
|
|
// move the attribute-end and file-record-end markers to the end of the file record
|
|
|
|
|
AttributeAddress = (PNTFS_ATTR_RECORD)((ULONG_PTR)AttributeAddress + AttributeAddress->Length);
|
|
|
|
|
SetFileRecordEnd(FileRecord, AttributeAddress, FileRecordEnd);
|
|
|
|
|
|
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @name AddFileName
|
|
|
|
|
* @implemented
|
|
|
|
|
*
|
|
|
|
|
* Adds a $FILE_NAME attribute to a given FileRecord.
|
|
|
|
|
*
|
|
|
|
|
* @param FileRecord
|
|
|
|
|
* Pointer to a complete file record to add the attribute to. Caller is responsible for
|
|
|
|
|
* ensuring FileRecord is large enough to contain $FILE_NAME.
|
|
|
|
|
*
|
|
|
|
|
* @param AttributeAddress
|
|
|
|
|
* Pointer to the region of memory that will receive the $FILE_NAME attribute.
|
|
|
|
|
* This address must reside within FileRecord. Must be aligned to an 8-byte boundary (relative to FileRecord).
|
|
|
|
|
*
|
|
|
|
|
* @param DeviceExt
|
|
|
|
|
* Points to the target disk's DEVICE_EXTENSION.
|
|
|
|
|
*
|
|
|
|
|
* @param FileObject
|
|
|
|
|
* Pointer to the FILE_OBJECT which represents the new name.
|
|
|
|
|
* This parameter is used to determine the filename and parent directory.
|
|
|
|
|
*
|
2017-06-09 03:14:30 +00:00
|
|
|
* @param ParentMftIndex
|
|
|
|
|
* Pointer to a ULONGLONG which will receive the index of the parent directory.
|
|
|
|
|
*
|
2017-04-16 00:17:07 +00:00
|
|
|
* @return
|
|
|
|
|
* STATUS_SUCCESS on success. STATUS_NOT_IMPLEMENTED if target address isn't at the end
|
|
|
|
|
* of the given file record.
|
|
|
|
|
*
|
|
|
|
|
* @remarks
|
|
|
|
|
* Only adding the attribute to the end of the file record is supported; AttributeAddress must
|
|
|
|
|
* be of type AttributeEnd.
|
|
|
|
|
* As it's implemented, this function is only intended to assist in creating new file records. It
|
|
|
|
|
* could be made more general-purpose by considering file records with an $ATTRIBUTE_LIST.
|
|
|
|
|
* It's the caller's responsibility to ensure the given file record has enough memory allocated
|
|
|
|
|
* for the attribute.
|
|
|
|
|
*/
|
|
|
|
|
NTSTATUS
|
|
|
|
|
AddFileName(PFILE_RECORD_HEADER FileRecord,
|
|
|
|
|
PNTFS_ATTR_RECORD AttributeAddress,
|
|
|
|
|
PDEVICE_EXTENSION DeviceExt,
|
2017-06-09 03:14:30 +00:00
|
|
|
PFILE_OBJECT FileObject,
|
|
|
|
|
PULONGLONG ParentMftIndex)
|
2017-04-16 00:17:07 +00:00
|
|
|
{
|
|
|
|
|
ULONG ResidentHeaderLength = FIELD_OFFSET(NTFS_ATTR_RECORD, Resident.Reserved) + sizeof(UCHAR);
|
|
|
|
|
PFILENAME_ATTRIBUTE FileNameAttribute;
|
|
|
|
|
LARGE_INTEGER SystemTime;
|
|
|
|
|
ULONG FileRecordEnd = AttributeAddress->Length;
|
|
|
|
|
ULONGLONG CurrentMFTIndex = NTFS_FILE_ROOT;
|
2017-06-09 03:14:30 +00:00
|
|
|
UNICODE_STRING Current, Remaining, FilenameNoPath;
|
2017-04-16 00:17:07 +00:00
|
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
|
ULONG FirstEntry = 0;
|
2017-06-09 03:14:30 +00:00
|
|
|
WCHAR Buffer[MAX_PATH];
|
2017-04-16 00:17:07 +00:00
|
|
|
|
|
|
|
|
if (AttributeAddress->Type != AttributeEnd)
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("FIXME: Can only add $FILE_NAME attribute to the end of a file record.\n");
|
|
|
|
|
return STATUS_NOT_IMPLEMENTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
AttributeAddress->Type = AttributeFileName;
|
|
|
|
|
AttributeAddress->Instance = FileRecord->NextAttributeNumber++;
|
|
|
|
|
|
|
|
|
|
FileNameAttribute = (PFILENAME_ATTRIBUTE)((LONG_PTR)AttributeAddress + ResidentHeaderLength);
|
|
|
|
|
|
|
|
|
|
// set timestamps
|
|
|
|
|
KeQuerySystemTime(&SystemTime);
|
|
|
|
|
FileNameAttribute->CreationTime = SystemTime.QuadPart;
|
|
|
|
|
FileNameAttribute->ChangeTime = SystemTime.QuadPart;
|
|
|
|
|
FileNameAttribute->LastWriteTime = SystemTime.QuadPart;
|
|
|
|
|
FileNameAttribute->LastAccessTime = SystemTime.QuadPart;
|
|
|
|
|
|
|
|
|
|
FileNameAttribute->FileAttributes = NTFS_FILE_TYPE_ARCHIVE;
|
|
|
|
|
|
|
|
|
|
// we need to extract the filename from the path
|
|
|
|
|
DPRINT1("Pathname: %wZ\n", &FileObject->FileName);
|
|
|
|
|
|
2017-06-09 03:14:30 +00:00
|
|
|
RtlZeroMemory(&FilenameNoPath, sizeof(UNICODE_STRING));
|
|
|
|
|
FilenameNoPath.Buffer = Buffer;
|
|
|
|
|
FilenameNoPath.MaximumLength = MAX_PATH;
|
|
|
|
|
|
2017-04-16 00:17:07 +00:00
|
|
|
FsRtlDissectName(FileObject->FileName, &Current, &Remaining);
|
|
|
|
|
|
|
|
|
|
while (Current.Length != 0)
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("Current: %wZ\n", &Current);
|
|
|
|
|
|
2017-06-09 03:14:30 +00:00
|
|
|
if(Remaining.Length != 0)
|
|
|
|
|
RtlCopyUnicodeString(&FilenameNoPath, &Remaining);
|
|
|
|
|
|
2017-04-16 00:17:07 +00:00
|
|
|
Status = NtfsFindMftRecord(DeviceExt, CurrentMFTIndex, &Current, &FirstEntry, FALSE, &CurrentMFTIndex);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
break;
|
|
|
|
|
|
2017-06-09 03:14:30 +00:00
|
|
|
if (Remaining.Length == 0 )
|
|
|
|
|
{
|
|
|
|
|
if(Current.Length != 0)
|
|
|
|
|
RtlCopyUnicodeString(&FilenameNoPath, &Current);
|
2017-04-16 00:17:07 +00:00
|
|
|
break;
|
2017-06-09 03:14:30 +00:00
|
|
|
}
|
2017-04-16 00:17:07 +00:00
|
|
|
|
|
|
|
|
FsRtlDissectName(Current, &Current, &Remaining);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DPRINT1("MFT Index of parent: %I64u\n", CurrentMFTIndex);
|
|
|
|
|
|
|
|
|
|
// set reference to parent directory
|
|
|
|
|
FileNameAttribute->DirectoryFileReferenceNumber = CurrentMFTIndex;
|
2017-06-09 03:14:30 +00:00
|
|
|
*ParentMftIndex = CurrentMFTIndex;
|
|
|
|
|
|
|
|
|
|
DPRINT1("SequenceNumber: 0x%02x\n", FileRecord->SequenceNumber);
|
2017-04-16 00:17:07 +00:00
|
|
|
|
|
|
|
|
// The highest 2 bytes should be the sequence number, unless the parent happens to be root
|
|
|
|
|
if (CurrentMFTIndex == NTFS_FILE_ROOT)
|
|
|
|
|
FileNameAttribute->DirectoryFileReferenceNumber |= (ULONGLONG)NTFS_FILE_ROOT << 48;
|
|
|
|
|
else
|
|
|
|
|
FileNameAttribute->DirectoryFileReferenceNumber |= (ULONGLONG)FileRecord->SequenceNumber << 48;
|
|
|
|
|
|
2017-06-09 03:14:30 +00:00
|
|
|
DPRINT1("FileNameAttribute->DirectoryFileReferenceNumber: 0x%016I64x\n", FileNameAttribute->DirectoryFileReferenceNumber);
|
2017-04-16 00:17:07 +00:00
|
|
|
|
2017-06-09 03:14:30 +00:00
|
|
|
FileNameAttribute->NameLength = FilenameNoPath.Length / 2;
|
2017-04-16 00:17:07 +00:00
|
|
|
// TODO: Get proper nametype, add DOS links as needed
|
|
|
|
|
FileNameAttribute->NameType = NTFS_FILE_NAME_WIN32_AND_DOS;
|
2017-06-09 03:14:30 +00:00
|
|
|
RtlCopyMemory(FileNameAttribute->Name, FilenameNoPath.Buffer, FilenameNoPath.Length);
|
2017-04-16 00:17:07 +00:00
|
|
|
FileRecord->LinkCount++;
|
|
|
|
|
|
|
|
|
|
AttributeAddress->Length = ResidentHeaderLength +
|
2017-06-09 03:14:30 +00:00
|
|
|
FIELD_OFFSET(FILENAME_ATTRIBUTE, Name) + FilenameNoPath.Length;
|
2017-04-16 00:17:07 +00:00
|
|
|
AttributeAddress->Length = ALIGN_UP_BY(AttributeAddress->Length, 8);
|
|
|
|
|
|
2017-06-09 03:14:30 +00:00
|
|
|
AttributeAddress->Resident.ValueLength = FIELD_OFFSET(FILENAME_ATTRIBUTE, Name) + FilenameNoPath.Length;
|
2017-04-16 00:17:07 +00:00
|
|
|
AttributeAddress->Resident.ValueOffset = ResidentHeaderLength;
|
|
|
|
|
AttributeAddress->Resident.Flags = 1; // indexed
|
|
|
|
|
|
|
|
|
|
// move the attribute-end and file-record-end markers to the end of the file record
|
|
|
|
|
AttributeAddress = (PNTFS_ATTR_RECORD)((ULONG_PTR)AttributeAddress + AttributeAddress->Length);
|
|
|
|
|
SetFileRecordEnd(FileRecord, AttributeAddress, FileRecordEnd);
|
|
|
|
|
|
|
|
|
|
return Status;
|
|
|
|
|
}
|
|
|
|
|
|
2016-07-14 15:20:48 +00:00
|
|
|
/**
|
|
|
|
|
* @name AddRun
|
|
|
|
|
* @implemented
|
|
|
|
|
*
|
|
|
|
|
* Adds a run of allocated clusters to a non-resident attribute.
|
|
|
|
|
*
|
|
|
|
|
* @param Vcb
|
|
|
|
|
* Pointer to an NTFS_VCB for the destination volume.
|
|
|
|
|
*
|
|
|
|
|
* @param AttrContext
|
|
|
|
|
* Pointer to an NTFS_ATTR_CONTEXT describing the destination attribute.
|
|
|
|
|
*
|
|
|
|
|
* @param AttrOffset
|
|
|
|
|
* Byte offset of the destination attribute relative to its file record.
|
|
|
|
|
*
|
|
|
|
|
* @param FileRecord
|
|
|
|
|
* Pointer to a complete copy of the file record containing the destination attribute. Must be at least
|
|
|
|
|
* Vcb->NtfsInfo.BytesPerFileRecord bytes long.
|
|
|
|
|
*
|
|
|
|
|
* @param NextAssignedCluster
|
|
|
|
|
* Logical cluster number of the start of the data run being added.
|
|
|
|
|
*
|
|
|
|
|
* @param RunLength
|
|
|
|
|
* How many clusters are in the data run being added. Can't be 0.
|
|
|
|
|
*
|
|
|
|
|
* @return
|
|
|
|
|
* STATUS_SUCCESS on success. STATUS_INVALID_PARAMETER if AttrContext describes a resident attribute.
|
2016-08-22 08:11:12 +00:00
|
|
|
* STATUS_INSUFFICIENT_RESOURCES if ConvertDataRunsToLargeMCB() fails or if we fail to allocate a
|
|
|
|
|
* buffer for the new data runs.
|
|
|
|
|
* STATUS_INSUFFICIENT_RESOURCES or STATUS_UNSUCCESSFUL if FsRtlAddLargeMcbEntry() fails.
|
2016-07-14 15:20:48 +00:00
|
|
|
* STATUS_BUFFER_TOO_SMALL if ConvertLargeMCBToDataRuns() fails.
|
|
|
|
|
* STATUS_NOT_IMPLEMENTED if we need to migrate the attribute to an attribute list (TODO).
|
|
|
|
|
*
|
|
|
|
|
* @remarks
|
|
|
|
|
* Clusters should have been allocated previously with NtfsAllocateClusters().
|
|
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
*/
|
2016-06-29 16:35:36 +00:00
|
|
|
NTSTATUS
|
2016-07-14 15:20:48 +00:00
|
|
|
AddRun(PNTFS_VCB Vcb,
|
|
|
|
|
PNTFS_ATTR_CONTEXT AttrContext,
|
|
|
|
|
ULONG AttrOffset,
|
|
|
|
|
PFILE_RECORD_HEADER FileRecord,
|
2016-06-29 16:35:36 +00:00
|
|
|
ULONGLONG NextAssignedCluster,
|
|
|
|
|
ULONG RunLength)
|
|
|
|
|
{
|
2016-07-14 15:20:48 +00:00
|
|
|
NTSTATUS Status;
|
|
|
|
|
int DataRunMaxLength;
|
|
|
|
|
PNTFS_ATTR_RECORD DestinationAttribute = (PNTFS_ATTR_RECORD)((ULONG_PTR)FileRecord + AttrOffset);
|
|
|
|
|
ULONG NextAttributeOffset = AttrOffset + AttrContext->Record.Length;
|
2017-05-12 22:16:20 +00:00
|
|
|
ULONGLONG NextVBN = 0;
|
2016-07-14 15:20:48 +00:00
|
|
|
|
2016-07-15 15:27:04 +00:00
|
|
|
PUCHAR RunBuffer;
|
2017-05-12 22:16:20 +00:00
|
|
|
ULONG RunBufferSize;
|
2016-06-29 16:35:36 +00:00
|
|
|
|
|
|
|
|
if (!AttrContext->Record.IsNonResident)
|
|
|
|
|
return STATUS_INVALID_PARAMETER;
|
|
|
|
|
|
2017-05-12 22:16:20 +00:00
|
|
|
if (AttrContext->Record.NonResident.AllocatedSize != 0)
|
|
|
|
|
NextVBN = AttrContext->Record.NonResident.HighestVCN + 1;
|
2016-07-14 15:20:48 +00:00
|
|
|
|
|
|
|
|
// Add newly-assigned clusters to mcb
|
2016-07-15 15:27:04 +00:00
|
|
|
_SEH2_TRY{
|
2017-05-12 22:16:20 +00:00
|
|
|
if (!FsRtlAddLargeMcbEntry(&AttrContext->DataRunsMCB,
|
2016-07-17 14:04:01 +00:00
|
|
|
NextVBN,
|
2016-07-15 15:27:04 +00:00
|
|
|
NextAssignedCluster,
|
|
|
|
|
RunLength))
|
|
|
|
|
{
|
2016-08-22 08:11:12 +00:00
|
|
|
ExRaiseStatus(STATUS_UNSUCCESSFUL);
|
2016-07-15 15:27:04 +00:00
|
|
|
}
|
|
|
|
|
} _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) {
|
2016-08-22 08:11:12 +00:00
|
|
|
_SEH2_YIELD(_SEH2_GetExceptionCode());
|
2016-07-15 15:27:04 +00:00
|
|
|
} _SEH2_END;
|
|
|
|
|
|
2017-05-12 22:16:20 +00:00
|
|
|
RunBuffer = ExAllocatePoolWithTag(NonPagedPool, Vcb->NtfsInfo.BytesPerFileRecord, TAG_NTFS);
|
|
|
|
|
if (!RunBuffer)
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("ERROR: Couldn't allocate memory for data runs!\n");
|
|
|
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
|
|
|
}
|
2016-07-14 15:20:48 +00:00
|
|
|
|
|
|
|
|
// Convert the map control block back to encoded data runs
|
2017-05-12 22:16:20 +00:00
|
|
|
ConvertLargeMCBToDataRuns(&AttrContext->DataRunsMCB, RunBuffer, Vcb->NtfsInfo.BytesPerCluster, &RunBufferSize);
|
2016-07-14 15:20:48 +00:00
|
|
|
|
|
|
|
|
// Get the amount of free space between the start of the of the first data run and the attribute end
|
|
|
|
|
DataRunMaxLength = AttrContext->Record.Length - AttrContext->Record.NonResident.MappingPairsOffset;
|
|
|
|
|
|
|
|
|
|
// Do we need to extend the attribute (or convert to attribute list)?
|
2017-05-12 22:16:20 +00:00
|
|
|
if (DataRunMaxLength < RunBufferSize)
|
2016-07-14 15:20:48 +00:00
|
|
|
{
|
|
|
|
|
PNTFS_ATTR_RECORD NextAttribute = (PNTFS_ATTR_RECORD)((ULONG_PTR)FileRecord + NextAttributeOffset);
|
|
|
|
|
DataRunMaxLength += Vcb->NtfsInfo.BytesPerFileRecord - NextAttributeOffset - (sizeof(ULONG) * 2);
|
|
|
|
|
|
|
|
|
|
// Can we move the end of the attribute?
|
2017-05-12 22:16:20 +00:00
|
|
|
if (NextAttribute->Type != AttributeEnd || DataRunMaxLength < RunBufferSize - 1)
|
2016-07-14 15:20:48 +00:00
|
|
|
{
|
|
|
|
|
DPRINT1("FIXME: Need to create attribute list! Max Data Run Length available: %d\n", DataRunMaxLength);
|
|
|
|
|
if (NextAttribute->Type != AttributeEnd)
|
|
|
|
|
DPRINT1("There's another attribute after this one with type %0xlx\n", NextAttribute->Type);
|
|
|
|
|
ExFreePoolWithTag(RunBuffer, TAG_NTFS);
|
|
|
|
|
return STATUS_NOT_IMPLEMENTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// calculate position of end markers
|
2017-05-12 22:16:20 +00:00
|
|
|
NextAttributeOffset = AttrOffset + AttrContext->Record.NonResident.MappingPairsOffset + RunBufferSize;
|
2016-07-14 15:20:48 +00:00
|
|
|
NextAttributeOffset = ALIGN_UP_BY(NextAttributeOffset, 8);
|
|
|
|
|
|
|
|
|
|
// Update the length
|
|
|
|
|
DestinationAttribute->Length = NextAttributeOffset - AttrOffset;
|
|
|
|
|
AttrContext->Record.Length = DestinationAttribute->Length;
|
|
|
|
|
|
2017-05-12 22:16:20 +00:00
|
|
|
// End the file record
|
|
|
|
|
NextAttribute = (PNTFS_ATTR_RECORD)((ULONG_PTR)FileRecord + NextAttributeOffset);
|
|
|
|
|
SetFileRecordEnd(FileRecord, NextAttribute, FILE_RECORD_END);
|
2016-07-14 15:20:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Update HighestVCN
|
|
|
|
|
DestinationAttribute->NonResident.HighestVCN =
|
2017-05-12 22:16:20 +00:00
|
|
|
AttrContext->Record.NonResident.HighestVCN = max(NextVBN - 1 + RunLength,
|
2016-07-14 15:20:48 +00:00
|
|
|
AttrContext->Record.NonResident.HighestVCN);
|
|
|
|
|
|
|
|
|
|
// Write data runs to destination attribute
|
|
|
|
|
RtlCopyMemory((PVOID)((ULONG_PTR)DestinationAttribute + DestinationAttribute->NonResident.MappingPairsOffset),
|
|
|
|
|
RunBuffer,
|
2017-05-12 22:16:20 +00:00
|
|
|
RunBufferSize);
|
2016-07-14 15:20:48 +00:00
|
|
|
|
|
|
|
|
// Update the file record
|
|
|
|
|
Status = UpdateFileRecord(Vcb, AttrContext->FileMFTIndex, FileRecord);
|
|
|
|
|
|
|
|
|
|
ExFreePoolWithTag(RunBuffer, TAG_NTFS);
|
|
|
|
|
|
|
|
|
|
NtfsDumpDataRuns((PUCHAR)((ULONG_PTR)DestinationAttribute + DestinationAttribute->NonResident.MappingPairsOffset), 0);
|
|
|
|
|
|
|
|
|
|
return Status;
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-16 00:17:07 +00:00
|
|
|
/**
|
|
|
|
|
* @name AddStandardInformation
|
|
|
|
|
* @implemented
|
|
|
|
|
*
|
|
|
|
|
* Adds a $STANDARD_INFORMATION attribute to a given FileRecord.
|
|
|
|
|
*
|
|
|
|
|
* @param FileRecord
|
|
|
|
|
* Pointer to a complete file record to add the attribute to. Caller is responsible for
|
|
|
|
|
* ensuring FileRecord is large enough to contain $STANDARD_INFORMATION.
|
|
|
|
|
*
|
|
|
|
|
* @param AttributeAddress
|
|
|
|
|
* Pointer to the region of memory that will receive the $STANDARD_INFORMATION attribute.
|
|
|
|
|
* This address must reside within FileRecord. Must be aligned to an 8-byte boundary (relative to FileRecord).
|
|
|
|
|
*
|
|
|
|
|
* @return
|
|
|
|
|
* STATUS_SUCCESS on success. STATUS_NOT_IMPLEMENTED if target address isn't at the end
|
|
|
|
|
* of the given file record.
|
|
|
|
|
*
|
|
|
|
|
* @remarks
|
|
|
|
|
* Only adding the attribute to the end of the file record is supported; AttributeAddress must
|
|
|
|
|
* be of type AttributeEnd.
|
|
|
|
|
* As it's implemented, this function is only intended to assist in creating new file records. It
|
|
|
|
|
* could be made more general-purpose by considering file records with an $ATTRIBUTE_LIST.
|
|
|
|
|
* It's the caller's responsibility to ensure the given file record has enough memory allocated
|
|
|
|
|
* for the attribute.
|
|
|
|
|
*/
|
|
|
|
|
NTSTATUS
|
|
|
|
|
AddStandardInformation(PFILE_RECORD_HEADER FileRecord,
|
|
|
|
|
PNTFS_ATTR_RECORD AttributeAddress)
|
|
|
|
|
{
|
|
|
|
|
ULONG ResidentHeaderLength = FIELD_OFFSET(NTFS_ATTR_RECORD, Resident.Reserved) + sizeof(UCHAR);
|
|
|
|
|
PSTANDARD_INFORMATION StandardInfo = (PSTANDARD_INFORMATION)((LONG_PTR)AttributeAddress + ResidentHeaderLength);
|
|
|
|
|
LARGE_INTEGER SystemTime;
|
|
|
|
|
ULONG FileRecordEnd = AttributeAddress->Length;
|
|
|
|
|
|
|
|
|
|
if (AttributeAddress->Type != AttributeEnd)
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("FIXME: Can only add $STANDARD_INFORMATION attribute to the end of a file record.\n");
|
|
|
|
|
return STATUS_NOT_IMPLEMENTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
AttributeAddress->Type = AttributeStandardInformation;
|
|
|
|
|
AttributeAddress->Length = sizeof(STANDARD_INFORMATION) + ResidentHeaderLength;
|
|
|
|
|
AttributeAddress->Length = ALIGN_UP_BY(AttributeAddress->Length, 8);
|
|
|
|
|
AttributeAddress->Resident.ValueLength = sizeof(STANDARD_INFORMATION);
|
|
|
|
|
AttributeAddress->Resident.ValueOffset = ResidentHeaderLength;
|
|
|
|
|
AttributeAddress->Instance = FileRecord->NextAttributeNumber++;
|
|
|
|
|
|
|
|
|
|
// set dates and times
|
|
|
|
|
KeQuerySystemTime(&SystemTime);
|
|
|
|
|
StandardInfo->CreationTime = SystemTime.QuadPart;
|
|
|
|
|
StandardInfo->ChangeTime = SystemTime.QuadPart;
|
|
|
|
|
StandardInfo->LastWriteTime = SystemTime.QuadPart;
|
|
|
|
|
StandardInfo->LastAccessTime = SystemTime.QuadPart;
|
|
|
|
|
StandardInfo->FileAttribute = NTFS_FILE_TYPE_ARCHIVE;
|
|
|
|
|
|
|
|
|
|
// move the attribute-end and file-record-end markers to the end of the file record
|
|
|
|
|
AttributeAddress = (PNTFS_ATTR_RECORD)((ULONG_PTR)AttributeAddress + AttributeAddress->Length);
|
|
|
|
|
SetFileRecordEnd(FileRecord, AttributeAddress, FileRecordEnd);
|
|
|
|
|
|
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2016-07-14 15:20:48 +00:00
|
|
|
/**
|
|
|
|
|
* @name ConvertDataRunsToLargeMCB
|
|
|
|
|
* @implemented
|
|
|
|
|
*
|
|
|
|
|
* Converts binary data runs to a map control block.
|
|
|
|
|
*
|
|
|
|
|
* @param DataRun
|
|
|
|
|
* Pointer to the run data
|
|
|
|
|
*
|
|
|
|
|
* @param DataRunsMCB
|
|
|
|
|
* Pointer to an unitialized LARGE_MCB structure.
|
|
|
|
|
*
|
|
|
|
|
* @return
|
2016-08-22 08:11:12 +00:00
|
|
|
* STATUS_SUCCESS on success, STATUS_INSUFFICIENT_RESOURCES or STATUS_UNSUCCESSFUL if we fail to
|
2016-07-14 15:20:48 +00:00
|
|
|
* initialize the mcb or add an entry.
|
|
|
|
|
*
|
|
|
|
|
* @remarks
|
|
|
|
|
* Initializes the LARGE_MCB pointed to by DataRunsMCB. If this function succeeds, you
|
|
|
|
|
* need to call FsRtlUninitializeLargeMcb() when you're done with DataRunsMCB. This
|
|
|
|
|
* function will ensure the LargeMCB has been unitialized in case of failure.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
NTSTATUS
|
|
|
|
|
ConvertDataRunsToLargeMCB(PUCHAR DataRun,
|
|
|
|
|
PLARGE_MCB DataRunsMCB,
|
|
|
|
|
PULONGLONG pNextVBN)
|
|
|
|
|
{
|
|
|
|
|
LONGLONG DataRunOffset;
|
|
|
|
|
ULONGLONG DataRunLength;
|
|
|
|
|
LONGLONG DataRunStartLCN;
|
|
|
|
|
ULONGLONG LastLCN = 0;
|
|
|
|
|
|
|
|
|
|
// Initialize the MCB, potentially catch an exception
|
|
|
|
|
_SEH2_TRY{
|
|
|
|
|
FsRtlInitializeLargeMcb(DataRunsMCB, NonPagedPool);
|
|
|
|
|
} _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) {
|
2016-08-22 08:11:12 +00:00
|
|
|
_SEH2_YIELD(return _SEH2_GetExceptionCode());
|
2016-07-14 15:20:48 +00:00
|
|
|
} _SEH2_END;
|
|
|
|
|
|
|
|
|
|
while (*DataRun != 0)
|
|
|
|
|
{
|
|
|
|
|
DataRun = DecodeRun(DataRun, &DataRunOffset, &DataRunLength);
|
|
|
|
|
|
|
|
|
|
if (DataRunOffset != -1)
|
|
|
|
|
{
|
|
|
|
|
// Normal data run.
|
|
|
|
|
DataRunStartLCN = LastLCN + DataRunOffset;
|
|
|
|
|
LastLCN = DataRunStartLCN;
|
|
|
|
|
|
|
|
|
|
_SEH2_TRY{
|
|
|
|
|
if (!FsRtlAddLargeMcbEntry(DataRunsMCB,
|
|
|
|
|
*pNextVBN,
|
|
|
|
|
DataRunStartLCN,
|
|
|
|
|
DataRunLength))
|
|
|
|
|
{
|
2016-08-22 08:11:12 +00:00
|
|
|
ExRaiseStatus(STATUS_UNSUCCESSFUL);
|
2016-07-14 15:20:48 +00:00
|
|
|
}
|
|
|
|
|
} _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) {
|
|
|
|
|
FsRtlUninitializeLargeMcb(DataRunsMCB);
|
2016-08-22 08:11:12 +00:00
|
|
|
_SEH2_YIELD(return _SEH2_GetExceptionCode());
|
2016-07-14 15:20:48 +00:00
|
|
|
} _SEH2_END;
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*pNextVBN += DataRunLength;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @name ConvertLargeMCBToDataRuns
|
|
|
|
|
* @implemented
|
|
|
|
|
*
|
|
|
|
|
* Converts a map control block to a series of encoded data runs (used by non-resident attributes).
|
|
|
|
|
*
|
|
|
|
|
* @param DataRunsMCB
|
|
|
|
|
* Pointer to a LARGE_MCB structure describing the data runs.
|
|
|
|
|
*
|
|
|
|
|
* @param RunBuffer
|
|
|
|
|
* Pointer to the buffer that will receive the encoded data runs.
|
|
|
|
|
*
|
|
|
|
|
* @param MaxBufferSize
|
|
|
|
|
* Size of RunBuffer, in bytes.
|
|
|
|
|
*
|
|
|
|
|
* @param UsedBufferSize
|
|
|
|
|
* Pointer to a ULONG that will receive the size of the data runs in bytes. Can't be NULL.
|
|
|
|
|
*
|
|
|
|
|
* @return
|
|
|
|
|
* STATUS_SUCCESS on success, STATUS_BUFFER_TOO_SMALL if RunBuffer is too small to contain the
|
|
|
|
|
* complete output.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
NTSTATUS
|
|
|
|
|
ConvertLargeMCBToDataRuns(PLARGE_MCB DataRunsMCB,
|
|
|
|
|
PUCHAR RunBuffer,
|
|
|
|
|
ULONG MaxBufferSize,
|
|
|
|
|
PULONG UsedBufferSize)
|
|
|
|
|
{
|
|
|
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
|
ULONG RunBufferOffset = 0;
|
|
|
|
|
LONGLONG DataRunOffset;
|
|
|
|
|
ULONGLONG LastLCN = 0;
|
|
|
|
|
LONGLONG Vbn, Lbn, Count;
|
2016-08-22 08:11:12 +00:00
|
|
|
ULONG i;
|
2016-07-14 15:20:48 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
DPRINT("\t[Vbn, Lbn, Count]\n");
|
|
|
|
|
|
|
|
|
|
// convert each mcb entry to a data run
|
2016-07-17 14:04:01 +00:00
|
|
|
for (i = 0; FsRtlGetNextLargeMcbEntry(DataRunsMCB, i, &Vbn, &Lbn, &Count); i++)
|
2016-07-14 15:20:48 +00:00
|
|
|
{
|
|
|
|
|
UCHAR DataRunOffsetSize = 0;
|
|
|
|
|
UCHAR DataRunLengthSize = 0;
|
|
|
|
|
UCHAR ControlByte = 0;
|
|
|
|
|
|
|
|
|
|
// [vbn, lbn, count]
|
|
|
|
|
DPRINT("\t[%I64d, %I64d,%I64d]\n", Vbn, Lbn, Count);
|
|
|
|
|
|
|
|
|
|
// TODO: check for holes and convert to sparse runs
|
|
|
|
|
DataRunOffset = Lbn - LastLCN;
|
|
|
|
|
LastLCN = Lbn;
|
|
|
|
|
|
|
|
|
|
// now we need to determine how to represent DataRunOffset with the minimum number of bytes
|
|
|
|
|
DPRINT("Determining how many bytes needed to represent %I64x\n", DataRunOffset);
|
|
|
|
|
DataRunOffsetSize = GetPackedByteCount(DataRunOffset, TRUE);
|
|
|
|
|
DPRINT("%d bytes needed.\n", DataRunOffsetSize);
|
|
|
|
|
|
|
|
|
|
// determine how to represent DataRunLengthSize with the minimum number of bytes
|
|
|
|
|
DPRINT("Determining how many bytes needed to represent %I64x\n", Count);
|
|
|
|
|
DataRunLengthSize = GetPackedByteCount(Count, TRUE);
|
|
|
|
|
DPRINT("%d bytes needed.\n", DataRunLengthSize);
|
|
|
|
|
|
2017-05-12 22:16:20 +00:00
|
|
|
// ensure the next data run + end marker would be <= Max buffer size
|
2016-07-14 15:20:48 +00:00
|
|
|
if (RunBufferOffset + 2 + DataRunLengthSize + DataRunOffsetSize > MaxBufferSize)
|
|
|
|
|
{
|
|
|
|
|
Status = STATUS_BUFFER_TOO_SMALL;
|
|
|
|
|
DPRINT1("FIXME: Ran out of room in buffer for data runs!\n");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// pack and copy the control byte
|
|
|
|
|
ControlByte = (DataRunOffsetSize << 4) + DataRunLengthSize;
|
|
|
|
|
RunBuffer[RunBufferOffset++] = ControlByte;
|
|
|
|
|
|
|
|
|
|
// copy DataRunLength
|
|
|
|
|
RtlCopyMemory(RunBuffer + RunBufferOffset, &Count, DataRunLengthSize);
|
|
|
|
|
RunBufferOffset += DataRunLengthSize;
|
|
|
|
|
|
|
|
|
|
// copy DataRunOffset
|
|
|
|
|
RtlCopyMemory(RunBuffer + RunBufferOffset, &DataRunOffset, DataRunOffsetSize);
|
|
|
|
|
RunBufferOffset += DataRunOffsetSize;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// End of data runs
|
|
|
|
|
RunBuffer[RunBufferOffset++] = 0;
|
|
|
|
|
|
|
|
|
|
*UsedBufferSize = RunBufferOffset;
|
|
|
|
|
DPRINT("New Size of DataRuns: %ld\n", *UsedBufferSize);
|
|
|
|
|
|
|
|
|
|
return Status;
|
2016-06-29 16:35:36 +00:00
|
|
|
}
|
|
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
PUCHAR
|
|
|
|
|
DecodeRun(PUCHAR DataRun,
|
|
|
|
|
LONGLONG *DataRunOffset,
|
|
|
|
|
ULONGLONG *DataRunLength)
|
2003-09-15 16:01:16 +00:00
|
|
|
{
|
2014-09-26 13:57:29 +00:00
|
|
|
UCHAR DataRunOffsetSize;
|
|
|
|
|
UCHAR DataRunLengthSize;
|
|
|
|
|
CHAR i;
|
|
|
|
|
|
|
|
|
|
DataRunOffsetSize = (*DataRun >> 4) & 0xF;
|
|
|
|
|
DataRunLengthSize = *DataRun & 0xF;
|
|
|
|
|
*DataRunOffset = 0;
|
|
|
|
|
*DataRunLength = 0;
|
|
|
|
|
DataRun++;
|
|
|
|
|
for (i = 0; i < DataRunLengthSize; i++)
|
|
|
|
|
{
|
|
|
|
|
*DataRunLength += ((ULONG64)*DataRun) << (i * 8);
|
|
|
|
|
DataRun++;
|
|
|
|
|
}
|
2003-09-15 16:01:16 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
/* NTFS 3+ sparse files */
|
|
|
|
|
if (DataRunOffsetSize == 0)
|
|
|
|
|
{
|
|
|
|
|
*DataRunOffset = -1;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
for (i = 0; i < DataRunOffsetSize - 1; i++)
|
|
|
|
|
{
|
|
|
|
|
*DataRunOffset += ((ULONG64)*DataRun) << (i * 8);
|
|
|
|
|
DataRun++;
|
|
|
|
|
}
|
|
|
|
|
/* The last byte contains sign so we must process it different way. */
|
|
|
|
|
*DataRunOffset = ((LONG64)(CHAR)(*(DataRun++)) << (i * 8)) + *DataRunOffset;
|
|
|
|
|
}
|
2003-09-15 16:01:16 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
DPRINT("DataRunOffsetSize: %x\n", DataRunOffsetSize);
|
|
|
|
|
DPRINT("DataRunLengthSize: %x\n", DataRunLengthSize);
|
|
|
|
|
DPRINT("DataRunOffset: %x\n", *DataRunOffset);
|
|
|
|
|
DPRINT("DataRunLength: %x\n", *DataRunLength);
|
2003-09-15 16:01:16 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
return DataRun;
|
2003-09-15 16:01:16 +00:00
|
|
|
}
|
|
|
|
|
|
2003-11-12 15:30:21 +00:00
|
|
|
BOOLEAN
|
2014-09-26 13:57:29 +00:00
|
|
|
FindRun(PNTFS_ATTR_RECORD NresAttr,
|
2013-06-16 12:15:06 +00:00
|
|
|
ULONGLONG vcn,
|
|
|
|
|
PULONGLONG lcn,
|
|
|
|
|
PULONGLONG count)
|
2003-11-12 15:30:21 +00:00
|
|
|
{
|
2014-09-26 13:57:29 +00:00
|
|
|
if (vcn < NresAttr->NonResident.LowestVCN || vcn > NresAttr->NonResident.HighestVCN)
|
2013-06-16 12:15:06 +00:00
|
|
|
return FALSE;
|
2003-11-12 15:30:21 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
DecodeRun((PUCHAR)((ULONG_PTR)NresAttr + NresAttr->NonResident.MappingPairsOffset), (PLONGLONG)lcn, count);
|
2013-06-16 12:15:06 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
return TRUE;
|
2003-11-12 15:30:21 +00:00
|
|
|
}
|
|
|
|
|
|
2016-07-19 15:31:22 +00:00
|
|
|
/**
|
|
|
|
|
* @name FreeClusters
|
|
|
|
|
* @implemented
|
|
|
|
|
*
|
|
|
|
|
* Shrinks the allocation size of a non-resident attribute by a given number of clusters.
|
|
|
|
|
* Frees the clusters from the volume's $BITMAP file as well as the attribute's data runs.
|
|
|
|
|
*
|
|
|
|
|
* @param Vcb
|
|
|
|
|
* Pointer to an NTFS_VCB for the destination volume.
|
|
|
|
|
*
|
|
|
|
|
* @param AttrContext
|
|
|
|
|
* Pointer to an NTFS_ATTR_CONTEXT describing the attribute from which the clusters will be freed.
|
|
|
|
|
*
|
|
|
|
|
* @param AttrOffset
|
|
|
|
|
* Byte offset of the destination attribute relative to its file record.
|
|
|
|
|
*
|
|
|
|
|
* @param FileRecord
|
|
|
|
|
* Pointer to a complete copy of the file record containing the attribute. Must be at least
|
|
|
|
|
* Vcb->NtfsInfo.BytesPerFileRecord bytes long.
|
|
|
|
|
*
|
|
|
|
|
* @param ClustersToFree
|
|
|
|
|
* Number of clusters that should be freed from the end of the data stream. Must be no more
|
|
|
|
|
* Than the number of clusters assigned to the attribute (HighestVCN + 1).
|
|
|
|
|
*
|
|
|
|
|
* @return
|
|
|
|
|
* STATUS_SUCCESS on success. STATUS_INVALID_PARAMETER if AttrContext describes a resident attribute,
|
|
|
|
|
* or if the caller requested more clusters be freed than the attribute has been allocated.
|
2016-08-22 08:11:12 +00:00
|
|
|
* STATUS_INSUFFICIENT_RESOURCES if allocating a buffer for the data runs fails or
|
|
|
|
|
* if ConvertDataRunsToLargeMCB() fails.
|
2016-07-19 15:31:22 +00:00
|
|
|
* STATUS_BUFFER_TOO_SMALL if ConvertLargeMCBToDataRuns() fails.
|
|
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
NTSTATUS
|
|
|
|
|
FreeClusters(PNTFS_VCB Vcb,
|
|
|
|
|
PNTFS_ATTR_CONTEXT AttrContext,
|
|
|
|
|
ULONG AttrOffset,
|
|
|
|
|
PFILE_RECORD_HEADER FileRecord,
|
|
|
|
|
ULONG ClustersToFree)
|
|
|
|
|
{
|
|
|
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
|
ULONG ClustersLeftToFree = ClustersToFree;
|
|
|
|
|
|
|
|
|
|
PNTFS_ATTR_RECORD DestinationAttribute = (PNTFS_ATTR_RECORD)((ULONG_PTR)FileRecord + AttrOffset);
|
|
|
|
|
ULONG NextAttributeOffset = AttrOffset + AttrContext->Record.Length;
|
|
|
|
|
PNTFS_ATTR_RECORD NextAttribute = (PNTFS_ATTR_RECORD)((ULONG_PTR)FileRecord + NextAttributeOffset);
|
|
|
|
|
|
2016-08-22 08:11:12 +00:00
|
|
|
PUCHAR RunBuffer;
|
2017-05-12 22:16:20 +00:00
|
|
|
ULONG RunBufferSize = 0;
|
2016-07-19 15:31:22 +00:00
|
|
|
|
|
|
|
|
PFILE_RECORD_HEADER BitmapRecord;
|
|
|
|
|
PNTFS_ATTR_CONTEXT DataContext;
|
|
|
|
|
ULONGLONG BitmapDataSize;
|
|
|
|
|
PUCHAR BitmapData;
|
|
|
|
|
RTL_BITMAP Bitmap;
|
|
|
|
|
ULONG LengthWritten;
|
|
|
|
|
|
|
|
|
|
if (!AttrContext->Record.IsNonResident)
|
|
|
|
|
{
|
|
|
|
|
return STATUS_INVALID_PARAMETER;
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-12 22:16:20 +00:00
|
|
|
// Read the $Bitmap file
|
2016-07-19 15:31:22 +00:00
|
|
|
BitmapRecord = ExAllocatePoolWithTag(NonPagedPool,
|
|
|
|
|
Vcb->NtfsInfo.BytesPerFileRecord,
|
|
|
|
|
TAG_NTFS);
|
|
|
|
|
if (BitmapRecord == NULL)
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("Error: Unable to allocate memory for bitmap file record!\n");
|
|
|
|
|
return STATUS_NO_MEMORY;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Status = ReadFileRecord(Vcb, NTFS_FILE_BITMAP, BitmapRecord);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("Error: Unable to read file record for bitmap!\n");
|
|
|
|
|
ExFreePoolWithTag(BitmapRecord, TAG_NTFS);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Status = FindAttribute(Vcb, BitmapRecord, AttributeData, L"", 0, &DataContext, NULL);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("Error: Unable to find data attribute for bitmap file!\n");
|
|
|
|
|
ExFreePoolWithTag(BitmapRecord, TAG_NTFS);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
BitmapDataSize = AttributeDataLength(&DataContext->Record);
|
|
|
|
|
BitmapDataSize = min(BitmapDataSize, 0xffffffff);
|
|
|
|
|
ASSERT((BitmapDataSize * 8) >= Vcb->NtfsInfo.ClusterCount);
|
|
|
|
|
BitmapData = ExAllocatePoolWithTag(NonPagedPool, ROUND_UP(BitmapDataSize, Vcb->NtfsInfo.BytesPerSector), TAG_NTFS);
|
|
|
|
|
if (BitmapData == NULL)
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("Error: Unable to allocate memory for bitmap file data!\n");
|
|
|
|
|
ReleaseAttributeContext(DataContext);
|
|
|
|
|
ExFreePoolWithTag(BitmapRecord, TAG_NTFS);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ReadAttribute(Vcb, DataContext, 0, (PCHAR)BitmapData, (ULONG)BitmapDataSize);
|
|
|
|
|
|
|
|
|
|
RtlInitializeBitMap(&Bitmap, (PULONG)BitmapData, Vcb->NtfsInfo.ClusterCount);
|
|
|
|
|
|
|
|
|
|
// free clusters in $BITMAP file
|
|
|
|
|
while (ClustersLeftToFree > 0)
|
|
|
|
|
{
|
|
|
|
|
LONGLONG LargeVbn, LargeLbn;
|
|
|
|
|
|
2017-05-12 22:16:20 +00:00
|
|
|
if (!FsRtlLookupLastLargeMcbEntry(&AttrContext->DataRunsMCB, &LargeVbn, &LargeLbn))
|
2016-07-19 15:31:22 +00:00
|
|
|
{
|
|
|
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
|
|
|
DPRINT1("DRIVER ERROR: FreeClusters called to free %lu clusters, which is %lu more clusters than are assigned to attribute!",
|
|
|
|
|
ClustersToFree,
|
|
|
|
|
ClustersLeftToFree);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if( LargeLbn != -1)
|
|
|
|
|
{
|
|
|
|
|
// deallocate this cluster
|
|
|
|
|
RtlClearBits(&Bitmap, LargeLbn, 1);
|
|
|
|
|
}
|
2017-05-12 22:16:20 +00:00
|
|
|
FsRtlTruncateLargeMcb(&AttrContext->DataRunsMCB, AttrContext->Record.NonResident.HighestVCN);
|
|
|
|
|
|
|
|
|
|
// decrement HighestVCN, but don't let it go below 0
|
2016-07-19 15:31:22 +00:00
|
|
|
AttrContext->Record.NonResident.HighestVCN = min(AttrContext->Record.NonResident.HighestVCN, AttrContext->Record.NonResident.HighestVCN - 1);
|
|
|
|
|
ClustersLeftToFree--;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// update $BITMAP file on disk
|
|
|
|
|
Status = WriteAttribute(Vcb, DataContext, 0, BitmapData, (ULONG)BitmapDataSize, &LengthWritten);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
ReleaseAttributeContext(DataContext);
|
|
|
|
|
ExFreePoolWithTag(BitmapData, TAG_NTFS);
|
|
|
|
|
ExFreePoolWithTag(BitmapRecord, TAG_NTFS);
|
|
|
|
|
return Status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ReleaseAttributeContext(DataContext);
|
|
|
|
|
ExFreePoolWithTag(BitmapData, TAG_NTFS);
|
|
|
|
|
ExFreePoolWithTag(BitmapRecord, TAG_NTFS);
|
2017-05-12 22:16:20 +00:00
|
|
|
|
|
|
|
|
// Save updated data runs to file record
|
|
|
|
|
|
|
|
|
|
// Allocate some memory for a new RunBuffer
|
|
|
|
|
RunBuffer = ExAllocatePoolWithTag(NonPagedPool, Vcb->NtfsInfo.BytesPerFileRecord, TAG_NTFS);
|
|
|
|
|
if (!RunBuffer)
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("ERROR: Couldn't allocate memory for data runs!\n");
|
|
|
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
|
|
|
}
|
2016-07-19 15:31:22 +00:00
|
|
|
|
|
|
|
|
// Convert the map control block back to encoded data runs
|
2017-05-12 22:16:20 +00:00
|
|
|
ConvertLargeMCBToDataRuns(&AttrContext->DataRunsMCB, RunBuffer, Vcb->NtfsInfo.BytesPerCluster, &RunBufferSize);
|
2016-07-19 15:31:22 +00:00
|
|
|
|
|
|
|
|
// Update HighestVCN
|
|
|
|
|
DestinationAttribute->NonResident.HighestVCN = AttrContext->Record.NonResident.HighestVCN;
|
|
|
|
|
|
|
|
|
|
// Write data runs to destination attribute
|
|
|
|
|
RtlCopyMemory((PVOID)((ULONG_PTR)DestinationAttribute + DestinationAttribute->NonResident.MappingPairsOffset),
|
|
|
|
|
RunBuffer,
|
2017-05-12 22:16:20 +00:00
|
|
|
RunBufferSize);
|
2016-07-19 15:31:22 +00:00
|
|
|
|
2017-05-12 22:16:20 +00:00
|
|
|
// Is DestinationAttribute the last attribute in the file record?
|
2016-07-19 15:31:22 +00:00
|
|
|
if (NextAttribute->Type == AttributeEnd)
|
|
|
|
|
{
|
|
|
|
|
// update attribute length
|
2017-05-12 22:16:20 +00:00
|
|
|
AttrContext->Record.Length = ALIGN_UP_BY(AttrContext->Record.NonResident.MappingPairsOffset + RunBufferSize, 8);
|
2016-07-19 15:31:22 +00:00
|
|
|
DestinationAttribute->Length = AttrContext->Record.Length;
|
|
|
|
|
|
|
|
|
|
// write end markers
|
|
|
|
|
NextAttribute = (PNTFS_ATTR_RECORD)((ULONG_PTR)DestinationAttribute + DestinationAttribute->Length);
|
2017-05-12 22:16:20 +00:00
|
|
|
SetFileRecordEnd(FileRecord, NextAttribute, FILE_RECORD_END);
|
2016-07-19 15:31:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Update the file record
|
|
|
|
|
Status = UpdateFileRecord(Vcb, AttrContext->FileMFTIndex, FileRecord);
|
|
|
|
|
|
|
|
|
|
ExFreePoolWithTag(RunBuffer, TAG_NTFS);
|
|
|
|
|
|
|
|
|
|
NtfsDumpDataRuns((PUCHAR)((ULONG_PTR)DestinationAttribute + DestinationAttribute->NonResident.MappingPairsOffset), 0);
|
|
|
|
|
|
|
|
|
|
return Status;
|
|
|
|
|
}
|
|
|
|
|
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
static
|
|
|
|
|
NTSTATUS
|
|
|
|
|
InternalReadNonResidentAttributes(PFIND_ATTR_CONTXT Context)
|
|
|
|
|
{
|
|
|
|
|
ULONGLONG ListSize;
|
|
|
|
|
PNTFS_ATTR_RECORD Attribute;
|
|
|
|
|
PNTFS_ATTR_CONTEXT ListContext;
|
|
|
|
|
|
|
|
|
|
DPRINT("InternalReadNonResidentAttributes(%p)\n", Context);
|
|
|
|
|
|
|
|
|
|
Attribute = Context->CurrAttr;
|
|
|
|
|
ASSERT(Attribute->Type == AttributeAttributeList);
|
|
|
|
|
|
|
|
|
|
if (Context->OnlyResident)
|
|
|
|
|
{
|
|
|
|
|
Context->NonResidentStart = NULL;
|
|
|
|
|
Context->NonResidentEnd = NULL;
|
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (Context->NonResidentStart != NULL)
|
|
|
|
|
{
|
|
|
|
|
return STATUS_FILE_CORRUPT_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ListContext = PrepareAttributeContext(Attribute);
|
|
|
|
|
ListSize = AttributeDataLength(&ListContext->Record);
|
|
|
|
|
if (ListSize > 0xFFFFFFFF)
|
|
|
|
|
{
|
|
|
|
|
ReleaseAttributeContext(ListContext);
|
|
|
|
|
return STATUS_BUFFER_OVERFLOW;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Context->NonResidentStart = ExAllocatePoolWithTag(NonPagedPool, (ULONG)ListSize, TAG_NTFS);
|
|
|
|
|
if (Context->NonResidentStart == NULL)
|
|
|
|
|
{
|
|
|
|
|
ReleaseAttributeContext(ListContext);
|
|
|
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ReadAttribute(Context->Vcb, ListContext, 0, (PCHAR)Context->NonResidentStart, (ULONG)ListSize) != ListSize)
|
|
|
|
|
{
|
|
|
|
|
ExFreePoolWithTag(Context->NonResidentStart, TAG_NTFS);
|
|
|
|
|
Context->NonResidentStart = NULL;
|
|
|
|
|
ReleaseAttributeContext(ListContext);
|
|
|
|
|
return STATUS_FILE_CORRUPT_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ReleaseAttributeContext(ListContext);
|
|
|
|
|
Context->NonResidentEnd = (PNTFS_ATTR_RECORD)((PCHAR)Context->NonResidentStart + ListSize);
|
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static
|
|
|
|
|
PNTFS_ATTR_RECORD
|
|
|
|
|
InternalGetNextAttribute(PFIND_ATTR_CONTXT Context)
|
|
|
|
|
{
|
2016-06-22 21:20:50 +00:00
|
|
|
PNTFS_ATTR_RECORD NextAttribute;
|
|
|
|
|
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
if (Context->CurrAttr == (PVOID)-1)
|
|
|
|
|
{
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (Context->CurrAttr >= Context->FirstAttr &&
|
|
|
|
|
Context->CurrAttr < Context->LastAttr)
|
|
|
|
|
{
|
|
|
|
|
if (Context->CurrAttr->Length == 0)
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("Broken length!\n");
|
|
|
|
|
Context->CurrAttr = (PVOID)-1;
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-22 21:20:50 +00:00
|
|
|
NextAttribute = (PNTFS_ATTR_RECORD)((ULONG_PTR)Context->CurrAttr + Context->CurrAttr->Length);
|
2016-07-12 09:57:16 +00:00
|
|
|
|
|
|
|
|
if (NextAttribute > Context->LastAttr || NextAttribute < Context->FirstAttr)
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("Broken length: 0x%lx!\n", Context->CurrAttr->Length);
|
|
|
|
|
Context->CurrAttr = (PVOID)-1;
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-22 21:20:50 +00:00
|
|
|
Context->Offset += ((ULONG_PTR)NextAttribute - (ULONG_PTR)Context->CurrAttr);
|
|
|
|
|
Context->CurrAttr = NextAttribute;
|
|
|
|
|
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
if (Context->CurrAttr < Context->LastAttr &&
|
|
|
|
|
Context->CurrAttr->Type != AttributeEnd)
|
|
|
|
|
{
|
|
|
|
|
return Context->CurrAttr;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (Context->NonResidentStart == NULL)
|
|
|
|
|
{
|
|
|
|
|
Context->CurrAttr = (PVOID)-1;
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (Context->CurrAttr < Context->NonResidentStart ||
|
|
|
|
|
Context->CurrAttr >= Context->NonResidentEnd)
|
|
|
|
|
{
|
|
|
|
|
Context->CurrAttr = Context->NonResidentStart;
|
|
|
|
|
}
|
|
|
|
|
else if (Context->CurrAttr->Length != 0)
|
|
|
|
|
{
|
2016-06-22 21:20:50 +00:00
|
|
|
NextAttribute = (PNTFS_ATTR_RECORD)((ULONG_PTR)Context->CurrAttr + Context->CurrAttr->Length);
|
|
|
|
|
Context->Offset += ((ULONG_PTR)NextAttribute - (ULONG_PTR)Context->CurrAttr);
|
|
|
|
|
Context->CurrAttr = NextAttribute;
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("Broken length!\n");
|
|
|
|
|
Context->CurrAttr = (PVOID)-1;
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (Context->CurrAttr < Context->NonResidentEnd &&
|
|
|
|
|
Context->CurrAttr->Type != AttributeEnd)
|
|
|
|
|
{
|
|
|
|
|
return Context->CurrAttr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Context->CurrAttr = (PVOID)-1;
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
|
|
|
FindFirstAttribute(PFIND_ATTR_CONTXT Context,
|
|
|
|
|
PDEVICE_EXTENSION Vcb,
|
|
|
|
|
PFILE_RECORD_HEADER FileRecord,
|
|
|
|
|
BOOLEAN OnlyResident,
|
|
|
|
|
PNTFS_ATTR_RECORD * Attribute)
|
|
|
|
|
{
|
|
|
|
|
NTSTATUS Status;
|
|
|
|
|
|
|
|
|
|
DPRINT("FindFistAttribute(%p, %p, %p, %p, %u, %p)\n", Context, Vcb, FileRecord, OnlyResident, Attribute);
|
|
|
|
|
|
|
|
|
|
Context->Vcb = Vcb;
|
|
|
|
|
Context->OnlyResident = OnlyResident;
|
|
|
|
|
Context->FirstAttr = (PNTFS_ATTR_RECORD)((ULONG_PTR)FileRecord + FileRecord->AttributeOffset);
|
|
|
|
|
Context->CurrAttr = Context->FirstAttr;
|
|
|
|
|
Context->LastAttr = (PNTFS_ATTR_RECORD)((ULONG_PTR)FileRecord + FileRecord->BytesInUse);
|
|
|
|
|
Context->NonResidentStart = NULL;
|
|
|
|
|
Context->NonResidentEnd = NULL;
|
2016-06-22 21:20:50 +00:00
|
|
|
Context->Offset = FileRecord->AttributeOffset;
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
|
|
|
|
|
if (Context->FirstAttr->Type == AttributeEnd)
|
|
|
|
|
{
|
|
|
|
|
Context->CurrAttr = (PVOID)-1;
|
|
|
|
|
return STATUS_END_OF_FILE;
|
|
|
|
|
}
|
|
|
|
|
else if (Context->FirstAttr->Type == AttributeAttributeList)
|
|
|
|
|
{
|
|
|
|
|
Status = InternalReadNonResidentAttributes(Context);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
return Status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*Attribute = InternalGetNextAttribute(Context);
|
|
|
|
|
if (*Attribute == NULL)
|
|
|
|
|
{
|
|
|
|
|
return STATUS_END_OF_FILE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
*Attribute = Context->CurrAttr;
|
2016-06-22 21:20:50 +00:00
|
|
|
Context->Offset = (UCHAR*)Context->CurrAttr - (UCHAR*)FileRecord;
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
|
|
|
FindNextAttribute(PFIND_ATTR_CONTXT Context,
|
|
|
|
|
PNTFS_ATTR_RECORD * Attribute)
|
|
|
|
|
{
|
|
|
|
|
NTSTATUS Status;
|
|
|
|
|
|
|
|
|
|
DPRINT("FindNextAttribute(%p, %p)\n", Context, Attribute);
|
|
|
|
|
|
|
|
|
|
*Attribute = InternalGetNextAttribute(Context);
|
|
|
|
|
if (*Attribute == NULL)
|
|
|
|
|
{
|
|
|
|
|
return STATUS_END_OF_FILE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (Context->CurrAttr->Type != AttributeAttributeList)
|
|
|
|
|
{
|
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Status = InternalReadNonResidentAttributes(Context);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
return Status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*Attribute = InternalGetNextAttribute(Context);
|
|
|
|
|
if (*Attribute == NULL)
|
|
|
|
|
{
|
|
|
|
|
return STATUS_END_OF_FILE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
VOID
|
|
|
|
|
FindCloseAttribute(PFIND_ATTR_CONTXT Context)
|
|
|
|
|
{
|
|
|
|
|
if (Context->NonResidentStart != NULL)
|
|
|
|
|
{
|
|
|
|
|
ExFreePoolWithTag(Context->NonResidentStart, TAG_NTFS);
|
|
|
|
|
Context->NonResidentStart = NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
2003-11-12 15:30:21 +00:00
|
|
|
|
2013-06-16 12:15:06 +00:00
|
|
|
static
|
|
|
|
|
VOID
|
2014-09-26 13:57:29 +00:00
|
|
|
NtfsDumpFileNameAttribute(PNTFS_ATTR_RECORD Attribute)
|
2003-01-17 18:51:13 +00:00
|
|
|
{
|
2013-06-16 12:15:06 +00:00
|
|
|
PFILENAME_ATTRIBUTE FileNameAttr;
|
2003-01-17 18:51:13 +00:00
|
|
|
|
2013-06-16 12:15:06 +00:00
|
|
|
DbgPrint(" $FILE_NAME ");
|
2003-01-17 18:51:13 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
// DbgPrint(" Length %lu Offset %hu ", Attribute->Resident.ValueLength, Attribute->Resident.ValueOffset);
|
2003-01-17 18:51:13 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
FileNameAttr = (PFILENAME_ATTRIBUTE)((ULONG_PTR)Attribute + Attribute->Resident.ValueOffset);
|
2014-12-08 18:44:29 +00:00
|
|
|
DbgPrint(" (%x) '%.*S' ", FileNameAttr->NameType, FileNameAttr->NameLength, FileNameAttr->Name);
|
2016-06-22 21:20:50 +00:00
|
|
|
DbgPrint(" '%x' \n", FileNameAttr->FileAttributes);
|
|
|
|
|
DbgPrint(" AllocatedSize: %I64u\nDataSize: %I64u\n", FileNameAttr->AllocatedSize, FileNameAttr->DataSize);
|
2017-06-09 03:14:30 +00:00
|
|
|
DbgPrint(" File reference: 0x%016I64x\n", FileNameAttr->DirectoryFileReferenceNumber);
|
2014-12-08 18:44:29 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static
|
|
|
|
|
VOID
|
|
|
|
|
NtfsDumpStandardInformationAttribute(PNTFS_ATTR_RECORD Attribute)
|
|
|
|
|
{
|
|
|
|
|
PSTANDARD_INFORMATION StandardInfoAttr;
|
|
|
|
|
|
|
|
|
|
DbgPrint(" $STANDARD_INFORMATION ");
|
|
|
|
|
|
|
|
|
|
// DbgPrint(" Length %lu Offset %hu ", Attribute->Resident.ValueLength, Attribute->Resident.ValueOffset);
|
|
|
|
|
|
|
|
|
|
StandardInfoAttr = (PSTANDARD_INFORMATION)((ULONG_PTR)Attribute + Attribute->Resident.ValueOffset);
|
|
|
|
|
DbgPrint(" '%x' ", StandardInfoAttr->FileAttribute);
|
2003-01-17 18:51:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2013-06-16 12:15:06 +00:00
|
|
|
static
|
|
|
|
|
VOID
|
2014-09-26 13:57:29 +00:00
|
|
|
NtfsDumpVolumeNameAttribute(PNTFS_ATTR_RECORD Attribute)
|
2003-01-17 18:51:13 +00:00
|
|
|
{
|
2013-06-16 12:15:06 +00:00
|
|
|
PWCHAR VolumeName;
|
2003-01-17 18:51:13 +00:00
|
|
|
|
2013-06-16 12:15:06 +00:00
|
|
|
DbgPrint(" $VOLUME_NAME ");
|
2003-01-17 18:51:13 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
// DbgPrint(" Length %lu Offset %hu ", Attribute->Resident.ValueLength, Attribute->Resident.ValueOffset);
|
2003-01-17 18:51:13 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
VolumeName = (PWCHAR)((ULONG_PTR)Attribute + Attribute->Resident.ValueOffset);
|
|
|
|
|
DbgPrint(" '%.*S' ", Attribute->Resident.ValueLength / sizeof(WCHAR), VolumeName);
|
2003-01-17 18:51:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2013-06-16 12:15:06 +00:00
|
|
|
static
|
|
|
|
|
VOID
|
2014-09-26 13:57:29 +00:00
|
|
|
NtfsDumpVolumeInformationAttribute(PNTFS_ATTR_RECORD Attribute)
|
2003-01-17 18:51:13 +00:00
|
|
|
{
|
2013-06-16 12:15:06 +00:00
|
|
|
PVOLINFO_ATTRIBUTE VolInfoAttr;
|
2003-01-17 18:51:13 +00:00
|
|
|
|
2013-06-16 12:15:06 +00:00
|
|
|
DbgPrint(" $VOLUME_INFORMATION ");
|
2003-01-17 18:51:13 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
// DbgPrint(" Length %lu Offset %hu ", Attribute->Resident.ValueLength, Attribute->Resident.ValueOffset);
|
2003-01-17 18:51:13 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
VolInfoAttr = (PVOLINFO_ATTRIBUTE)((ULONG_PTR)Attribute + Attribute->Resident.ValueOffset);
|
2013-06-16 12:15:06 +00:00
|
|
|
DbgPrint(" NTFS Version %u.%u Flags 0x%04hx ",
|
|
|
|
|
VolInfoAttr->MajorVersion,
|
|
|
|
|
VolInfoAttr->MinorVersion,
|
|
|
|
|
VolInfoAttr->Flags);
|
2003-01-17 18:51:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2014-09-22 19:59:45 +00:00
|
|
|
static
|
|
|
|
|
VOID
|
2014-09-26 13:57:29 +00:00
|
|
|
NtfsDumpIndexRootAttribute(PNTFS_ATTR_RECORD Attribute)
|
2014-09-22 19:59:45 +00:00
|
|
|
{
|
|
|
|
|
PINDEX_ROOT_ATTRIBUTE IndexRootAttr;
|
2017-06-09 03:14:30 +00:00
|
|
|
ULONG currentOffset;
|
|
|
|
|
ULONG currentNode;
|
2014-09-22 19:59:45 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
IndexRootAttr = (PINDEX_ROOT_ATTRIBUTE)((ULONG_PTR)Attribute + Attribute->Resident.ValueOffset);
|
2014-09-22 19:59:45 +00:00
|
|
|
|
|
|
|
|
if (IndexRootAttr->AttributeType == AttributeFileName)
|
|
|
|
|
ASSERT(IndexRootAttr->CollationRule == COLLATION_FILE_NAME);
|
|
|
|
|
|
2017-06-09 03:14:30 +00:00
|
|
|
DbgPrint(" $INDEX_ROOT (%u bytes per index record, %u clusters) ", IndexRootAttr->SizeOfEntry, IndexRootAttr->ClustersPerIndexRecord);
|
2014-09-22 20:26:21 +00:00
|
|
|
|
|
|
|
|
if (IndexRootAttr->Header.Flags == INDEX_ROOT_SMALL)
|
|
|
|
|
{
|
2017-06-09 03:14:30 +00:00
|
|
|
DbgPrint(" (small)\n");
|
2014-09-22 20:26:21 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
ASSERT(IndexRootAttr->Header.Flags == INDEX_ROOT_LARGE);
|
2017-06-09 03:14:30 +00:00
|
|
|
DbgPrint(" (large)\n");
|
2014-09-22 20:26:21 +00:00
|
|
|
}
|
2017-06-09 03:14:30 +00:00
|
|
|
|
|
|
|
|
DbgPrint(" Offset to first index: 0x%lx\n Total size of index entries: 0x%lx\n Allocated size of node: 0x%lx\n",
|
|
|
|
|
IndexRootAttr->Header.FirstEntryOffset,
|
|
|
|
|
IndexRootAttr->Header.TotalSizeOfEntries,
|
|
|
|
|
IndexRootAttr->Header.AllocatedSize);
|
|
|
|
|
currentOffset = IndexRootAttr->Header.FirstEntryOffset;
|
|
|
|
|
currentNode = 0;
|
|
|
|
|
// print details of every node in the index
|
|
|
|
|
while (currentOffset < IndexRootAttr->Header.TotalSizeOfEntries)
|
|
|
|
|
{
|
|
|
|
|
PINDEX_ENTRY_ATTRIBUTE currentIndexExtry = (PINDEX_ENTRY_ATTRIBUTE)((ULONG_PTR)IndexRootAttr + 0x10 + currentOffset);
|
|
|
|
|
DbgPrint(" Index Node Entry %u", currentNode++);
|
|
|
|
|
if (currentIndexExtry->Flags & NTFS_INDEX_ENTRY_NODE)
|
|
|
|
|
DbgPrint(" (Branch)");
|
|
|
|
|
else
|
|
|
|
|
DbgPrint(" (Leaf)");
|
|
|
|
|
if((currentIndexExtry->Flags & NTFS_INDEX_ENTRY_END))
|
|
|
|
|
{
|
|
|
|
|
DbgPrint(" (Dummy Key)");
|
|
|
|
|
}
|
|
|
|
|
DbgPrint("\n File Reference: 0x%016I64x\n", currentIndexExtry->Data.Directory.IndexedFile);
|
|
|
|
|
DbgPrint(" Index Entry Length: 0x%x\n", currentIndexExtry->Length);
|
|
|
|
|
DbgPrint(" Index Key Length: 0x%x\n", currentIndexExtry->KeyLength);
|
|
|
|
|
|
|
|
|
|
// if this isn't the final (dummy) node, print info about the key (Filename attribute)
|
|
|
|
|
if (!(currentIndexExtry->Flags & NTFS_INDEX_ENTRY_END))
|
|
|
|
|
{
|
|
|
|
|
UNICODE_STRING Name;
|
|
|
|
|
DbgPrint(" Parent File Reference: 0x%016I64x\n", currentIndexExtry->FileName.DirectoryFileReferenceNumber);
|
|
|
|
|
DbgPrint(" $FILENAME indexed: ");
|
|
|
|
|
Name.Length = currentIndexExtry->FileName.NameLength * sizeof(WCHAR);
|
|
|
|
|
Name.MaximumLength = Name.Length;
|
|
|
|
|
Name.Buffer = currentIndexExtry->FileName.Name;
|
|
|
|
|
DbgPrint("'%wZ'\n", &Name);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// if this node has a sub-node beneath it
|
|
|
|
|
if (currentIndexExtry->Flags & NTFS_INDEX_ENTRY_NODE)
|
|
|
|
|
{
|
|
|
|
|
// Print the VCN of the sub-node
|
|
|
|
|
PULONGLONG SubNodeVCN = (PULONGLONG)((ULONG_PTR)currentIndexExtry + currentIndexExtry->Length - 8);
|
|
|
|
|
DbgPrint(" VCN of sub-node: 0x%llx\n", *SubNodeVCN);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
currentOffset += currentIndexExtry->Length;
|
|
|
|
|
ASSERT(currentIndexExtry->Length);
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-22 19:59:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2015-06-27 15:06:25 +00:00
|
|
|
static
|
|
|
|
|
VOID
|
|
|
|
|
NtfsDumpAttribute(PDEVICE_EXTENSION Vcb,
|
|
|
|
|
PNTFS_ATTR_RECORD Attribute)
|
2002-07-15 15:37:33 +00:00
|
|
|
{
|
2013-06-16 12:15:06 +00:00
|
|
|
UNICODE_STRING Name;
|
2003-11-12 15:30:21 +00:00
|
|
|
|
2013-06-16 12:15:06 +00:00
|
|
|
ULONGLONG lcn = 0;
|
|
|
|
|
ULONGLONG runcount = 0;
|
2002-07-15 15:37:33 +00:00
|
|
|
|
2014-09-26 13:57:29 +00:00
|
|
|
switch (Attribute->Type)
|
2002-07-15 15:37:33 +00:00
|
|
|
{
|
2013-06-16 12:15:06 +00:00
|
|
|
case AttributeFileName:
|
|
|
|
|
NtfsDumpFileNameAttribute(Attribute);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeStandardInformation:
|
2014-12-08 18:44:29 +00:00
|
|
|
NtfsDumpStandardInformationAttribute(Attribute);
|
2013-06-16 12:15:06 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeObjectId:
|
|
|
|
|
DbgPrint(" $OBJECT_ID ");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeSecurityDescriptor:
|
|
|
|
|
DbgPrint(" $SECURITY_DESCRIPTOR ");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeVolumeName:
|
|
|
|
|
NtfsDumpVolumeNameAttribute(Attribute);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeVolumeInformation:
|
|
|
|
|
NtfsDumpVolumeInformationAttribute(Attribute);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeData:
|
|
|
|
|
DbgPrint(" $DATA ");
|
|
|
|
|
//DataBuf = ExAllocatePool(NonPagedPool,AttributeLengthAllocated(Attribute));
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeIndexRoot:
|
2014-09-22 19:59:45 +00:00
|
|
|
NtfsDumpIndexRootAttribute(Attribute);
|
2013-06-16 12:15:06 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeIndexAllocation:
|
|
|
|
|
DbgPrint(" $INDEX_ALLOCATION ");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeBitmap:
|
|
|
|
|
DbgPrint(" $BITMAP ");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeReparsePoint:
|
|
|
|
|
DbgPrint(" $REPARSE_POINT ");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeEAInformation:
|
|
|
|
|
DbgPrint(" $EA_INFORMATION ");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeEA:
|
|
|
|
|
DbgPrint(" $EA ");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributePropertySet:
|
|
|
|
|
DbgPrint(" $PROPERTY_SET ");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AttributeLoggedUtilityStream:
|
|
|
|
|
DbgPrint(" $LOGGED_UTILITY_STREAM ");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
DbgPrint(" Attribute %lx ",
|
2014-09-26 13:57:29 +00:00
|
|
|
Attribute->Type);
|
2013-06-16 12:15:06 +00:00
|
|
|
break;
|
2002-07-15 15:37:33 +00:00
|
|
|
}
|
|
|
|
|
|
2015-06-27 15:06:25 +00:00
|
|
|
if (Attribute->Type != AttributeAttributeList)
|
2002-07-15 15:37:33 +00:00
|
|
|
{
|
2015-06-27 15:06:25 +00:00
|
|
|
if (Attribute->NameLength != 0)
|
|
|
|
|
{
|
|
|
|
|
Name.Length = Attribute->NameLength * sizeof(WCHAR);
|
|
|
|
|
Name.MaximumLength = Name.Length;
|
|
|
|
|
Name.Buffer = (PWCHAR)((ULONG_PTR)Attribute + Attribute->NameOffset);
|
2002-07-15 15:37:33 +00:00
|
|
|
|
2015-06-27 15:06:25 +00:00
|
|
|
DbgPrint("'%wZ' ", &Name);
|
|
|
|
|
}
|
2002-07-15 15:37:33 +00:00
|
|
|
|
2015-06-27 15:06:25 +00:00
|
|
|
DbgPrint("(%s)\n",
|
|
|
|
|
Attribute->IsNonResident ? "non-resident" : "resident");
|
2002-07-15 15:37:33 +00:00
|
|
|
|
2015-06-27 15:06:25 +00:00
|
|
|
if (Attribute->IsNonResident)
|
|
|
|
|
{
|
|
|
|
|
FindRun(Attribute,0,&lcn, &runcount);
|
2002-07-15 15:37:33 +00:00
|
|
|
|
2016-06-22 21:20:50 +00:00
|
|
|
DbgPrint(" AllocatedSize %I64u DataSize %I64u InitilizedSize %I64u\n",
|
|
|
|
|
Attribute->NonResident.AllocatedSize, Attribute->NonResident.DataSize, Attribute->NonResident.InitializedSize);
|
2015-06-27 15:06:25 +00:00
|
|
|
DbgPrint(" logical clusters: %I64u - %I64u\n",
|
|
|
|
|
lcn, lcn + runcount - 1);
|
|
|
|
|
}
|
2016-07-05 07:00:43 +00:00
|
|
|
else
|
|
|
|
|
DbgPrint(" %u bytes of data\n", Attribute->Resident.ValueLength);
|
2003-11-12 15:30:21 +00:00
|
|
|
}
|
|
|
|
|
}
|
2003-09-15 16:01:16 +00:00
|
|
|
|
|
|
|
|
|
2016-07-13 11:51:16 +00:00
|
|
|
VOID NtfsDumpDataRunData(PUCHAR DataRun)
|
|
|
|
|
{
|
|
|
|
|
UCHAR DataRunOffsetSize;
|
|
|
|
|
UCHAR DataRunLengthSize;
|
|
|
|
|
CHAR i;
|
|
|
|
|
|
|
|
|
|
DbgPrint("%02x ", *DataRun);
|
|
|
|
|
|
|
|
|
|
if (*DataRun == 0)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
DataRunOffsetSize = (*DataRun >> 4) & 0xF;
|
|
|
|
|
DataRunLengthSize = *DataRun & 0xF;
|
|
|
|
|
|
|
|
|
|
DataRun++;
|
|
|
|
|
for (i = 0; i < DataRunLengthSize; i++)
|
|
|
|
|
{
|
|
|
|
|
DbgPrint("%02x ", *DataRun);
|
|
|
|
|
DataRun++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < DataRunOffsetSize; i++)
|
|
|
|
|
{
|
|
|
|
|
DbgPrint("%02x ", *DataRun);
|
|
|
|
|
DataRun++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NtfsDumpDataRunData(DataRun);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
VOID
|
|
|
|
|
NtfsDumpDataRuns(PVOID StartOfRun,
|
|
|
|
|
ULONGLONG CurrentLCN)
|
|
|
|
|
{
|
|
|
|
|
PUCHAR DataRun = StartOfRun;
|
|
|
|
|
LONGLONG DataRunOffset;
|
|
|
|
|
ULONGLONG DataRunLength;
|
|
|
|
|
|
|
|
|
|
if (CurrentLCN == 0)
|
|
|
|
|
{
|
|
|
|
|
DPRINT1("Dumping data runs.\n\tData:\n\t\t");
|
|
|
|
|
NtfsDumpDataRunData(StartOfRun);
|
|
|
|
|
DbgPrint("\n\tRuns:\n\t\tOff\t\tLCN\t\tLength\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DataRun = DecodeRun(DataRun, &DataRunOffset, &DataRunLength);
|
|
|
|
|
|
|
|
|
|
if (DataRunOffset != -1)
|
|
|
|
|
CurrentLCN += DataRunOffset;
|
|
|
|
|
|
|
|
|
|
DbgPrint("\t\t%I64d\t", DataRunOffset);
|
|
|
|
|
if (DataRunOffset < 99999)
|
|
|
|
|
DbgPrint("\t");
|
|
|
|
|
DbgPrint("%I64u\t", CurrentLCN);
|
|
|
|
|
if (CurrentLCN < 99999)
|
|
|
|
|
DbgPrint("\t");
|
|
|
|
|
DbgPrint("%I64u\n", DataRunLength);
|
|
|
|
|
|
|
|
|
|
if (*DataRun == 0)
|
|
|
|
|
DbgPrint("\t\t00\n");
|
|
|
|
|
else
|
|
|
|
|
NtfsDumpDataRuns(DataRun, CurrentLCN);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-11-12 15:30:21 +00:00
|
|
|
VOID
|
2015-06-27 15:06:25 +00:00
|
|
|
NtfsDumpFileAttributes(PDEVICE_EXTENSION Vcb,
|
|
|
|
|
PFILE_RECORD_HEADER FileRecord)
|
2003-11-12 15:30:21 +00:00
|
|
|
{
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
NTSTATUS Status;
|
|
|
|
|
FIND_ATTR_CONTXT Context;
|
2014-09-26 13:57:29 +00:00
|
|
|
PNTFS_ATTR_RECORD Attribute;
|
2003-09-15 16:01:16 +00:00
|
|
|
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
Status = FindFirstAttribute(&Context, Vcb, FileRecord, FALSE, &Attribute);
|
|
|
|
|
while (NT_SUCCESS(Status))
|
2003-11-12 15:30:21 +00:00
|
|
|
{
|
2015-06-27 15:06:25 +00:00
|
|
|
NtfsDumpAttribute(Vcb, Attribute);
|
2002-07-15 15:37:33 +00:00
|
|
|
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
Status = FindNextAttribute(&Context, &Attribute);
|
2003-11-12 15:30:21 +00:00
|
|
|
}
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
|
|
|
|
|
FindCloseAttribute(&Context);
|
2002-07-15 15:37:33 +00:00
|
|
|
}
|
|
|
|
|
|
2014-10-08 19:12:48 +00:00
|
|
|
PFILENAME_ATTRIBUTE
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
GetFileNameFromRecord(PDEVICE_EXTENSION Vcb,
|
|
|
|
|
PFILE_RECORD_HEADER FileRecord,
|
|
|
|
|
UCHAR NameType)
|
2014-10-08 19:12:48 +00:00
|
|
|
{
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
FIND_ATTR_CONTXT Context;
|
2014-10-08 19:12:48 +00:00
|
|
|
PNTFS_ATTR_RECORD Attribute;
|
2014-10-26 19:10:17 +00:00
|
|
|
PFILENAME_ATTRIBUTE Name;
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
NTSTATUS Status;
|
2014-10-08 19:12:48 +00:00
|
|
|
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
Status = FindFirstAttribute(&Context, Vcb, FileRecord, FALSE, &Attribute);
|
|
|
|
|
while (NT_SUCCESS(Status))
|
2014-10-08 19:12:48 +00:00
|
|
|
{
|
|
|
|
|
if (Attribute->Type == AttributeFileName)
|
2014-10-26 19:10:17 +00:00
|
|
|
{
|
|
|
|
|
Name = (PFILENAME_ATTRIBUTE)((ULONG_PTR)Attribute + Attribute->Resident.ValueOffset);
|
|
|
|
|
if (Name->NameType == NameType ||
|
|
|
|
|
(Name->NameType == NTFS_FILE_NAME_WIN32_AND_DOS && NameType == NTFS_FILE_NAME_WIN32) ||
|
|
|
|
|
(Name->NameType == NTFS_FILE_NAME_WIN32_AND_DOS && NameType == NTFS_FILE_NAME_DOS))
|
|
|
|
|
{
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
FindCloseAttribute(&Context);
|
2014-10-26 19:10:17 +00:00
|
|
|
return Name;
|
|
|
|
|
}
|
|
|
|
|
}
|
2014-10-08 19:12:48 +00:00
|
|
|
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
Status = FindNextAttribute(&Context, &Attribute);
|
2014-10-08 19:12:48 +00:00
|
|
|
}
|
|
|
|
|
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
FindCloseAttribute(&Context);
|
2014-10-08 19:12:48 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2016-07-13 11:51:16 +00:00
|
|
|
/**
|
|
|
|
|
* GetPackedByteCount
|
|
|
|
|
* Returns the minimum number of bytes needed to represent the value of a
|
|
|
|
|
* 64-bit number. Used to encode data runs.
|
|
|
|
|
*/
|
|
|
|
|
UCHAR
|
|
|
|
|
GetPackedByteCount(LONGLONG NumberToPack,
|
|
|
|
|
BOOLEAN IsSigned)
|
|
|
|
|
{
|
|
|
|
|
int bytes = 0;
|
|
|
|
|
if (!IsSigned)
|
|
|
|
|
{
|
|
|
|
|
if (NumberToPack >= 0x0100000000000000)
|
|
|
|
|
return 8;
|
|
|
|
|
if (NumberToPack >= 0x0001000000000000)
|
|
|
|
|
return 7;
|
|
|
|
|
if (NumberToPack >= 0x0000010000000000)
|
|
|
|
|
return 6;
|
|
|
|
|
if (NumberToPack >= 0x0000000100000000)
|
|
|
|
|
return 5;
|
|
|
|
|
if (NumberToPack >= 0x0000000001000000)
|
|
|
|
|
return 4;
|
|
|
|
|
if (NumberToPack >= 0x0000000000010000)
|
|
|
|
|
return 3;
|
|
|
|
|
if (NumberToPack >= 0x0000000000000100)
|
|
|
|
|
return 2;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (NumberToPack > 0)
|
|
|
|
|
{
|
|
|
|
|
// we have to make sure the number that gets encoded won't be interpreted as negative
|
|
|
|
|
if (NumberToPack >= 0x0080000000000000)
|
|
|
|
|
return 8;
|
|
|
|
|
if (NumberToPack >= 0x0000800000000000)
|
|
|
|
|
return 7;
|
|
|
|
|
if (NumberToPack >= 0x0000008000000000)
|
|
|
|
|
return 6;
|
|
|
|
|
if (NumberToPack >= 0x0000000080000000)
|
|
|
|
|
return 5;
|
|
|
|
|
if (NumberToPack >= 0x0000000000800000)
|
|
|
|
|
return 4;
|
|
|
|
|
if (NumberToPack >= 0x0000000000008000)
|
|
|
|
|
return 3;
|
|
|
|
|
if (NumberToPack >= 0x0000000000000080)
|
|
|
|
|
return 2;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
// negative number
|
|
|
|
|
if (NumberToPack <= 0xff80000000000000)
|
|
|
|
|
return 8;
|
|
|
|
|
if (NumberToPack <= 0xffff800000000000)
|
|
|
|
|
return 7;
|
|
|
|
|
if (NumberToPack <= 0xffffff8000000000)
|
|
|
|
|
return 6;
|
|
|
|
|
if (NumberToPack <= 0xffffffff80000000)
|
|
|
|
|
return 5;
|
|
|
|
|
if (NumberToPack <= 0xffffffffff800000)
|
|
|
|
|
return 4;
|
|
|
|
|
if (NumberToPack <= 0xffffffffffff8000)
|
|
|
|
|
return 3;
|
|
|
|
|
if (NumberToPack <= 0xffffffffffffff80)
|
|
|
|
|
return 2;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return bytes;
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-29 16:35:36 +00:00
|
|
|
NTSTATUS
|
|
|
|
|
GetLastClusterInDataRun(PDEVICE_EXTENSION Vcb, PNTFS_ATTR_RECORD Attribute, PULONGLONG LastCluster)
|
|
|
|
|
{
|
|
|
|
|
LONGLONG DataRunOffset;
|
|
|
|
|
ULONGLONG DataRunLength;
|
|
|
|
|
LONGLONG DataRunStartLCN;
|
|
|
|
|
|
|
|
|
|
ULONGLONG LastLCN = 0;
|
|
|
|
|
PUCHAR DataRun = (PUCHAR)Attribute + Attribute->NonResident.MappingPairsOffset;
|
|
|
|
|
|
|
|
|
|
if (!Attribute->IsNonResident)
|
|
|
|
|
return STATUS_INVALID_PARAMETER;
|
|
|
|
|
|
|
|
|
|
while (1)
|
|
|
|
|
{
|
|
|
|
|
DataRun = DecodeRun(DataRun, &DataRunOffset, &DataRunLength);
|
|
|
|
|
|
2016-07-08 11:59:25 +00:00
|
|
|
if (DataRunOffset != -1)
|
2016-06-29 16:35:36 +00:00
|
|
|
{
|
|
|
|
|
// Normal data run.
|
|
|
|
|
DataRunStartLCN = LastLCN + DataRunOffset;
|
|
|
|
|
LastLCN = DataRunStartLCN;
|
2016-07-08 11:59:25 +00:00
|
|
|
*LastCluster = LastLCN + DataRunLength - 1;
|
2016-06-29 16:35:36 +00:00
|
|
|
}
|
|
|
|
|
|
2016-07-08 11:59:25 +00:00
|
|
|
if (*DataRun == 0)
|
2016-06-29 16:35:36 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2014-12-08 19:19:30 +00:00
|
|
|
PSTANDARD_INFORMATION
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
GetStandardInformationFromRecord(PDEVICE_EXTENSION Vcb,
|
|
|
|
|
PFILE_RECORD_HEADER FileRecord)
|
2014-12-08 19:19:30 +00:00
|
|
|
{
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
NTSTATUS Status;
|
|
|
|
|
FIND_ATTR_CONTXT Context;
|
2014-12-08 19:19:30 +00:00
|
|
|
PNTFS_ATTR_RECORD Attribute;
|
|
|
|
|
PSTANDARD_INFORMATION StdInfo;
|
|
|
|
|
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
Status = FindFirstAttribute(&Context, Vcb, FileRecord, FALSE, &Attribute);
|
|
|
|
|
while (NT_SUCCESS(Status))
|
2014-12-08 19:19:30 +00:00
|
|
|
{
|
|
|
|
|
if (Attribute->Type == AttributeStandardInformation)
|
|
|
|
|
{
|
|
|
|
|
StdInfo = (PSTANDARD_INFORMATION)((ULONG_PTR)Attribute + Attribute->Resident.ValueOffset);
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
FindCloseAttribute(&Context);
|
2014-12-08 19:19:30 +00:00
|
|
|
return StdInfo;
|
|
|
|
|
}
|
|
|
|
|
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
Status = FindNextAttribute(&Context, &Attribute);
|
2014-12-08 19:19:30 +00:00
|
|
|
}
|
|
|
|
|
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
FindCloseAttribute(&Context);
|
2014-12-08 19:19:30 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2014-11-23 14:07:08 +00:00
|
|
|
PFILENAME_ATTRIBUTE
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
GetBestFileNameFromRecord(PDEVICE_EXTENSION Vcb,
|
|
|
|
|
PFILE_RECORD_HEADER FileRecord)
|
2014-11-23 14:07:08 +00:00
|
|
|
{
|
|
|
|
|
PFILENAME_ATTRIBUTE FileName;
|
|
|
|
|
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
FileName = GetFileNameFromRecord(Vcb, FileRecord, NTFS_FILE_NAME_POSIX);
|
2014-11-23 14:07:08 +00:00
|
|
|
if (FileName == NULL)
|
|
|
|
|
{
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
FileName = GetFileNameFromRecord(Vcb, FileRecord, NTFS_FILE_NAME_WIN32);
|
2014-11-23 14:07:08 +00:00
|
|
|
if (FileName == NULL)
|
|
|
|
|
{
|
[NTFS]
Totally rewrite the way MFT records attributes are handled.
Up to now, we were having really similar loops, only looking at the resident part of the attribute list, not really caring about how the loop was going.
This was leading to some issues:
- In case the attribute we were looking for was stored in the non-resident part of the attribute list, we would miss it (excepted in the case of FindAttribute() which was properly browsing the whole attribute list).
- In the specific case of FindAttribute(), one would have been able to setup a broken MFT record with the resident attribute list pointing on the non resident attribute list which itself would point to the resident attribute list. In such case, the driver would loop forever caught on the loop, allocating tones of memory. It was possible to trigger this by user space, from a non-privileged user, just by browsing the right directory entry.
- In the case of the other loops (non FindAttribute()), another issue (other than missing attributes) was present, one would have been able to setup a broken MFT record with an attribute of null-length. This would have caused the driver to loop forever on the attribute list. This could be triggered from usermode too. And could be triggered by a non-privileged user.
This commit introduces a new set of functions for attributes browsing: FindFirstAttribute(), FindNextAttribute(), FindCloseAttribute(). It allows safely browsing attributes and handles broken cases. It also performs reading of the attribute list when present and makes sure there's only one read. This method should be the only one to use to browse the attributes.
The whole NTFS code base has been converted to use this newly set of functions. This really simplifies the implementation of FindAttribute(), and prevent unsafe code duplication.
CORE-10037 #resolve #comment Fixed with r68829
svn path=/trunk/; revision=68829
2015-08-26 18:20:04 +00:00
|
|
|
FileName = GetFileNameFromRecord(Vcb, FileRecord, NTFS_FILE_NAME_DOS);
|
2014-11-23 14:07:08 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return FileName;
|
|
|
|
|
}
|
|
|
|
|
|
2002-07-15 15:37:33 +00:00
|
|
|
/* EOF */
|