From 06e01c8968fe7ca25d0449b0021d7ed055f6082c Mon Sep 17 00:00:00 2001
From: James Tabor
Date: Thu, 18 Jun 2020 11:06:31 -0500
Subject: [PATCH] [NtUser] Fix Crash in Win32k

Use strict thread and desktop verifying. See CORE-15092 and CORE-17133.
---
 win32ss/user/ntuser/misc.c | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/win32ss/user/ntuser/misc.c b/win32ss/user/ntuser/misc.c
index 72706fa7f84..196ea416e79 100644
--- a/win32ss/user/ntuser/misc.c
+++ b/win32ss/user/ntuser/misc.c
@@ -377,8 +377,7 @@ NtUserGetGUIThreadInfo(
     GUITHREADINFO SafeGui;
     PDESKTOP Desktop;
     PUSER_MESSAGE_QUEUE MsgQueue;
-    PTHREADINFO W32Thread;
-    PETHREAD Thread = NULL;
+    PTHREADINFO W32Thread, pti;
 
     DECLARE_RETURN(BOOLEAN);
 
@@ -400,23 +399,26 @@ NtUserGetGUIThreadInfo(
 
     if (idThread)
     {
-        Status = PsLookupThreadByThreadId((HANDLE)(DWORD_PTR)idThread, &Thread);
-        if(!NT_SUCCESS(Status))
+        pti = PsGetCurrentThreadWin32Thread();
+
+        // Validate Tread ID
+        W32Thread = IntTID2PTI((HANDLE)idThread);
+
+        if ( !W32Thread )
         {
-            EngSetLastError(ERROR_ACCESS_DENIED);
-            RETURN( FALSE);
+            EngSetLastError(ERROR_ACCESS_DENIED);
+            RETURN( FALSE);
         }
-        W32Thread = (PTHREADINFO)Thread->Tcb.Win32Thread;
+
         Desktop = W32Thread->rpdesk;
-        if (!Thread || !Desktop )
+        // Check Desktop and it must be the same as current.
+        if ( !Desktop || Desktop != pti->rpdesk )
         {
-            if(Thread)
-                ObDereferenceObject(Thread);
-            EngSetLastError(ERROR_ACCESS_DENIED);
-            RETURN( FALSE);
+            EngSetLastError(ERROR_ACCESS_DENIED);
+            RETURN( FALSE);
         }
-
+
         if ( W32Thread->MessageQueue )
             MsgQueue = W32Thread->MessageQueue;
         else
@@ -480,9 +482,6 @@ NtUserGetGUIThreadInfo(
         SafeGui.rcCaret.right = SafeGui.rcCaret.left + CaretInfo->Size.cx;
         SafeGui.rcCaret.bottom = SafeGui.rcCaret.top + CaretInfo->Size.cy;
 
-    if (idThread)
-        ObDereferenceObject(Thread);
-
     Status = MmCopyToCaller(lpgui, &SafeGui, sizeof(GUITHREADINFO));
     if(!NT_SUCCESS(Status))
     {
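Review bot: The new lookup `W32Thread = IntTID2PTI((HANDLE)idThread);` in the second hunk drops the `(DWORD_PTR)` widening that the removed PsLookupThreadByThreadId call used; if idThread is the 32-bit DWORD of the public GetGUIThreadInfo prototype, a direct cast to HANDLE is an int-to-pointer cast of mismatched size on 64-bit builds, so I would keep `W32Thread = IntTID2PTI((HANDLE)(DWORD_PTR)idThread);`. The change also stops holding an ETHREAD reference on the target thread, so the returned PTHREADINFO (and the `pti->rpdesk` comparison, which assumes the caller's own win32 thread is initialised) stays valid for the rest of the function only while the user lock guards the thread list — the lock entry is outside this hunk, so that should be confirmed before relying on it. Minor: the comment reads `// Validate Tread ID`; make it `// Validate thread ID`. NtUserGetGUIThreadInfo starts before and continues after this hunk.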