Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-12-29 02:25:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

- use inlined probing macros for basic types

Browse source 
- documented dozens of vulnerabilities in NtOpenThread, NtCreateThread and NtOpenProcess (owner may fix them)

svn path=/trunk/; revision=17462
This commit is contained in:
Thomas Bluemel 2005-08-21 15:38:47 +00:00
parent 6e74d05c08
commit 10cd89fb4e
7 changed files with 129 additions and 78 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
reactos/ntoskrnl/ps/job.c
View file

@ -216,10 +216,7 @@ NtCreateJobObject (
{ {
_SEH_TRY _SEH_TRY
{ {
/* probe with 32bit alignment */ ProbeForWriteHandle(JobHandle);
ProbeForWrite(JobHandle,
sizeof(HANDLE),
sizeof(ULONG));
} }
_SEH_HANDLE _SEH_HANDLE
{ {
@ -389,10 +386,7 @@ NtOpenJobObject (
{ {
_SEH_TRY _SEH_TRY
{ {
/* probe with 32bit alignment */ ProbeForWriteHandle(JobHandle);
ProbeForWrite(JobHandle,
sizeof(HANDLE),
sizeof(ULONG));
} }
_SEH_HANDLE _SEH_HANDLE
{ {

113
reactos/ntoskrnl/ps/locale.c
View file

@ -199,28 +199,40 @@ NTSTATUS STDCALL
NtQueryDefaultLocale(IN BOOLEAN UserProfile, NtQueryDefaultLocale(IN BOOLEAN UserProfile,
OUT PLCID DefaultLocaleId) OUT PLCID DefaultLocaleId)
{ {
PAGED_CODE(); NTSTATUS Status = STATUS_SUCCESS;
if (DefaultLocaleId == NULL) PAGED_CODE();
return STATUS_UNSUCCESSFUL;
if (UserProfile) _SEH_TRY
{ {
if (!PsDefaultThreadLocaleInitialized) if (KeGetPreviousMode() != KernelMode)
{ {
PiInitThreadLocale(); ProbeForWriteLangid(DefaultLocaleId);
} }
if (UserProfile)
{
if (!PsDefaultThreadLocaleInitialized)
{
PiInitThreadLocale();
}
/* set thread locale */ /* set thread locale */
*DefaultLocaleId = PsDefaultThreadLocaleId; *DefaultLocaleId = PsDefaultThreadLocaleId;
}
else
{
/* set system locale */
*DefaultLocaleId = PsDefaultSystemLocaleId;
}
} }
else _SEH_EXCEPT(_SEH_ExSystemExceptionFilter)
{ {
/* set system locale */ Status = _SEH_GetExceptionCode();
*DefaultLocaleId = PsDefaultSystemLocaleId;
} }
_SEH_END;
return STATUS_SUCCESS; return Status;
} }
@ -353,16 +365,36 @@ NtQueryDefaultUILanguage(OUT PLANGID LanguageId)
ULONG Value; ULONG Value;
HANDLE UserKey; HANDLE UserKey;
HANDLE KeyHandle; HANDLE KeyHandle;
NTSTATUS Status; NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE(); PAGED_CODE();
_SEH_TRY
{
if (KeGetPreviousMode() != KernelMode)
{
ProbeForWriteLangid(LanguageId);
}
*LanguageId = PsInstallUILanguageId;
}
_SEH_EXCEPT(_SEH_ExSystemExceptionFilter)
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
return Status;
}
Status = RtlOpenCurrentUser(KEY_READ, Status = RtlOpenCurrentUser(KEY_READ,
&UserKey); &UserKey);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
*LanguageId = PsInstallUILanguageId; Value = PsInstallUILanguageId;
return STATUS_SUCCESS; goto ReturnSuccess;
} }
InitializeObjectAttributes(&ObjectAttributes, InitializeObjectAttributes(&ObjectAttributes,
@ -375,8 +407,8 @@ NtQueryDefaultUILanguage(OUT PLANGID LanguageId)
&ObjectAttributes); &ObjectAttributes);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
*LanguageId = PsInstallUILanguageId; Value = PsInstallUILanguageId;
return STATUS_SUCCESS; goto ReturnSuccess;
} }
ValueInfo = (PKEY_VALUE_PARTIAL_INFORMATION)ValueBuffer; ValueInfo = (PKEY_VALUE_PARTIAL_INFORMATION)ValueBuffer;
@ -393,8 +425,8 @@ NtQueryDefaultUILanguage(OUT PLANGID LanguageId)
if (!NT_SUCCESS(Status) || ValueInfo->Type != REG_SZ) if (!NT_SUCCESS(Status) || ValueInfo->Type != REG_SZ)
{ {
*LanguageId = PsInstallUILanguageId; Value = PsInstallUILanguageId;
return STATUS_SUCCESS; goto ReturnSuccess;
} }
ValueString.Length = ValueInfo->DataLength; ValueString.Length = ValueInfo->DataLength;
@ -406,15 +438,25 @@ NtQueryDefaultUILanguage(OUT PLANGID LanguageId)
&Value); &Value);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
*LanguageId = PsInstallUILanguageId; Value = PsInstallUILanguageId;
return STATUS_SUCCESS; goto ReturnSuccess;
} }
DPRINT("Default language id: %04lx\n", Value); DPRINT("Default language id: %04lx\n", Value);
*LanguageId = Value; ReturnSuccess:
_SEH_TRY
{
*LanguageId = Value;
Status = STATUS_SUCCESS;
}
_SEH_EXCEPT(_SEH_ExSystemExceptionFilter)
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
return STATUS_SUCCESS; return Status;
} }
@ -424,11 +466,26 @@ NtQueryDefaultUILanguage(OUT PLANGID LanguageId)
NTSTATUS STDCALL NTSTATUS STDCALL
NtQueryInstallUILanguage(OUT PLANGID LanguageId) NtQueryInstallUILanguage(OUT PLANGID LanguageId)
{ {
PAGED_CODE(); NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE();
*LanguageId = PsInstallUILanguageId; _SEH_TRY
{
if (KeGetPreviousMode() != KernelMode)
{
ProbeForWriteLangid(LanguageId);
}
return STATUS_SUCCESS; *LanguageId = PsInstallUILanguageId;
}
_SEH_EXCEPT(_SEH_ExSystemExceptionFilter)
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
return Status;
} }

38
reactos/ntoskrnl/ps/process.c
View file

@ -870,6 +870,7 @@ NtCreateProcess(OUT PHANDLE ProcessHandle,
IN HANDLE DebugPort OPTIONAL, IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL) IN HANDLE ExceptionPort OPTIONAL)
{ {
HANDLE hProcess;
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode(); KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
NTSTATUS Status = STATUS_SUCCESS; NTSTATUS Status = STATUS_SUCCESS;
@ -880,9 +881,7 @@ NtCreateProcess(OUT PHANDLE ProcessHandle,
{ {
_SEH_TRY _SEH_TRY
{ {
ProbeForWrite(ProcessHandle, ProbeForWriteHandle(ProcessHandle);
sizeof(HANDLE),
sizeof(ULONG));
} }
_SEH_HANDLE _SEH_HANDLE
{ {
@ -901,8 +900,9 @@ NtCreateProcess(OUT PHANDLE ProcessHandle,
} }
else else
{ {
/* Create a user Process */ /* Create a user Process, do NOT pass the pointer to the handle supplied
Status = PspCreateProcess(ProcessHandle, by the caller directly!!! */
Status = PspCreateProcess(&hProcess,
DesiredAccess, DesiredAccess,
ObjectAttributes, ObjectAttributes,
ParentProcess, ParentProcess,
@ -910,6 +910,18 @@ NtCreateProcess(OUT PHANDLE ProcessHandle,
SectionHandle, SectionHandle,
DebugPort, DebugPort,
ExceptionPort); ExceptionPort);
if (NT_SUCCESS(Status))
{
_SEH_TRY
{
*ProcessHandle = hProcess;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
}
} }
/* Return Status */ /* Return Status */
@ -940,7 +952,7 @@ NtOpenProcess(OUT PHANDLE ProcessHandle,
/* Open by name if one was given */ /* Open by name if one was given */
DPRINT("Checking type\n"); DPRINT("Checking type\n");
if (ObjectAttributes->ObjectName) if (ObjectAttributes->ObjectName) /* FIXME - neither probed nor protected! */
{ {
/* Open it */ /* Open it */
DPRINT("Opening by name\n"); DPRINT("Opening by name\n");
@ -964,11 +976,11 @@ NtOpenProcess(OUT PHANDLE ProcessHandle,
else if (ClientId) else if (ClientId)
{ {
/* Open by Thread ID */ /* Open by Thread ID */
if (ClientId->UniqueThread) if (ClientId->UniqueThread) /* FIXME - neither probed nor protected! */
{ {
/* Get the Process */ /* Get the Process */
DPRINT("Opening by Thread ID: %x\n", ClientId->UniqueThread); DPRINT("Opening by Thread ID: %x\n", ClientId->UniqueThread); /* FIXME - neither probed nor protected! */
Status = PsLookupProcessThreadByCid(ClientId, Status = PsLookupProcessThreadByCid(ClientId, /* FIXME - neither probed nor protected! */
&Process, &Process,
&Thread); &Thread);
DPRINT("Found: %x\n", Process); DPRINT("Found: %x\n", Process);
@ -976,8 +988,8 @@ NtOpenProcess(OUT PHANDLE ProcessHandle,
else else
{ {
/* Get the Process */ /* Get the Process */
DPRINT("Opening by Process ID: %x\n", ClientId->UniqueProcess); DPRINT("Opening by Process ID: %x\n", ClientId->UniqueProcess); /* FIXME - neither probed nor protected! */
Status = PsLookupProcessByProcessId(ClientId->UniqueProcess, Status = PsLookupProcessByProcessId(ClientId->UniqueProcess, /* FIXME - neither probed nor protected! */
&Process); &Process);
DPRINT("Found: %x\n", Process); DPRINT("Found: %x\n", Process);
} }
@ -990,12 +1002,12 @@ NtOpenProcess(OUT PHANDLE ProcessHandle,
/* Open the Process Object */ /* Open the Process Object */
Status = ObOpenObjectByPointer(Process, Status = ObOpenObjectByPointer(Process,
ObjectAttributes->Attributes, ObjectAttributes->Attributes, /* FIXME - neither probed nor protected! */
NULL, NULL,
DesiredAccess, DesiredAccess,
PsProcessType, PsProcessType,
PreviousMode, PreviousMode,
ProcessHandle); ProcessHandle); /* FIXME - neither probed nor protected! */
if(!NT_SUCCESS(Status)) if(!NT_SUCCESS(Status))
{ {
DPRINT1("Failure to open process\n"); DPRINT1("Failure to open process\n");

4
reactos/ntoskrnl/ps/query.c
View file

@ -1303,9 +1303,7 @@ NtQueryInformationThread (IN HANDLE ThreadHandle,
1); 1);
if (ReturnLength != NULL) if (ReturnLength != NULL)
{ {
ProbeForWrite(ReturnLength, ProbeForWriteUlong(ReturnLength);
sizeof(ULONG),
sizeof(ULONG));
} }
} }
_SEH_HANDLE _SEH_HANDLE

4
reactos/ntoskrnl/ps/security.c
View file

@ -79,9 +79,7 @@ NtOpenProcessTokenEx(IN HANDLE ProcessHandle,
{ {
_SEH_TRY _SEH_TRY
{ {
ProbeForWrite(TokenHandle, ProbeForWriteHandle(TokenHandle);
sizeof(HANDLE),
sizeof(ULONG));
} }
_SEH_HANDLE _SEH_HANDLE
{ {

8
reactos/ntoskrnl/ps/suspend.c
View file

@ -49,9 +49,7 @@ NtResumeThread(IN HANDLE ThreadHandle,
_SEH_TRY { _SEH_TRY {
ProbeForWrite(SuspendCount, ProbeForWriteUlong(SuspendCount);
sizeof(ULONG),
sizeof(ULONG));
} _SEH_HANDLE { } _SEH_HANDLE {
Status = _SEH_GetExceptionCode(); Status = _SEH_GetExceptionCode();
@ -124,9 +122,7 @@ NtSuspendThread(IN HANDLE ThreadHandle,
{ {
_SEH_TRY _SEH_TRY
{ {
ProbeForWrite(PreviousSuspendCount, ProbeForWriteUlong(PreviousSuspendCount);
sizeof(ULONG),
sizeof(ULONG));
} }
_SEH_HANDLE _SEH_HANDLE
{ {

30
reactos/ntoskrnl/ps/thread.c
View file

@ -597,9 +597,7 @@ NtCreateThread(OUT PHANDLE ThreadHandle,
_SEH_TRY { _SEH_TRY {
ProbeForWrite(ThreadHandle, ProbeForWriteHandle(ThreadHandle);
sizeof(HANDLE),
sizeof(ULONG));
if(ClientId != NULL) { if(ClientId != NULL) {
@ -632,18 +630,18 @@ NtCreateThread(OUT PHANDLE ThreadHandle,
} }
/* Use probed data for the Initial TEB */ /* Use probed data for the Initial TEB */
SafeInitialTeb = *InitialTeb; SafeInitialTeb = *InitialTeb; /* FIXME - not protected! */
InitialTeb = &SafeInitialTeb; InitialTeb = &SafeInitialTeb;
/* Call the shared function */ /* Call the shared function */
return PspCreateThread(ThreadHandle, return PspCreateThread(ThreadHandle, /* FIXME - not protected! */
DesiredAccess, DesiredAccess,
ObjectAttributes, ObjectAttributes,
ProcessHandle, ProcessHandle,
NULL, NULL,
ClientId, ClientId, /* FIXME - not protected! */
ThreadContext, ThreadContext, /* FIXME - not protected! */
InitialTeb, InitialTeb, /* FIXME - not protected! */
CreateSuspended, CreateSuspended,
NULL, NULL,
NULL); NULL);
@ -672,9 +670,7 @@ NtOpenThread(OUT PHANDLE ThreadHandle,
{ {
_SEH_TRY _SEH_TRY
{ {
ProbeForWrite(ThreadHandle, ProbeForWriteHandle(ThreadHandle);
sizeof(HANDLE),
sizeof(ULONG));
if(ClientId != NULL) if(ClientId != NULL)
{ {
@ -696,7 +692,7 @@ NtOpenThread(OUT PHANDLE ThreadHandle,
} }
/* Open by name if one was given */ /* Open by name if one was given */
if (ObjectAttributes->ObjectName) if (ObjectAttributes->ObjectName) /* FIXME - neither probed nor protected! */
{ {
/* Open it */ /* Open it */
Status = ObOpenObjectByName(ObjectAttributes, Status = ObOpenObjectByName(ObjectAttributes,
@ -711,18 +707,18 @@ NtOpenThread(OUT PHANDLE ThreadHandle,
{ {
DPRINT1("Could not open object by name\n"); DPRINT1("Could not open object by name\n");
} }
/* FIXME - would be a good idea to return the handle in case of success! */
/* Return Status */ /* Return Status */
return(Status); return(Status);
} }
else if (ClientId) else if (ClientId)
{ {
/* Open by Thread ID */ /* Open by Thread ID */
if (ClientId->UniqueProcess) if (ClientId->UniqueProcess) /* FIXME - neither probed nor protected! */
{ {
/* Get the Process */ /* Get the Process */
DPRINT("Opening by Process ID: %x\n", ClientId->UniqueProcess); DPRINT("Opening by Process ID: %x\n", ClientId->UniqueProcess); /* FIXME - neither probed nor protected! */
Status = PsLookupProcessThreadByCid(ClientId, Status = PsLookupProcessThreadByCid(ClientId, /* FIXME - neither probed nor protected! */
NULL, NULL,
&Thread); &Thread);
} }
@ -742,7 +738,7 @@ NtOpenThread(OUT PHANDLE ThreadHandle,
/* Open the Thread Object */ /* Open the Thread Object */
Status = ObOpenObjectByPointer(Thread, Status = ObOpenObjectByPointer(Thread,
ObjectAttributes->Attributes, ObjectAttributes->Attributes, /* FIXME - neither probed nor protected! */
NULL, NULL,
DesiredAccess, DesiredAccess,
PsThreadType, PsThreadType,