Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-08-03 20:56:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

[NDK] Match AUX_ACCESS_DATA definition with publicly available version.

Browse source 
Looks like public symbols contain this structure starting with Win7,
so we can deduce what it looked like in Win2003.
Note that our previous definition was missing a second ULONG at the
end, which can be seen in the SeQueryInfoToken kmtest -- if you
allocated only sizeof(AUX_ACCESS_DATA), the test would crash with
a 4 byte buffer overflow.
This commit is contained in:
Thomas Faber 2023-05-27 18:24:29 -04:00 committed by Timo Kreuzer
parent ff410211e9
commit 156053cafd
5 changed files with 45 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

6
ntoskrnl/ob/obhandle.c
View file

@ -1647,8 +1647,8 @@ ObpCreateHandle(IN OB_OPEN_REASON OpenReason,
if (OpenReason == ObCreateHandle)
{
/* Check if we need to audit the privileges */
if ((AuxData->PrivilegeSet) &&
(AuxData->PrivilegeSet->PrivilegeCount))
if ((AuxData->PrivilegesUsed) &&
(AuxData->PrivilegesUsed->PrivilegeCount))
{
/* Do the audit */
#if 0
@ -1656,7 +1656,7 @@ ObpCreateHandle(IN OB_OPEN_REASON OpenReason,
&AccessState->
SubjectSecurityContext,
GrantedAccess,
AuxData->PrivilegeSet,
AuxData->PrivilegesUsed,
TRUE,
ExGetPreviousMode());
#endif

4
ntoskrnl/se/access.c
View file

@ -88,7 +88,7 @@ SeCreateAccessStateEx(
}
/* Set the Auxiliary Data */
AuxData->PrivilegeSet = (PPRIVILEGE_SET)((ULONG_PTR)AccessState +
AuxData->PrivilegesUsed = (PPRIVILEGE_SET)((ULONG_PTR)AccessState +
FIELD_OFFSET(ACCESS_STATE,
Privileges));
if (GenericMapping) AuxData->GenericMapping = *GenericMapping;
@ -158,7 +158,7 @@ SeDeleteAccessState(
/* Deallocate Privileges */
if (AccessState->PrivilegesAllocated)
ExFreePoolWithTag(AuxData->PrivilegeSet, TAG_PRIVILEGE_SET);
ExFreePoolWithTag(AuxData->PrivilegesUsed, TAG_PRIVILEGE_SET);
/* Deallocate Name and Type Name */
if (AccessState->ObjectName.Buffer)

14
ntoskrnl/se/priv.c
View file

@ -601,9 +601,9 @@ SeAppendPrivileges(
/* Calculate the size of the old privilege set */
OldPrivilegeSetSize = sizeof(PRIVILEGE_SET) +
(AuxData->PrivilegeSet->PrivilegeCount - 1) * sizeof(LUID_AND_ATTRIBUTES);
(AuxData->PrivilegesUsed->PrivilegeCount - 1) * sizeof(LUID_AND_ATTRIBUTES);
if (AuxData->PrivilegeSet->PrivilegeCount +
if (AuxData->PrivilegesUsed->PrivilegeCount +
Privileges->PrivilegeCount > INITIAL_PRIVILEGE_COUNT)
{
/* Calculate the size of the new privilege set */
@ -619,7 +619,7 @@ SeAppendPrivileges(
/* Copy original privileges from the acess state */
RtlCopyMemory(PrivilegeSet,
AuxData->PrivilegeSet,
AuxData->PrivilegesUsed,
OldPrivilegeSetSize);
/* Append privileges from the privilege set*/
@ -632,23 +632,23 @@ SeAppendPrivileges(
/* Free the old privilege set if it was allocated */
if (AccessState->PrivilegesAllocated != FALSE)
ExFreePoolWithTag(AuxData->PrivilegeSet, TAG_PRIVILEGE_SET);
ExFreePoolWithTag(AuxData->PrivilegesUsed, TAG_PRIVILEGE_SET);
/* Now we are using an allocated privilege set */
AccessState->PrivilegesAllocated = TRUE;
/* Assign the new privileges to the access state */
AuxData->PrivilegeSet = PrivilegeSet;
AuxData->PrivilegesUsed = PrivilegeSet;
}
else
{
/* Append privileges */
RtlCopyMemory((PVOID)((ULONG_PTR)AuxData->PrivilegeSet + OldPrivilegeSetSize),
RtlCopyMemory((PVOID)((ULONG_PTR)AuxData->PrivilegesUsed + OldPrivilegeSetSize),
(PVOID)((ULONG_PTR)Privileges + sizeof(PRIVILEGE_SET) - sizeof(LUID_AND_ATTRIBUTES)),
Privileges->PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES));
/* Adjust the number of privileges in the target privilege set */
AuxData->PrivilegeSet->PrivilegeCount += Privileges->PrivilegeCount;
AuxData->PrivilegesUsed->PrivilegeCount += Privileges->PrivilegeCount;
}
return STATUS_SUCCESS;