From 189a5e840475bd5ac958684de4369c795ef736f6 Mon Sep 17 00:00:00 2001
From: David Welch
Date: Sun, 18 Nov 2001 00:31:24 +0000
Subject: [PATCH] Fixed bugs with vim

svn path=/trunk/; revision=2377
---
 reactos/ntoskrnl/ex/sysinfo.c | 120 +++++++++++++++++++--------------
 reactos/ntoskrnl/ke/i386/exp.c | 25 ++++++-
 2 files changed, 94 insertions(+), 51 deletions(-)

diff --git a/reactos/ntoskrnl/ex/sysinfo.c b/reactos/ntoskrnl/ex/sysinfo.c
index 1d70c779924..59fe9b5dc57 100644
--- a/reactos/ntoskrnl/ex/sysinfo.c
+++ b/reactos/ntoskrnl/ex/sysinfo.c
@@ -1,4 +1,4 @@
-/* $Id: sysinfo.c,v 1.13 2001/09/02 17:29:51 dwelch Exp $
+/* $Id: sysinfo.c,v 1.14 2001/11/18 00:31:23 dwelch Exp $
 *
 * COPYRIGHT: See COPYING in the top level directory
 * PROJECT: ReactOS kernel
@@ -1013,57 +1013,79 @@ CallQS [] = }; -NTSTATUS -STDCALL -NtQuerySystemInformation ( - IN SYSTEM_INFORMATION_CLASS SystemInformationClass, - OUT PVOID SystemInformation, - IN ULONG Length, - OUT PULONG ResultLength - ) +NTSTATUS STDCALL +NtQuerySystemInformation (IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + OUT PVOID UnsafeSystemInformation, + IN ULONG Length, + OUT PULONG UnsafeResultLength) { - /* - * If called from user mode, check - * possible unsafe arguments. - */ -#if 0 - if (KernelMode != KeGetPreviousMode()) - { - // Check arguments - //ProbeForWrite( - // SystemInformation, - // Length - // ); - //ProbeForWrite( - // ResultLength, - // sizeof (ULONG) - // ); - } -#endif - /* - * Clear the user buffer. - */ - RtlZeroMemory (SystemInformation, Length); - /* - * Check the request is valid. - */ - if ( (SystemInformationClass >= SystemInformationClassMin) - && (SystemInformationClass < SystemInformationClassMax) - ) + ULONG ResultLength; + PVOID SystemInformation; + NTSTATUS Status; + NTSTATUS FStatus; + + if (ExGetPreviousMode() == KernelMode) + { + SystemInformation = UnsafeSystemInformation; + } + else + { + SystemInformation = ExAllocatePool(NonPagedPool, Length); + if (SystemInformation == NULL) { - if (NULL != CallQS [SystemInformationClass].Query) - { - /* - * Hand the request to a subhandler. - */ - return CallQS [SystemInformationClass].Query ( - SystemInformation, - Length, - ResultLength - ); - } + return(STATUS_NO_MEMORY); } - return (STATUS_INVALID_INFO_CLASS); + } + + /* Clear user buffer. */ + RtlZeroMemory(SystemInformation, Length); + + /* + * Check the request is valid. + */ + if ((SystemInformationClass >= SystemInformationClassMin) && + (SystemInformationClass < SystemInformationClassMax)) + { + if (NULL != CallQS [SystemInformationClass].Query) + { + /* + * Hand the request to a subhandler. 
+ */ + FStatus = CallQS [SystemInformationClass].Query(SystemInformation, + Length, + &ResultLength); + if (ExGetPreviousMode() != KernelMode) + { + Status = MmCopyToCaller(UnsafeSystemInformation, + SystemInformation, + Length); + ExFreePool(SystemInformation); + if (!NT_SUCCESS(Status)) + { + return(Status); + } + } + if (UnsafeResultLength != NULL) + { + if (ExGetPreviousMode() == KernelMode) + { + *UnsafeResultLength = ResultLength; + } + else + { + Status = MmCopyToCaller(UnsafeResultLength, + &ResultLength, + sizeof(ULONG)); + if (!NT_SUCCESS(Status)) + { + return(Status); + } + } + } + return(FStatus); + } + } + return (STATUS_INVALID_INFO_CLASS); } diff --git a/reactos/ntoskrnl/ke/i386/exp.c b/reactos/ntoskrnl/ke/i386/exp.c index 1440bfb47dd..72db0eb7859 100644 --- a/reactos/ntoskrnl/ke/i386/exp.c +++ b/reactos/ntoskrnl/ke/i386/exp.c @@ -38,6 +38,7 @@ #include #include #include +#include #define NDEBUG #include @@ -368,6 +369,9 @@ KiUserTrapHandler(PKTRAP_FRAME Tf, ULONG ExceptionNr, PVOID Cr2) PULONG Frame; ULONG cr3; ULONG i; + ULONG ReturnAddress; + ULONG NextFrame; + NTSTATUS Status; /* * Get the PDBR @@ -452,8 +456,25 @@ KiUserTrapHandler(PKTRAP_FRAME Tf, ULONG ExceptionNr, PVOID Cr2) Frame = (PULONG)Tf->Ebp; while (Frame != NULL) { - print_address((PVOID)Frame[1]); - Frame = (PULONG)Frame[0]; + Status = MmCopyToCaller(&ReturnAddress, &Frame[1], sizeof(ULONG)); + if (!NT_SUCCESS(Status)) + { + DbgPrint("????????\n"); + break; + } + print_address((PVOID)ReturnAddress); + Status = MmCopyToCaller(&NextFrame, &Frame[0], sizeof(ULONG)); + if (!NT_SUCCESS(Status)) + { + DbgPrint("Frame is inaccessible.\n"); + break; + } + if ((NextFrame + sizeof(ULONG)) >= KERNEL_BASE) + { + DbgPrint("Next frame is in kernel space!\n"); + break; + } + Frame = (PULONG)NextFrame; i++; }
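Review bot: The NonPagedPool buffer allocated for a user-mode caller at the top of NtQuerySystemInformation is freed only on the path that reaches a subhandler; when SystemInformationClass is outside [SystemInformationClassMin, SystemInformationClassMax) or `CallQS [SystemInformationClass].Query` is NULL, control falls through to `return (STATUS_INVALID_INFO_CLASS);` with the pool still held, so every rejected request from user mode leaks nonpaged pool. Freeing before that return closes the leak, `if (ExGetPreviousMode() != KernelMode) { ExFreePool(SystemInformation); }`, and moving the class/handler validation ahead of the ExAllocatePool call would be cleaner still, since nothing then needs allocating for a bad request. Length also reaches `ExAllocatePool(NonPagedPool, Length)` unchecked from user mode, so a caller can pin arbitrarily large nonpaged pool per call; a sanity bound belongs before the allocation, where an existing maximum for this interface could presumably be reused. ResultLength is declared uninitialized, handed to the subhandler as `&ResultLength` and then copied to UnsafeResultLength, so unless every Query routine is known to set it on all paths it should start as `ULONG ResultLength = 0;` to avoid copying stack garbage to the caller.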
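Review bot: The KERNEL_BASE test in the new frame walk of KiUserTrapHandler is applied only to NextFrame, so the initial `Frame = (PULONG)Tf->Ebp;` taken from the user trap frame is read through MmCopyToCaller without it, and the form `(NextFrame + sizeof(ULONG)) >= KERNEL_BASE` wraps for a value within sizeof(ULONG) of the top of the address space and does not cover an unaligned pointer whose four-byte read at Frame[1] straddles KERNEL_BASE. Checking the pointer itself at the top of the loop covers both reads and both entry points: `if ((ULONG)Frame >= KERNEL_BASE - 2 * sizeof(ULONG)) { DbgPrint("Frame is in kernel space!\n"); break; }`, after which the separate NextFrame test can be dropped. The two MmCopyToCaller calls here copy from the user frame into kernel locals, the opposite direction from the use in sysinfo.c in this same commit (kernel buffer to UnsafeSystemInformation); if the kernel has a MmCopyFromCaller counterpart that is the routine meant here, since a to-caller routine is not necessarily written to tolerate a faulting source. The walk is also unbounded — `i` is incremented but never tested, so a self-referencing saved-EBP chain keeps the trap handler spinning — and a cap on `i` belongs in the while condition; KiUserTrapHandler continues outside the hunk.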