From 199f575342a9d4383f44e9d29fa8088985dd9b9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?George=20Bi=C8=99oc?= Date: Sun, 26 Sep 2021 11:38:45 +0200 Subject: [PATCH] [NTOS:SE] Check the privilege count against the maximum threshold In SeCaptureLuidAndAttributesArray we must ensure that we don't go onto a potential integer overflow scenario by checking against the maximum limit threshold the kernel states. In addition, write an explicit name macro for the value. --- ntoskrnl/se/priv.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/ntoskrnl/se/priv.c b/ntoskrnl/se/priv.c index cae9103e210..a1013b1844b 100644 --- a/ntoskrnl/se/priv.c +++ b/ntoskrnl/se/priv.c @@ -15,6 +15,8 @@ /* GLOBALS ********************************************************************/ +#define SE_MAXIMUM_PRIVILEGE_LIMIT 0x3C + #define CONST_LUID(x1, x2) {x1, x2} const LUID SeCreateTokenPrivilege = CONST_LUID(SE_CREATE_TOKEN_PRIVILEGE, 0); const LUID SeAssignPrimaryTokenPrivilege = CONST_LUID(SE_ASSIGNPRIMARYTOKEN_PRIVILEGE, 0); @@ -427,7 +429,9 @@ SeCheckAuditPrivilege( * has been captured successfully. STATUS_INSUFFICIENT_RESOURCES is returned * if memory pool allocation for the captured buffer has failed. * STATUS_BUFFER_TOO_SMALL is returned if the buffer size is less than the - * required size. + * required size. STATUS_INVALID_PARAMETER is returned if the caller has + * submitted a privilege count that exceeds that maximum threshold the + * kernel can permit, for the purpose to avoid an integer overflow. */ NTSTATUS NTAPI @@ -454,15 +458,17 @@ SeCaptureLuidAndAttributesArray( return STATUS_SUCCESS; } + if (PrivilegeCount > SE_MAXIMUM_PRIVILEGE_LIMIT) + { + return STATUS_INVALID_PARAMETER; + } + if (PreviousMode == KernelMode && !CaptureIfKernel) { *Dest = Src; return STATUS_SUCCESS; } - /* FIXME - check PrivilegeCount for a valid number so we don't - cause an integer overflow or exhaust system resources! */ - BufferSize = PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES); *Length = ROUND_UP(BufferSize, 4); /* round up to a 4 byte alignment */