[NTOS:IO]

- Don't delete the device node for root enumerated device objects on failure. It's pointless, since IopEnumerateDevice will just recreate it, and more importantly it causes a use-after-free because IopFreeDeviceNode does not unset the DeviceNode member of the device object extension, so IopEnumerateDevice will try to access the freed node - Set the device object's DeviceNode pointer to NULL in IopFreeDeviceNode - Use consistent pool tagging for device nodes CORE-8671 #resolve svn path=/trunk/; revision=64950
2025-02-24 01:15:09 +00:00 · 2014-10-24 09:39:15 +00:00 · 2014-10-24 09:39:15 +00:00 · 2c91c440f1
commit 2c91c440f1
parent 274363e9df
3 changed files with 13 additions and 14 deletions
--- a/reactos/ntoskrnl/include/internal/tag.h
+++ b/reactos/ntoskrnl/include/internal/tag.h
@ -81,6 +81,9 @@
 /* formerly located in io/mdl.c */
 #define TAG_MDL    ' LDM'

+/* formerly located in io/pnpmgr.c */
+#define TAG_IO_DEVNODE 'donD'
+
 /* formerly located in io/pnpnotify.c */
 #define TAG_PNP_NOTIFY  'NPnP'

--- a/reactos/ntoskrnl/io/iomgr/driver.c
+++ b/reactos/ntoskrnl/io/iomgr/driver.c
@ -930,7 +930,6 @@ IopInitializeBuiltinDriver(IN PLDR_DATA_TABLE_ENTRY BootLdrEntry)

    if (!NT_SUCCESS(Status))
    {
-        IopFreeDeviceNode(DeviceNode);
        return Status;
    }

@ -994,7 +993,6 @@ IopInitializeBootDrivers(VOID)
    if (!NT_SUCCESS(Status))
    {
        /* Fail */
-        IopFreeDeviceNode(DeviceNode);
        return;
    }

@ -1003,7 +1001,6 @@ IopInitializeBootDrivers(VOID)
    if (!NT_SUCCESS(Status))
    {
        /* Fail */
-        IopFreeDeviceNode(DeviceNode);
        ObDereferenceObject(DriverObject);
        return;
    }
@ -1013,7 +1010,6 @@ IopInitializeBootDrivers(VOID)
    if (!NT_SUCCESS(Status))
    {
        /* Fail */
-        IopFreeDeviceNode(DeviceNode);
        ObDereferenceObject(DriverObject);
        return;
    }
@ -2020,7 +2016,6 @@ IopLoadUnloadDriver(
        {
            DPRINT1("IopInitializeDriverModule() failed (Status %lx)\n", Status);
            MmUnloadSystemImage(ModuleObject);
-            IopFreeDeviceNode(DeviceNode);
            return Status;
        }

--- a/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c
+++ b/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c
@ -1024,7 +1024,7 @@ IopCreateDeviceNode(PDEVICE_NODE ParentNode,
   DPRINT("ParentNode 0x%p PhysicalDeviceObject 0x%p ServiceName %wZ\n",
      ParentNode, PhysicalDeviceObject, ServiceName);

-   Node = (PDEVICE_NODE)ExAllocatePool(NonPagedPool, sizeof(DEVICE_NODE));
+   Node = ExAllocatePoolWithTag(NonPagedPool, sizeof(DEVICE_NODE), TAG_IO_DEVNODE);
   if (!Node)
   {
      return STATUS_INSUFFICIENT_RESOURCES;
@ -1044,7 +1044,7 @@ IopCreateDeviceNode(PDEVICE_NODE ParentNode,
      FullServiceName.Buffer = ExAllocatePool(PagedPool, FullServiceName.MaximumLength);
      if (!FullServiceName.Buffer)
      {
-          ExFreePool(Node);
+          ExFreePoolWithTag(Node, TAG_IO_DEVNODE);
          return STATUS_INSUFFICIENT_RESOURCES;
      }

@ -1055,7 +1055,7 @@ IopCreateDeviceNode(PDEVICE_NODE ParentNode,
      if (!NT_SUCCESS(Status))
      {
         DPRINT1("PnpRootCreateDevice() failed with status 0x%08X\n", Status);
-         ExFreePool(Node);
+         ExFreePoolWithTag(Node, TAG_IO_DEVNODE);
         return Status;
      }

@ -1064,7 +1064,7 @@ IopCreateDeviceNode(PDEVICE_NODE ParentNode,
      if (!NT_SUCCESS(Status))
      {
          ZwClose(InstanceHandle);
-          ExFreePool(Node);
+          ExFreePoolWithTag(Node, TAG_IO_DEVNODE);
          ExFreePool(FullServiceName.Buffer);
          return Status;
      }
@ -1073,7 +1073,7 @@ IopCreateDeviceNode(PDEVICE_NODE ParentNode,
      if (!Node->ServiceName.Buffer)
      {
          ZwClose(InstanceHandle);
-          ExFreePool(Node);
+          ExFreePoolWithTag(Node, TAG_IO_DEVNODE);
          ExFreePool(FullServiceName.Buffer);
          return Status;
      }
@ -1122,7 +1122,7 @@ IopCreateDeviceNode(PDEVICE_NODE ParentNode,

      if (!NT_SUCCESS(Status))
      {
-          ExFreePool(Node);
+          ExFreePoolWithTag(Node, TAG_IO_DEVNODE);
          return Status;
      }

@ -1225,7 +1225,8 @@ IopFreeDeviceNode(PDEVICE_NODE DeviceNode)
      ExFreePool(DeviceNode->BootResources);
   }

-   ExFreePool(DeviceNode);
+   ((PEXTENDED_DEVOBJ_EXTENSION)DeviceNode->PhysicalDeviceObject->DeviceObjectExtension)->DeviceNode = NULL;
+   ExFreePoolWithTag(DeviceNode, TAG_IO_DEVNODE);

   return STATUS_SUCCESS;
 }
@ -2560,7 +2561,7 @@ IopActionInitChildServices(PDEVICE_NODE DeviceNode,

   DPRINT("IopActionInitChildServices(%p, %p)\n", DeviceNode, Context);

-   ParentDeviceNode = (PDEVICE_NODE)Context;
+   ParentDeviceNode = Context;

   /*
    * We are called for the parent too, but we don't need to do special
@ -3545,7 +3546,7 @@ PipAllocateDeviceNode(IN PDEVICE_OBJECT PhysicalDeviceObject)
    PAGED_CODE();

    /* Allocate it */
-    DeviceNode = ExAllocatePoolWithTag(NonPagedPool, sizeof(DEVICE_NODE), 'donD');
+    DeviceNode = ExAllocatePoolWithTag(NonPagedPool, sizeof(DEVICE_NODE), TAG_IO_DEVNODE);
    if (!DeviceNode) return DeviceNode;

    /* Statistics */