[NTOS:KD] Protect against invalid user arguments in KdpPrintString. CORE-14057

2024-09-28 05:26:58 +00:00 · 2017-12-08 14:41:41 +01:00 · 2017-12-08 14:41:41 +01:00 · 34ccecbce8
parent 1a38c76266
commit 34ccecbce8
2 changed files with 28 additions and 4 deletions
--- a/ntoskrnl/include/internal/kd.h
+++ b/ntoskrnl/include/internal/kd.h
@ -193,8 +193,8 @@ KdpCallGdb(
 ULONG
 NTAPI
 KdpPrintString(
-    LPSTR String,
-    ULONG Length);
+    _In_reads_bytes_(Length) PCHAR UnsafeString,
+    _In_ ULONG Length);

 ULONG
 NTAPI
--- a/ntoskrnl/kd/kdio.c
+++ b/ntoskrnl/kd/kdio.c
@ -567,14 +567,38 @@ KdpScreenInit(PKD_DISPATCH_TABLE DispatchTable,

 ULONG
 NTAPI
-KdpPrintString(LPSTR String,
-               ULONG Length)
+KdpPrintString(
+    _In_reads_bytes_(Length) PCHAR UnsafeString,
+    _In_ ULONG Length)
 {
    PLIST_ENTRY CurrentEntry;
    PKD_DISPATCH_TABLE CurrentTable;
+    PCHAR String;

    if (!KdpDebugMode.Value) return 0;

+    Length = min(Length, 512);
+
+    if (ExGetPreviousMode() != KernelMode)
+    {
+        _SEH2_TRY
+        {
+            ProbeForRead(UnsafeString, Length, 1);
+            String = _alloca(Length + 1);
+            RtlCopyMemory(String, UnsafeString, Length);
+            String[Length] = ANSI_NULL;
+        }
+        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+        {
+            return 0;
+        }
+        _SEH2_END;
+    }
+    else
+    {
+        String = UnsafeString;
+    }
+
    /* Call the registered handlers */
    CurrentEntry = KdProviders.Flink;
    while (CurrentEntry != &KdProviders)