added buffer checks to NtCreateThread()

svn path=/trunk/; revision=13358
This commit is contained in:
Thomas Bluemel 2005-01-28 22:43:13 +00:00
parent 00ae7e938d
commit 48bc6a5e53


@ -421,7 +421,7 @@ PsInitializeThread(PEPROCESS Process,
Status = ObCreateObject(UserMode, Status = ObCreateObject(UserMode,
PsThreadType, PsThreadType,
ThreadAttributes, ThreadAttributes,
UserMode, KernelMode,
NULL, NULL,
sizeof(ETHREAD), sizeof(ETHREAD),
0, 0,
@ -444,19 +444,6 @@ PsInitializeThread(PEPROCESS Process,
Thread->ThreadsProcess = Process; Thread->ThreadsProcess = Process;
Thread->Cid.UniqueProcess = (HANDLE)Thread->ThreadsProcess->UniqueProcessId; Thread->Cid.UniqueProcess = (HANDLE)Thread->ThreadsProcess->UniqueProcessId;
Status = ObInsertObject ((PVOID)Thread,
NULL,
DesiredAccess,
0,
NULL,
ThreadHandle);
if (!NT_SUCCESS(Status))
{
ObDereferenceObject (Thread);
ObDereferenceObject (Process);
return Status;
}
DPRINT("Thread = %x\n",Thread); DPRINT("Thread = %x\n",Thread);
KeInitializeThread(&Process->Pcb, &Thread->Tcb, First); KeInitializeThread(&Process->Pcb, &Thread->Tcb, First);
@ -489,7 +476,13 @@ PsInitializeThread(PEPROCESS Process,
*ThreadPtr = Thread; *ThreadPtr = Thread;
return(STATUS_SUCCESS); Status = ObInsertObject((PVOID)Thread,
NULL,
DesiredAccess,
0,
NULL,
ThreadHandle);
return(Status);
} }
@ -663,17 +656,64 @@ NtCreateThread(OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess, IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle, IN HANDLE ProcessHandle,
OUT PCLIENT_ID Client, OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext, IN PCONTEXT ThreadContext,
IN PINITIAL_TEB InitialTeb, IN PINITIAL_TEB InitialTeb,
IN BOOLEAN CreateSuspended) IN BOOLEAN CreateSuspended)
{ {
HANDLE hThread;
CONTEXT SafeContext;
INITIAL_TEB SafeInitialTeb;
PEPROCESS Process; PEPROCESS Process;
PETHREAD Thread; PETHREAD Thread;
PTEB TebBase; PTEB TebBase;
NTSTATUS Status;
PKAPC LdrInitApc; PKAPC LdrInitApc;
KIRQL oldIrql; KIRQL oldIrql;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status = STATUS_SUCCESS;
if(ThreadContext == NULL)
{
return STATUS_INVALID_PARAMETER;
}
PreviousMode = ExGetPreviousMode();
if(PreviousMode != KernelMode)
{
_SEH_TRY
{
ProbeForWrite(ThreadHandle,
sizeof(HANDLE),
sizeof(ULONG));
if(ClientId != NULL)
{
ProbeForWrite(ClientId,
sizeof(CLIENT_ID),
sizeof(ULONG));
}
ProbeForRead(ThreadContext,
sizeof(CONTEXT),
sizeof(ULONG));
SafeContext = *ThreadContext;
ThreadContext = &SafeContext;
ProbeForRead(InitialTeb,
sizeof(INITIAL_TEB),
sizeof(ULONG));
SafeInitialTeb = *InitialTeb;
InitialTeb = &SafeInitialTeb;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
return Status;
}
}
DPRINT("NtCreateThread(ThreadHandle %x, PCONTEXT %x)\n", DPRINT("NtCreateThread(ThreadHandle %x, PCONTEXT %x)\n",
ThreadHandle,ThreadContext); ThreadHandle,ThreadContext);
@ -681,7 +721,7 @@ NtCreateThread(OUT PHANDLE ThreadHandle,
Status = ObReferenceObjectByHandle(ProcessHandle, Status = ObReferenceObjectByHandle(ProcessHandle,
PROCESS_CREATE_THREAD, PROCESS_CREATE_THREAD,
PsProcessType, PsProcessType,
UserMode, PreviousMode,
(PVOID*)&Process, (PVOID*)&Process,
NULL); NULL);
if(!NT_SUCCESS(Status)) if(!NT_SUCCESS(Status))
@ -691,7 +731,7 @@ NtCreateThread(OUT PHANDLE ThreadHandle,
Status = PsInitializeThread(Process, Status = PsInitializeThread(Process,
&Thread, &Thread,
ThreadHandle, &hThread,
DesiredAccess, DesiredAccess,
ObjectAttributes, ObjectAttributes,
FALSE); FALSE);
@ -721,11 +761,6 @@ NtCreateThread(OUT PHANDLE ThreadHandle,
Thread->StartAddress = NULL; Thread->StartAddress = NULL;
if (Client != NULL)
{
*Client = Thread->Cid;
}
/* /*
* Maybe send a message to the process's debugger * Maybe send a message to the process's debugger
*/ */
@ -767,8 +802,21 @@ NtCreateThread(OUT PHANDLE ThreadHandle,
PsUnblockThread(Thread, NULL, 0); PsUnblockThread(Thread, NULL, 0);
KeReleaseDispatcherDatabaseLock(oldIrql); KeReleaseDispatcherDatabaseLock(oldIrql);
_SEH_TRY
{
if(ClientId != NULL)
{
*ClientId = Thread->Cid;
}
*ThreadHandle = hThread;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
return(STATUS_SUCCESS); return Status;
} }
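Review bot: The copy-out of `*ClientId` and `*ThreadHandle` in the new `_SEH_TRY` block runs after `PsUnblockThread(Thread, NULL, 0)`, so if the user buffer faults there the function returns the exception code while the new thread is already running and `hThread` stays open in the caller's handle table with no way for the caller to learn it. The earlier `ProbeForWrite` only checks the pointers at entry; it does not guarantee the pages are still writable by the time of the store. Consider moving the copy-out ahead of the dispatcher-lock/unblock pair (those lines start outside this hunk) so a failure is reported before the thread is released, and on failure closing `hThread` with `ZwClose` and tearing the thread down rather than leaving it to run. A related ordering concern appears in the PsInitializeThread hunk above: `ObInsertObject` now runs after `*ThreadPtr = Thread` and the thread has already been linked to the process, so a failed insert (which drops the object reference) presumably leaves a dangling entry in the process's thread list — worth confirming against the part of PsInitializeThread not shown here.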