Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-12-28 10:04:49 +00:00
Code Issues Projects Releases Packages Wiki Activity

[NTOS:SE] HACK: Temporarily grant access to the client if empty generic mapping was passed

Browse source 
Certain apps such as AIM installer passes an empty generic mapping (this can
be understood with their generic masks set to 0) and our code tries to map
the access right from an ACE with the mapping provided by AccessCheck.

This can lead to a bug where we would not be able to decode the generic right
from an ACE as we need a proper generic mapping in order to do so. A mask
right that is not decoded it cannot be used to mask out the remaining rights,
further resulting into a denied access right.

What Windows does instead is they are mapping the ACE's rights in another place,
presumably when setting security data to an object, and they are using the
generic mapping passed by the kernel.

What we can do for the time being is to temporarily grant access to the client,
but only if they are an administrator.

CORE-18576
This commit is contained in:
George Bișoc 2023-09-30 20:51:12 +02:00
parent 95c104f29a
commit 4b4638dc55
No known key found for this signature in database
GPG key ID: 688C4FBE25D7DEF6
1 changed files with 28 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
ntoskrnl/se/accesschk.c
View file

@ -1058,6 +1058,34 @@ SepAccessCheckWorker(
goto ReturnCommonStatus;
}
/*
* HACK: Temporary hack that checks if the caller passed an empty
* generic mapping. In such cases we cannot mask out the remaining
* access rights without a proper mapping so the only option we
* can do is to check if the client is an administrator,
* since they are powerful users.
*
* See CORE-18576 for information.
*/
if (GenericMapping->GenericRead == 0 &&
GenericMapping->GenericWrite == 0 &&
GenericMapping->GenericExecute == 0 &&
GenericMapping->GenericAll == 0)
{
if (SeTokenIsAdmin(Token))
{
/* Grant him access */
PreviouslyGrantedAccess |= RemainingAccess;
Status = STATUS_SUCCESS;
goto ReturnCommonStatus;
}
/* It's not an admin so bail out */
PreviouslyGrantedAccess = 0;
Status = STATUS_ACCESS_DENIED;
goto ReturnCommonStatus;
}
/* Get the DACL */
Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
&Present,