From 63977328b1b163d2cadb05b52330ae12910b7d98 Mon Sep 17 00:00:00 2001
From: Thomas Faber
Date: Sat, 19 Jan 2019 11:35:18 +0100
Subject: [PATCH] [NTOSKRNL] Guard against negative InformationClass enum values. CORE-15651
---
 ntoskrnl/ex/sysinfo.c | 6 ++++--
 ntoskrnl/io/iomgr/iofunc.c | 18 ++++++++++++------
 2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/ntoskrnl/ex/sysinfo.c b/ntoskrnl/ex/sysinfo.c
index a7883d4944d..4949705ab29 100644
--- a/ntoskrnl/ex/sysinfo.c
+++ b/ntoskrnl/ex/sysinfo.c
@@ -2847,7 +2847,8 @@ NtQuerySystemInformation(
 /*
 * Check if the request is valid.
 */
- if (SystemInformationClass >= MAX_SYSTEM_INFO_CLASS)
+ if (SystemInformationClass < MIN_SYSTEM_INFO_CLASS ||
+ SystemInformationClass >= MAX_SYSTEM_INFO_CLASS)
 {
 _SEH2_YIELD(return STATUS_INVALID_INFO_CLASS);
 }
@@ -2871,7 +2872,8 @@ NtQuerySystemInformation(
 /*
 * Check if the request is valid.
 */
- if (SystemInformationClass >= MAX_SYSTEM_INFO_CLASS)
+ if (SystemInformationClass < MIN_SYSTEM_INFO_CLASS ||
+ SystemInformationClass >= MAX_SYSTEM_INFO_CLASS)
 {
 _SEH2_YIELD(return STATUS_INVALID_INFO_CLASS);
 }
diff --git a/ntoskrnl/io/iomgr/iofunc.c b/ntoskrnl/io/iomgr/iofunc.c
index 61fd88f8fd1..f2d3e59dd2c 100644
--- a/ntoskrnl/io/iomgr/iofunc.c
+++ b/ntoskrnl/io/iomgr/iofunc.c
@@ -2158,7 +2158,8 @@ NtQueryInformationFile(IN HANDLE FileHandle,
 if (PreviousMode != KernelMode)
 {
 /* Validate the information class */
- if ((FileInformationClass >= FileMaximumInformation) ||
+ if ((FileInformationClass < 0) ||
+ (FileInformationClass >= FileMaximumInformation) ||
 !(IopQueryOperationLength[FileInformationClass]))
 {
 /* Invalid class */
@@ -2192,7 +2193,8 @@ NtQueryInformationFile(IN HANDLE FileHandle,
 else
 {
 /* Validate the information class */
- if ((FileInformationClass >= FileMaximumInformation) ||
+ if ((FileInformationClass < 0) ||
+ (FileInformationClass >= FileMaximumInformation) ||
 !(IopQueryOperationLength[FileInformationClass]))
 {
 /* Invalid class */
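Review bot: In ntoskrnl/ex/sysinfo.c (hunk at -2847 and the identical one at -2871) the comment above the test still reads only "Check if the request is valid" and does not record why a lower bound is needed. The `< MIN_SYSTEM_INFO_CLASS` half only has an effect when the compiler gives the enum a signed type, so a later maintainer could mistake it for dead code and remove it. I would extend the comment to `/* Check if the request is valid. The class is caller-supplied and the enum may be signed, so reject negative values as well as too-large ones. */`. The same two-line condition now appears twice in NtQuerySystemInformation, whose body starts and ends outside both hunks; a small helper would keep the two copies in step.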
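Review bot: In ntoskrnl/io/iomgr/iofunc.c (hunk at -2158) the new `(FileInformationClass < 0)` test depends on the enum being signed; where a compiler picks an unsigned underlying type the comparison is constant-false and tends to draw a tautological-comparison warning, although the upper-bound test then still rejects the value. A single unsigned compare covers both cases without that dependency: `if (((ULONG)FileInformationClass >= FileMaximumInformation) ||`. The lookup `IopQueryOperationLength[FileInformationClass]` is only safe because it is the last operand of the `||` chain, which deserves a short comment such as `/* Bounds checks must stay ahead of the table lookup */`. The same applies to the other five hunks in this file (-2192, -2959, -2995, -3991, -4163), and the literal `0` here is inconsistent with the named `MIN_SYSTEM_INFO_CLASS` used in sysinfo.c. The enclosing functions continue outside the hunks.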
@@ -2959,7 +2961,8 @@ NtSetInformationFile(IN HANDLE FileHandle,
 if (PreviousMode != KernelMode)
 {
 /* Validate the information class */
- if ((FileInformationClass >= FileMaximumInformation) ||
+ if ((FileInformationClass < 0) ||
+ (FileInformationClass >= FileMaximumInformation) ||
 !(IopSetOperationLength[FileInformationClass]))
 {
 /* Invalid class */
@@ -2995,7 +2998,8 @@ NtSetInformationFile(IN HANDLE FileHandle,
 else
 {
 /* Validate the information class */
- if ((FileInformationClass >= FileMaximumInformation) ||
+ if ((FileInformationClass < 0) ||
+ (FileInformationClass >= FileMaximumInformation) ||
 !(IopSetOperationLength[FileInformationClass]))
 {
 /* Invalid class */
@@ -3991,7 +3995,8 @@ NtQueryVolumeInformationFile(IN HANDLE FileHandle,
 if (PreviousMode != KernelMode)
 {
 /* Validate the information class */
- if ((FsInformationClass >= FileFsMaximumInformation) ||
+ if ((FsInformationClass < 0) ||
+ (FsInformationClass >= FileFsMaximumInformation) ||
 !(IopQueryFsOperationLength[FsInformationClass]))
 {
 /* Invalid class */
@@ -4163,7 +4168,8 @@ NtSetVolumeInformationFile(IN HANDLE FileHandle,
 if (PreviousMode != KernelMode)
 {
 /* Validate the information class */
- if ((FsInformationClass >= FileFsMaximumInformation) ||
+ if ((FsInformationClass < 0) ||
+ (FsInformationClass >= FileFsMaximumInformation) ||
 !(IopSetFsOperationLength[FsInformationClass]))
 {
 /* Invalid class */
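Review bot: For NtQueryVolumeInformationFile (-3991) and NtSetVolumeInformationFile (-4163) only the `PreviousMode != KernelMode` branch gains the lower bound, whereas NtQueryInformationFile and NtSetInformationFile are patched in both the user-mode branch and the `else` branch. The rest of both volume functions lies outside the hunks, so it cannot be seen here whether a kernel-mode caller's `FsInformationClass` is range-checked before `IopQueryFsOperationLength[...]` or `IopSetFsOperationLength[...]` is indexed. If it is not, the same test should be applied on that path. If kernel-mode callers are trusted by design, a comment such as `/* Kernel-mode callers are trusted to pass a valid class */` would record that decision next to the check.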