[0.4.10][NTOS][WIN32SS][UDFS] Fix double free in ObCreateObject, fix retvals CORE-14271

Backport the following commits: 0.4.15-dev-6401-g 53b30e3f3b [NTOSKRNL][NTGDI] Formatting addendum, no functional change 0.4.15-dev-5487-g e7bbbf049e [NTOS] Fix double free on allocation failure in ObCreateObject partially 0.4.13-dev-358-g 38db074491 [WIN32SS][UDFS] Misc addendum to CORE-14271 (#1529) 0.4.12-dev-648-g 17af7f0c27 [UDFS] Correctly check SeSinglePrivilegeCheck() return value (#1324) CORE-14271 0.4.12-dev-552-g 0483a5a380 [NTOS:OB] Correctly check SeSinglePrivilegeCheck() return value (#1323) CORE-14271 Just for verifying that the size didn't increase anywhere: ntoskrnl.exe GCC8.4.0dbg RosBEWin2.2.2 master 5.124.096 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4.14 4.413.440 -> 4.413.440 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4.13 4.367.360 -> 4.367.360 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4.12 4.377.600 -> 4.377.600 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4.11 4.377.088 -> 4.377.088 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4.10 4.344.320 -> 4.344.320 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4. 9 4.311.552 -> 4.311.552 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4. 8 4.296.704 -> 4.296.704 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4. 7 4.231.168 -> 4.231.168 udfs.sys GCC8.4.0dbg RosBEWin2.2.2 master 835.584 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.14 745.472 -> 745.472 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.13 745.472 -> 745.472 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.12 749.568 -> 749.568 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.11 749.568 -> 749.568 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.10 749.568 -> 749.568 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4. 9 749.568 -> 749.568 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4. 8 749.568 -> 749.568 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4. 7 749.568 -> 749.568 user32.dll GCC8.4.0dbg RosBEWin2.2.2 master 1.585.152 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4.14 1.448.448 -> 1.448.448 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4.13 1.445.376 -> 1.445.376 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4.12 1.455.616 -> 1.455.616 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4.11 1.453.056 -> 1.453.056 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4.10 1.434.624 -> 1.434.624 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4. 9 1.422.336 -> 1.422.336 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4. 8 1.421.824 -> 1.421.824 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4. 7 1.418.752 -> 1.418.752 win32k.sys GCC8.4.0dbg RosBEWin2.2.2 master 3.477.504 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.14 2.904.064 -> 2.904.064 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.13 2.895.872 -> 2.895.872 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.12 2.887.680 -> 2.887.680 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.11 2.867.200 -> 2.867.200 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.10 2.863.104 -> 2.863.104 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4. 9 2.834.432 -> 2.834.432 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4. 8 2.830.336 -> 2.830.336 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4. 7 2.830.336 -> 2.830.336
2024-09-28 21:44:31 +00:00 · 2023-08-02 00:51:41 +02:00 · 2023-08-02 00:51:41 +02:00 · 641b04205f
parent 076c3c738a
commit 641b04205f
6 changed files with 27 additions and 43 deletions
--- a/drivers/filesystems/udfs/create.cpp
+++ b/drivers/filesystems/udfs/create.cpp
@ -742,9 +742,9 @@ op_vol_accs_dnd:

        // we should check appropriate privilege if OpenForBackup requested
        if(OpenForBackup) {
-            RC = SeSinglePrivilegeCheck(SeExports->SeBackupPrivilege, UserMode);
-            if(!NT_SUCCESS(RC))
-                try_return(RC);
+            if (!SeSinglePrivilegeCheck(SeExports->SeBackupPrivilege, UserMode)) {
+                try_return(RC = STATUS_PRIVILEGE_NOT_HELD);
+            }
        }

        // The FSD might wish to implement the open-by-id option. The "id"
--- a/drivers/filesystems/udfs/secursup.cpp
+++ b/drivers/filesystems/udfs/secursup.cpp
@ -934,9 +934,9 @@ UDFCheckAccessRights(
    )
 {
    NTSTATUS RC;
-    BOOLEAN SecurityCheck = TRUE;
    BOOLEAN ROCheck = FALSE;
 #ifdef UDF_ENABLE_SECURITY
+    BOOLEAN SecurityCheck;
    PSECURITY_DESCRIPTOR SecDesc;
    SECURITY_SUBJECT_CONTEXT SubjectContext;
    ACCESS_MASK LocalAccessMask;
@ -1011,8 +1011,7 @@ treat_as_ro:
        } else
 #endif //UDF_ENABLE_SECURITY
        if(DesiredAccess & ACCESS_SYSTEM_SECURITY) {
-            SecurityCheck = SeSinglePrivilegeCheck(SeExports->SeSecurityPrivilege, UserMode);
-            if(!SecurityCheck)
+            if (!SeSinglePrivilegeCheck(SeExports->SeSecurityPrivilege, UserMode))
                return STATUS_ACCESS_DENIED;
            Ccb->PreviouslyGrantedAccess |= ACCESS_SYSTEM_SECURITY;
        }
--- a/ntoskrnl/config/cmsysini.c
+++ b/ntoskrnl/config/cmsysini.c
@ -1,7 +1,6 @@
 /*
 * PROJECT:         ReactOS Kernel
 * LICENSE:         BSD - See COPYING.ARM in the top level directory
- * FILE:            ntoskrnl/config/cmsysini.c
 * PURPOSE:         Configuration Manager - System Initialization Code
 * PROGRAMMERS:     ReactOS Portable Systems Group
 *                  Alex Ionescu (alex.ionescu@reactos.org)
@ -412,7 +411,7 @@ CmpSetSystemValues(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
                               NULL,
                               NULL);
    Status = NtOpenKey(&KeyHandle, KEY_WRITE, &ObjectAttributes);
-    if (!NT_SUCCESS(Status)) goto Quickie;
+    if (!NT_SUCCESS(Status)) goto Quit;

    /* Key opened, now write to the key */
    RtlInitUnicodeString(&KeyName, L"SystemStartOptions");
@ -422,7 +421,7 @@ CmpSetSystemValues(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
                           REG_SZ,
                           CmpLoadOptions.Buffer,
                           CmpLoadOptions.Length);
-    if (!NT_SUCCESS(Status)) goto Quickie;
+    if (!NT_SUCCESS(Status)) goto Quit;

    /* Setup value name for system boot device in ARC format */
    RtlInitUnicodeString(&KeyName, L"SystemBootDevice");
@ -434,7 +433,7 @@ CmpSetSystemValues(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
                           ValueName.Buffer,
                           ValueName.Length);

-Quickie:
+Quit:
    /* Free the buffers */
    RtlFreeUnicodeString(&ValueName);

@ -872,7 +871,6 @@ CmpInitializeSystemHive(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
    UNICODE_STRING KeyName;
    PCMHIVE SystemHive = NULL;
    PSECURITY_DESCRIPTOR SecurityDescriptor;
-    BOOLEAN Success;

    PAGED_CODE();

@ -920,12 +918,8 @@ CmpInitializeSystemHive(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
    }

    /* Set the hive filename */
-    Success = RtlCreateUnicodeString(&SystemHive->FileFullPath,
-                                     L"\\SystemRoot\\System32\\Config\\SYSTEM");
-    if (!Success)
-    {
+    if (!RtlCreateUnicodeString(&SystemHive->FileFullPath, L"\\SystemRoot\\System32\\Config\\SYSTEM"))
        return FALSE;
-    }

    /* Manually set the hive as volatile, if in Live CD mode */
    if (HiveBase && CmpShareSystemHives)
--- a/ntoskrnl/ob/oblife.c
+++ b/ntoskrnl/ob/oblife.c
@ -858,10 +858,11 @@ ObpAllocateObject(IN POBJECT_CREATE_INFORMATION ObjectCreateInfo,

 NTSTATUS
 NTAPI
-ObQueryTypeInfo(IN POBJECT_TYPE ObjectType,
-                OUT POBJECT_TYPE_INFORMATION ObjectTypeInfo,
-                IN ULONG Length,
-                OUT PULONG ReturnLength)
+ObQueryTypeInfo(
+    IN POBJECT_TYPE ObjectType,
+    OUT POBJECT_TYPE_INFORMATION ObjectTypeInfo,
+    IN ULONG Length,
+    OUT PULONG ReturnLength)
 {
    NTSTATUS Status = STATUS_SUCCESS;
    PWSTR InfoBuffer;
@ -873,7 +874,7 @@ ObQueryTypeInfo(IN POBJECT_TYPE ObjectType,
        *ReturnLength += sizeof(*ObjectTypeInfo) +
                         ALIGN_UP(ObjectType->Name.MaximumLength, ULONG);

-        /* Check if thats too much though. */
+        /* Check if that is too much */
        if (Length < *ReturnLength)
        {
            _SEH2_YIELD(return STATUS_INFO_LENGTH_MISMATCH);
@ -1022,6 +1023,7 @@ ObCreateObject(IN KPROCESSOR_MODE ProbeMode OPTIONAL,
        /* Release the Capture Info, we don't need it */
        ObpFreeObjectCreateInformation(ObjectCreateInfo);
        if (ObjectName.Buffer) ObpFreeObjectNameBuffer(&ObjectName);
+        return Status;
    }

    /* We failed, so release the Buffer */
@ -1413,9 +1415,8 @@ NtMakePermanentObject(IN HANDLE ObjectHandle)
    PAGED_CODE();

    /* Make sure that the caller has SeCreatePermanentPrivilege */
-    Status = SeSinglePrivilegeCheck(SeCreatePermanentPrivilege,
-                                    PreviousMode);
-    if (!NT_SUCCESS(Status)) return STATUS_PRIVILEGE_NOT_HELD;
+    if (!SeSinglePrivilegeCheck(SeCreatePermanentPrivilege, PreviousMode))
+        return STATUS_PRIVILEGE_NOT_HELD;

    /* Reference the object */
    Status = ObReferenceObjectByHandle(ObjectHandle,
--- a/win32ss/gdi/ntgdi/freetype.c
+++ b/win32ss/gdi/ntgdi/freetype.c
@ -1,7 +1,6 @@
 /*
 * PROJECT:         ReactOS win32 kernel mode subsystem
 * LICENSE:         GPL - See COPYING in the top level directory
- * FILE:            win32ss/gdi/ntgdi/freetype.c
 * PURPOSE:         FreeType font engine interface
 * PROGRAMMERS:     Copyright 2001 Huw D M Davies for CodeWeavers.
 *                  Copyright 2006 Dmitry Timoshkov for CodeWeavers.
@ -353,7 +352,6 @@ IntLoadFontSubstList(PLIST_ENTRY pHead)
    BYTE                            CharSets[FONTSUBST_FROM_AND_TO];
    LPWSTR                          pch;
    PFONTSUBST_ENTRY                pEntry;
-    BOOLEAN                         Success;

    /* the FontSubstitutes registry key */
    static UNICODE_STRING FontSubstKey =
@ -398,8 +396,7 @@ IntLoadFontSubstList(PLIST_ENTRY pHead)
        pInfo = (PKEY_VALUE_FULL_INFORMATION)InfoBuffer;
        Length = pInfo->NameLength / sizeof(WCHAR);
        pInfo->Name[Length] = UNICODE_NULL;   /* truncate */
-        Success = RtlCreateUnicodeString(&FromW, pInfo->Name);
-        if (!Success)
+        if (!RtlCreateUnicodeString(&FromW, pInfo->Name))
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
            DPRINT("RtlCreateUnicodeString failed\n");
@ -421,8 +418,7 @@ IntLoadFontSubstList(PLIST_ENTRY pHead)
        pch = (LPWSTR)((PUCHAR)pInfo + pInfo->DataOffset);
        Length = pInfo->DataLength / sizeof(WCHAR);
        pch[Length] = UNICODE_NULL; /* truncate */
-        Success = RtlCreateUnicodeString(&ToW, pch);
-        if (!Success)
+        if (!RtlCreateUnicodeString(&ToW, pch))
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
            DPRINT("RtlCreateUnicodeString failed\n");
--- a/win32ss/user/user32/windows/clipboard.c
+++ b/win32ss/user/user32/windows/clipboard.c
@ -91,7 +91,7 @@ UINT
 WINAPI
 RegisterClipboardFormatA(LPCSTR lpszFormat)
 {
-    UINT ret = 0;
+    UINT ret;
    UNICODE_STRING usFormat = {0};

    if (lpszFormat == NULL)
@ -100,19 +100,17 @@ RegisterClipboardFormatA(LPCSTR lpszFormat)
        return 0;
    }

-    /* check for "" */
    if (*lpszFormat == 0) //NULL
    {
        SetLastError(ERROR_INVALID_NAME);
        return 0;
    }

-    ret = RtlCreateUnicodeStringFromAsciiz(&usFormat, lpszFormat);
-    if (ret)
-    {
-        ret = NtUserRegisterWindowMessage(&usFormat); //(LPCWSTR)
-        RtlFreeUnicodeString(&usFormat);
-    }
+    if (!RtlCreateUnicodeStringFromAsciiz(&usFormat, lpszFormat))
+        return 0;
+
+    ret = NtUserRegisterWindowMessage(&usFormat); //(LPCWSTR)
+    RtlFreeUnicodeString(&usFormat);

    return ret;
 }
@ -124,7 +122,6 @@ UINT
 WINAPI
 RegisterClipboardFormatW(LPCWSTR lpszFormat)
 {
-    UINT ret = 0;
    UNICODE_STRING usFormat = {0};

    if (lpszFormat == NULL)
@ -133,7 +130,6 @@ RegisterClipboardFormatW(LPCWSTR lpszFormat)
        return 0;
    }

-    /* check for "" */
    if (*lpszFormat == 0) //NULL
    {
        SetLastError(ERROR_INVALID_NAME);
@ -141,9 +137,7 @@ RegisterClipboardFormatW(LPCWSTR lpszFormat)
    }

    RtlInitUnicodeString(&usFormat, lpszFormat);
-    ret = NtUserRegisterWindowMessage(&usFormat);
-
-    return ret;
+    return NtUserRegisterWindowMessage(&usFormat);
 }

 static PVOID WINAPI