[FORMATTING]

No code changes.

svn path=/trunk/; revision=47428
Eric Kohl 2010-05-29 20:40:28 +00:00
parent fa9cd08b02
commit 6af485d3aa
3 changed files with 101 additions and 80 deletions


@ -43,7 +43,7 @@ RtlpMapFile(PUNICODE_STRING ImageFileName,
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
DPRINT1("Failed to read image file from disk\n"); DPRINT1("Failed to read image file from disk\n");
return(Status); return Status;
} }
/* Now create a section for this image */ /* Now create a section for this image */
@ -94,7 +94,7 @@ RtlpInitEnvironment(HANDLE ProcessHandle,
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
DPRINT1("Failed to reserve 1MB of space \n"); DPRINT1("Failed to reserve 1MB of space \n");
return(Status); return Status;
} }
} }
@ -118,7 +118,7 @@ RtlpInitEnvironment(HANDLE ProcessHandle,
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
DPRINT1("Failed to allocate Environment Block\n"); DPRINT1("Failed to allocate Environment Block\n");
return(Status); return Status;
} }
/* Write the Environment Block */ /* Write the Environment Block */
@ -144,7 +144,7 @@ RtlpInitEnvironment(HANDLE ProcessHandle,
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
DPRINT1("Failed to allocate Parameter Block\n"); DPRINT1("Failed to allocate Parameter Block\n");
return(Status); return Status;
} }
/* Write the Parameter Block */ /* Write the Parameter Block */
@ -245,7 +245,7 @@ RtlCreateUserProcess(IN PUNICODE_STRING ImageFileName,
{ {
DPRINT1("Could not create Kernel Process Object\n"); DPRINT1("Could not create Kernel Process Object\n");
ZwClose(hSection); ZwClose(hSection);
return(Status); return Status;
} }
/* Get some information on the image */ /* Get some information on the image */
@ -259,7 +259,7 @@ RtlCreateUserProcess(IN PUNICODE_STRING ImageFileName,
DPRINT1("Could not query Section Info\n"); DPRINT1("Could not query Section Info\n");
ZwClose(ProcessInfo->ProcessHandle); ZwClose(ProcessInfo->ProcessHandle);
ZwClose(hSection); ZwClose(hSection);
return(Status); return Status;
} }
/* Get some information about the process */ /* Get some information about the process */
@ -273,7 +273,7 @@ RtlCreateUserProcess(IN PUNICODE_STRING ImageFileName,
DPRINT1("Could not query Process Info\n"); DPRINT1("Could not query Process Info\n");
ZwClose(ProcessInfo->ProcessHandle); ZwClose(ProcessInfo->ProcessHandle);
ZwClose(hSection); ZwClose(hSection);
return(Status); return Status;
} }
/* Create Process Environment */ /* Create Process Environment */
@ -320,7 +320,6 @@ RtlEncodePointer(IN PVOID Pointer)
&Cookie, &Cookie,
sizeof(Cookie), sizeof(Cookie),
NULL); NULL);
if(!NT_SUCCESS(Status)) if(!NT_SUCCESS(Status))
{ {
DPRINT1("Failed to receive the process cookie! Status: 0x%lx\n", Status); DPRINT1("Failed to receive the process cookie! Status: 0x%lx\n", Status);


@ -249,9 +249,11 @@ SepCaptureSecurityQualityOfService(IN POBJECT_ATTRIBUTES ObjectAttributes OPTIO
if (((PSECURITY_QUALITY_OF_SERVICE)ObjectAttributes->SecurityQualityOfService)->Length == if (((PSECURITY_QUALITY_OF_SERVICE)ObjectAttributes->SecurityQualityOfService)->Length ==
sizeof(SECURITY_QUALITY_OF_SERVICE)) sizeof(SECURITY_QUALITY_OF_SERVICE))
{ {
/* don't allocate memory here because ExAllocate should bugcheck /*
the system if it's buggy, SEH would catch that! So make a local * Don't allocate memory here because ExAllocate should bugcheck
copy of the qos structure.*/ * the system if it's buggy, SEH would catch that! So make a local
* copy of the qos structure.
*/
RtlCopyMemory(&SafeQos, RtlCopyMemory(&SafeQos,
ObjectAttributes->SecurityQualityOfService, ObjectAttributes->SecurityQualityOfService,
sizeof(SECURITY_QUALITY_OF_SERVICE)); sizeof(SECURITY_QUALITY_OF_SERVICE));
@ -407,8 +409,10 @@ SeCaptureSecurityDescriptor(IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
_SEH2_TRY _SEH2_TRY
{ {
/* first only probe and copy until the control field of the descriptor /*
to determine whether it's a self-relative descriptor */ * First only probe and copy until the control field of the descriptor
* to determine whether it's a self-relative descriptor
*/
DescriptorSize = FIELD_OFFSET(SECURITY_DESCRIPTOR, DescriptorSize = FIELD_OFFSET(SECURITY_DESCRIPTOR,
Owner); Owner);
ProbeForRead(OriginalSecurityDescriptor, ProbeForRead(OriginalSecurityDescriptor,
@ -420,15 +424,17 @@ SeCaptureSecurityDescriptor(IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
_SEH2_YIELD(return STATUS_UNKNOWN_REVISION); _SEH2_YIELD(return STATUS_UNKNOWN_REVISION);
} }
/* make a copy on the stack */ /* Make a copy on the stack */
DescriptorCopy.Revision = OriginalSecurityDescriptor->Revision; DescriptorCopy.Revision = OriginalSecurityDescriptor->Revision;
DescriptorCopy.Sbz1 = OriginalSecurityDescriptor->Sbz1; DescriptorCopy.Sbz1 = OriginalSecurityDescriptor->Sbz1;
DescriptorCopy.Control = OriginalSecurityDescriptor->Control; DescriptorCopy.Control = OriginalSecurityDescriptor->Control;
DescriptorSize = ((DescriptorCopy.Control & SE_SELF_RELATIVE) ? DescriptorSize = ((DescriptorCopy.Control & SE_SELF_RELATIVE) ?
sizeof(SECURITY_DESCRIPTOR_RELATIVE) : sizeof(SECURITY_DESCRIPTOR)); sizeof(SECURITY_DESCRIPTOR_RELATIVE) : sizeof(SECURITY_DESCRIPTOR));
/* probe and copy the entire security descriptor structure. The SIDs /*
and ACLs will be probed and copied later though */ * Probe and copy the entire security descriptor structure. The SIDs
* and ACLs will be probed and copied later though
*/
ProbeForRead(OriginalSecurityDescriptor, ProbeForRead(OriginalSecurityDescriptor,
DescriptorSize, DescriptorSize,
sizeof(ULONG)); sizeof(ULONG));
@ -473,7 +479,7 @@ SeCaptureSecurityDescriptor(IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
return STATUS_UNKNOWN_REVISION; return STATUS_UNKNOWN_REVISION;
} }
/* make a copy on the stack */ /* Make a copy on the stack */
DescriptorCopy.Revision = OriginalSecurityDescriptor->Revision; DescriptorCopy.Revision = OriginalSecurityDescriptor->Revision;
DescriptorCopy.Sbz1 = OriginalSecurityDescriptor->Sbz1; DescriptorCopy.Sbz1 = OriginalSecurityDescriptor->Sbz1;
DescriptorCopy.Control = OriginalSecurityDescriptor->Control; DescriptorCopy.Control = OriginalSecurityDescriptor->Control;
@ -499,9 +505,11 @@ SeCaptureSecurityDescriptor(IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
if (DescriptorCopy.Control & SE_SELF_RELATIVE) if (DescriptorCopy.Control & SE_SELF_RELATIVE)
{ {
/* in case we're dealing with a self-relative descriptor, do a basic convert /*
to an absolute descriptor. We do this so we can simply access the data * In case we're dealing with a self-relative descriptor, do a basic convert
using the pointers without calculating them again. */ * to an absolute descriptor. We do this so we can simply access the data
* using the pointers without calculating them again.
*/
DescriptorCopy.Control &= ~SE_SELF_RELATIVE; DescriptorCopy.Control &= ~SE_SELF_RELATIVE;
if (DescriptorCopy.Owner != NULL) if (DescriptorCopy.Owner != NULL)
{ {
@ -521,7 +529,7 @@ SeCaptureSecurityDescriptor(IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
} }
} }
/* determine the size of the SIDs */ /* Determine the size of the SIDs */
#define DetermineSIDSize(SidType) \ #define DetermineSIDSize(SidType) \
do { \ do { \
if(DescriptorCopy.SidType != NULL) \ if(DescriptorCopy.SidType != NULL) \
@ -530,7 +538,7 @@ SID *SidType = (SID*)DescriptorCopy.SidType; \
\ \
if(CurrentMode != KernelMode) \ if(CurrentMode != KernelMode) \
{ \ { \
/* securely access the buffers! */ \ /* Securely access the buffers! */ \
_SEH2_TRY \ _SEH2_TRY \
{ \ { \
SidType##SAC = ProbeForReadUchar(&SidType->SubAuthorityCount); \ SidType##SAC = ProbeForReadUchar(&SidType->SubAuthorityCount); \
@ -561,7 +569,7 @@ DescriptorSize += ROUND_UP(SidType##Size, sizeof(ULONG)); \
#undef DetermineSIDSize #undef DetermineSIDSize
/* determine the size of the ACLs */ /* Determine the size of the ACLs */
#define DetermineACLSize(AclType, AclFlag) \ #define DetermineACLSize(AclType, AclFlag) \
do { \ do { \
if((DescriptorCopy.Control & SE_##AclFlag##_PRESENT) && \ if((DescriptorCopy.Control & SE_##AclFlag##_PRESENT) && \
@ -571,7 +579,7 @@ PACL AclType = (PACL)DescriptorCopy.AclType; \
\ \
if(CurrentMode != KernelMode) \ if(CurrentMode != KernelMode) \
{ \ { \
/* securely access the buffers! */ \ /* Securely access the buffers! */ \
_SEH2_TRY \ _SEH2_TRY \
{ \ { \
AclType##Size = ProbeForReadUshort(&AclType->AclSize); \ AclType##Size = ProbeForReadUshort(&AclType->AclSize); \
@ -604,8 +612,10 @@ DescriptorCopy.AclType = NULL; \
#undef DetermineACLSize #undef DetermineACLSize
/* allocate enough memory to store a complete copy of a self-relative /*
security descriptor */ * Allocate enough memory to store a complete copy of a self-relative
* security descriptor
*/
NewDescriptor = ExAllocatePoolWithTag(PoolType, NewDescriptor = ExAllocatePoolWithTag(PoolType,
DescriptorSize, DescriptorSize,
TAG_SD); TAG_SD);
@ -620,11 +630,13 @@ DescriptorCopy.AclType = NULL; \
_SEH2_TRY _SEH2_TRY
{ {
/* setup the offsets and copy the SIDs and ACLs to the new /*
self-relative security descriptor. Probing the pointers is not * Setup the offsets and copy the SIDs and ACLs to the new
neccessary anymore as we did that when collecting the sizes! * self-relative security descriptor. Probing the pointers is not
Make sure to validate the SIDs and ACLs *again* as they could have * neccessary anymore as we did that when collecting the sizes!
been modified in the meanwhile! */ * Make sure to validate the SIDs and ACLs *again* as they could have
* been modified in the meanwhile!
*/
#define CopySID(Type) \ #define CopySID(Type) \
do { \ do { \
if(DescriptorCopy.Type != NULL) \ if(DescriptorCopy.Type != NULL) \
@ -673,14 +685,16 @@ Offset += ROUND_UP(Type##Size, sizeof(ULONG)); \
} }
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{ {
/* we failed to copy the data to the new descriptor */ /* We failed to copy the data to the new descriptor */
ExFreePool(NewDescriptor); ExFreePool(NewDescriptor);
_SEH2_YIELD(return _SEH2_GetExceptionCode()); _SEH2_YIELD(return _SEH2_GetExceptionCode());
} }
_SEH2_END; _SEH2_END;
/* we're finally done! copy the pointer to the captured descriptor to /*
to the caller */ * We're finally done!
* Copy the pointer to the captured descriptor to to the caller.
*/
*CapturedSecurityDescriptor = NewDescriptor; *CapturedSecurityDescriptor = NewDescriptor;
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
@ -691,7 +705,7 @@ Offset += ROUND_UP(Type##Size, sizeof(ULONG)); \
} }
else else
{ {
/* nothing to do... */ /* Nothing to do... */
*CapturedSecurityDescriptor = NULL; *CapturedSecurityDescriptor = NULL;
} }
@ -765,6 +779,7 @@ SeQuerySecurityDescriptorInfo(IN PSECURITY_INFORMATION SecurityInformation,
Dacl = (PACL)((ULONG_PTR)ObjectSd->Dacl + (ULONG_PTR)ObjectSd); Dacl = (PACL)((ULONG_PTR)ObjectSd->Dacl + (ULONG_PTR)ObjectSd);
DaclLength = ROUND_UP((ULONG)Dacl->AclSize, 4); DaclLength = ROUND_UP((ULONG)Dacl->AclSize, 4);
} }
Control |= (ObjectSd->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT)); Control |= (ObjectSd->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT));
} }
@ -776,6 +791,7 @@ SeQuerySecurityDescriptorInfo(IN PSECURITY_INFORMATION SecurityInformation,
Sacl = (PACL)((ULONG_PTR)ObjectSd->Sacl + (ULONG_PTR)ObjectSd); Sacl = (PACL)((ULONG_PTR)ObjectSd->Sacl + (ULONG_PTR)ObjectSd);
SaclLength = ROUND_UP(Sacl->AclSize, 4); SaclLength = ROUND_UP(Sacl->AclSize, 4);
} }
Control |= (ObjectSd->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT)); Control |= (ObjectSd->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT));
} }
@ -846,14 +862,16 @@ SeReleaseSecurityDescriptor(IN PSECURITY_DESCRIPTOR CapturedSecurityDescriptor,
{ {
PAGED_CODE(); PAGED_CODE();
/* WARNING! You need to call this function with the same value for CurrentMode /*
and CaptureIfKernelMode that you previously passed to * WARNING! You need to call this function with the same value for CurrentMode
SeCaptureSecurityDescriptor() in order to avoid memory leaks! */ * and CaptureIfKernelMode that you previously passed to
* SeCaptureSecurityDescriptor() in order to avoid memory leaks!
*/
if (CapturedSecurityDescriptor != NULL && if (CapturedSecurityDescriptor != NULL &&
(CurrentMode != KernelMode || (CurrentMode != KernelMode ||
(CurrentMode == KernelMode && CaptureIfKernelMode))) (CurrentMode == KernelMode && CaptureIfKernelMode)))
{ {
/* only delete the descriptor when SeCaptureSecurityDescriptor() allocated one! */ /* Only delete the descriptor when SeCaptureSecurityDescriptor() allocated one! */
ExFreePoolWithTag(CapturedSecurityDescriptor, TAG_SD); ExFreePoolWithTag(CapturedSecurityDescriptor, TAG_SD);
} }
@ -888,8 +906,9 @@ SeSetSecurityDescriptorInfo(IN PVOID Object OPTIONAL,
ObjectSd = *ObjectsSecurityDescriptor; ObjectSd = *ObjectsSecurityDescriptor;
/* The object does not have a security descriptor. */
if (!ObjectSd) if (!ObjectSd)
return STATUS_NO_SECURITY_ON_OBJECT; // The object does not have a security descriptor. return STATUS_NO_SECURITY_ON_OBJECT;
SecurityInformation = *_SecurityInformation; SecurityInformation = *_SecurityInformation;
@ -1074,8 +1093,9 @@ SeSetSecurityDescriptorInfoEx(IN PVOID Object OPTIONAL,
{ {
PISECURITY_DESCRIPTOR ObjectSd = *ObjectsSecurityDescriptor; PISECURITY_DESCRIPTOR ObjectSd = *ObjectsSecurityDescriptor;
/* The object does not have a security descriptor. */
if (!ObjectSd) if (!ObjectSd)
return STATUS_NO_SECURITY_ON_OBJECT; // The object does not have a security descriptor. return STATUS_NO_SECURITY_ON_OBJECT;
UNIMPLEMENTED; UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED; return STATUS_NOT_IMPLEMENTED;
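Review bot: The rewritten comment ahead of `CopySID` in SeCaptureSecurityDescriptor is the only place that records the re-validation requirement for the caller's SIDs and ACLs, yet it does not say which lengths the copy pass must use. Because the comment itself notes the buffers can change between the sizing pass and the copy pass, I would add a line such as `* Copy with the sizes captured above; never re-read a length from the caller's buffer.` The body of `CopySID` lies outside the visible hunks, so whether it already follows this rule needs confirming there. While these comments are being rewritten, `neccessary` should read `necessary`, and the closing comment repeats a word; it should be `* Copy the pointer to the captured descriptor to the caller.`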


@ -1709,7 +1709,7 @@ NtSetInformationToken(IN HANDLE TokenHandle,
{ {
PACL CapturedAcl; PACL CapturedAcl;
/* capture and copy the dacl */ /* Capture and copy the dacl */
Status = SepCaptureAcl(InputAcl, Status = SepCaptureAcl(InputAcl,
PreviousMode, PreviousMode,
PagedPool, PagedPool,
@ -1717,19 +1717,19 @@ NtSetInformationToken(IN HANDLE TokenHandle,
&CapturedAcl); &CapturedAcl);
if (NT_SUCCESS(Status)) if (NT_SUCCESS(Status))
{ {
/* free the previous dacl if present */ /* Free the previous dacl if present */
if(Token->DefaultDacl != NULL) if(Token->DefaultDacl != NULL)
{ {
ExFreePool(Token->DefaultDacl); ExFreePool(Token->DefaultDacl);
} }
/* set the new dacl */ /* Set the new dacl */
Token->DefaultDacl = CapturedAcl; Token->DefaultDacl = CapturedAcl;
} }
} }
else else
{ {
/* clear and free the default dacl if present */ /* Clear and free the default dacl if present */
if (Token->DefaultDacl != NULL) if (Token->DefaultDacl != NULL)
{ {
ExFreePool(Token->DefaultDacl); ExFreePool(Token->DefaultDacl);
@ -1750,7 +1750,7 @@ NtSetInformationToken(IN HANDLE TokenHandle,
_SEH2_TRY _SEH2_TRY
{ {
/* buffer size was already verified, no need to check here again */ /* Buffer size was already verified, no need to check here again */
SessionId = *(PULONG)TokenInformation; SessionId = *(PULONG)TokenInformation;
} }
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
@ -1880,7 +1880,7 @@ NtDuplicateToken(IN HANDLE ExistingTokenHandle,
} }
} }
/* free the captured structure */ /* Free the captured structure */
SepReleaseSecurityQualityOfService(CapturedSecurityQualityOfService, SepReleaseSecurityQualityOfService(CapturedSecurityQualityOfService,
PreviousMode, PreviousMode,
FALSE); FALSE);
@ -1997,7 +1997,8 @@ NtAdjustPrivilegesToken(IN HANDLE TokenHandle,
} }
else else
{ {
/* FIXME: Should revert all the changes, calculate how /*
* FIXME: Should revert all the changes, calculate how
* much space would be needed, set ResultLength * much space would be needed, set ResultLength
* accordingly and fail. * accordingly and fail.
*/ */
@ -2044,7 +2045,8 @@ NtAdjustPrivilegesToken(IN HANDLE TokenHandle,
} }
else else
{ {
/* FIXME: Should revert all the changes, calculate how /*
* FIXME: Should revert all the changes, calculate how
* much space would be needed, set ResultLength * much space would be needed, set ResultLength
* accordingly and fail. * accordingly and fail.
*/ */