- correctly deny access to handles when rights requested can't be granted

- map generic rights correctly
- various fixes where handles with inappropriate access rights were created

svn path=/trunk/; revision=14197
Thomas Bluemel 2005-03-19 19:13:01 +00:00
parent 6f3c732b92
commit 6c8fad94ac
22 changed files with 129 additions and 89 deletions


@ -10,7 +10,10 @@ typedef enum _KEY_INFORMATION_CLASS
{
KeyBasicInformation,
KeyNodeInformation,
KeyFullInformation
KeyFullInformation,
KeyNameInformation,
KeyCachedInformation,
KeyFlagsInformation
} KEY_INFORMATION_CLASS;
typedef struct _KEY_BASIC_INFORMATION


@ -222,7 +222,7 @@ OpenUsersKey (PHANDLE KeyHandle)
NULL,
NULL);
return NtOpenKey (KeyHandle,
KEY_ALL_ACCESS,
MAXIMUM_ALLOWED,
&Attributes);
}
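Review bot: `MAXIMUM_ALLOWED` at the NtOpenKey call in OpenUsersKey is not a least-privilege mask: in this same commit ObCreateHandle rewrites MAXIMUM_ALLOWED to GENERIC_ALL before mapping it, so the returned handle is still effectively an all-access one, just as it was with KEY_ALL_ACCESS. If the callers of OpenUsersKey only read the key (the name suggests a lookup helper), an explicit mask such as `KEY_READ,` is preferable and fails at open time rather than at first use when the right cannot be granted. If MAXIMUM_ALLOWED has to stay, a comment that callers must not assume any specific right on the returned handle, e.g. `/* granted rights depend on the caller; do not assume KEY_ALL_ACCESS */`, would record the contract.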


@ -221,7 +221,7 @@ RemoveDirectoryW (
DPRINT("NtPathU '%S'\n", NtPathU.Buffer);
Status = NtCreateFile (&DirectoryHandle,
FILE_WRITE_ATTRIBUTES, /* 0x110080 */
DELETE,
&ObjectAttributes,
&IoStatusBlock,
NULL,


@ -682,7 +682,7 @@ LdrpMapDllImageFile(IN PWSTR SearchPath OPTIONAL,
SECTION_ALL_ACCESS,
NULL,
NULL,
PAGE_READWRITE,
PAGE_READONLY,
SEC_COMMIT | (MapAsDataFile ? 0 : SEC_IMAGE),
FileHandle);
NtClose(FileHandle);
@ -2048,7 +2048,7 @@ LdrpLoadModule(IN PWSTR SearchPath OPTIONAL,
&ViewSize,
0,
MEM_COMMIT,
PAGE_READWRITE);
PAGE_READONLY);
if (!NT_SUCCESS(Status))
{
DPRINT1("map view of section failed (Status %x)\n", Status);
@ -2875,10 +2875,10 @@ LdrVerifyImageMatchesChecksum (IN HANDLE FileHandle,
DPRINT ("LdrVerifyImageMatchesChecksum() called\n");
Status = NtCreateSection (&SectionHandle,
SECTION_MAP_EXECUTE,
SECTION_MAP_READ,
NULL,
NULL,
PAGE_EXECUTE,
PAGE_READONLY,
SEC_COMMIT,
FileHandle);
if (!NT_SUCCESS(Status))
@ -2898,7 +2898,7 @@ LdrVerifyImageMatchesChecksum (IN HANDLE FileHandle,
&ViewSize,
ViewShare,
0,
PAGE_EXECUTE);
PAGE_READONLY);
if (!NT_SUCCESS(Status))
{
DPRINT1 ("NtMapViewOfSection() failed (Status %lx)\n", Status);
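Review bot: The view mapped by NtMapViewOfSection in LdrpLoadModule is now PAGE_READONLY, so any in-place fixup of the mapped image performed later in that function or its helpers (relocation or import patching; the body continues outside the hunk) would fault unless the affected pages are re-protected first — worth confirming, because the previous PAGE_READWRITE mapping hid that requirement. The same consideration applies to the LdrpMapSystemDll section changed later in this commit. In LdrVerifyImageMatchesChecksum the section is now created SECTION_MAP_READ/PAGE_READONLY, which only works if the caller's FileHandle was opened with FILE_READ_DATA; a comment on the parameter, `/* FileHandle must grant FILE_READ_DATA: the image is mapped read-only */`, makes that contract visible to callers.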


@ -290,8 +290,8 @@ RtlSetCurrentDirectory_U(PUNICODE_STRING dir)
}
/* don't keep the directory handle open on removable media */
if (!NtQueryVolumeInformationFile( handle, &iosb, &device_info,
sizeof(device_info), FileFsDeviceInformation ) &&
if (NT_SUCCESS(NtQueryVolumeInformationFile( handle, &iosb, &device_info,
sizeof(device_info), FileFsDeviceInformation )) &&
(device_info.Characteristics & FILE_REMOVABLE_MEDIA))
{
DPRINT1("don't keep the directory handle open on removable media\n");


@ -1133,7 +1133,7 @@ SetSystemLocalTime(HWND hwnd, PSETUPDATA SetupData)
*/
if(OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES,
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken))
{
priv.PrivilegeCount = 1;
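Review bot: The added `TOKEN_QUERY` is only needed when AdjustTokenPrivileges is called with a non-NULL PreviousState buffer — the kernel-side change in this commit, NtAdjustPrivilegesToken, requests TOKEN_QUERY in exactly that case — so if the call that follows (outside the hunk) passes NULL for PreviousState, `TOKEN_ADJUST_PRIVILEGES,` alone is the least-privilege mask. If the wider mask is deliberate, a comment such as `/* TOKEN_QUERY: AdjustTokenPrivileges reports the previous state */` would explain why it is requested.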


@ -460,10 +460,13 @@ NtEnumerateKey(IN HANDLE KeyHandle,
PKEY_FULL_INFORMATION FullInformation;
PDATA_CELL ClassCell;
ULONG NameSize, ClassSize;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
PAGED_CODE();
PreviousMode = ExGetPreviousMode();
DPRINT("KH %x I %d KIC %x KI %x L %d RL %x\n",
KeyHandle,
Index,
@ -476,7 +479,7 @@ NtEnumerateKey(IN HANDLE KeyHandle,
Status = ObReferenceObjectByHandle(KeyHandle,
KEY_ENUMERATE_SUB_KEYS,
CmiKeyType,
UserMode,
PreviousMode,
(PVOID *) &KeyObject,
NULL);
if (!NT_SUCCESS(Status))
@ -1056,7 +1059,7 @@ NtFlushKey(IN HANDLE KeyHandle)
/* Verify that the handle is valid and is a registry key */
Status = ObReferenceObjectByHandle(KeyHandle,
KEY_QUERY_VALUE,
0,
CmiKeyType,
PreviousMode,
(PVOID *)&KeyObject,
@ -1218,7 +1221,7 @@ NtQueryKey(IN HANDLE KeyHandle,
/* Verify that the handle is valid and is a registry key */
Status = ObReferenceObjectByHandle(KeyHandle,
KEY_READ,
(KeyInformationClass != KeyNameInformation ? KEY_QUERY_VALUE : 0),
CmiKeyType,
UserMode,
(PVOID *) &KeyObject,
@ -1377,6 +1380,13 @@ NtQueryKey(IN HANDLE KeyHandle,
}
break;
case KeyNameInformation:
case KeyCachedInformation:
case KeyFlagsInformation:
DPRINT1("Key information class 0x%x not yet implemented!\n", KeyInformationClass);
Status = STATUS_NOT_IMPLEMENTED;
break;
default:
DPRINT1("Not handling 0x%x\n", KeyInformationClass);
Status = STATUS_INVALID_INFO_CLASS;
@ -1658,14 +1668,12 @@ NtSetValueKey(IN HANDLE KeyHandle,
KeyHandle, ValueName, Type);
DesiredAccess = KEY_SET_VALUE;
if (Type == REG_LINK)
DesiredAccess |= KEY_CREATE_LINK;
/* Verify that the handle is valid and is a registry key */
Status = ObReferenceObjectByHandle(KeyHandle,
DesiredAccess,
CmiKeyType,
UserMode,
ExGetPreviousMode(),
(PVOID *)&KeyObject,
NULL);
if (!NT_SUCCESS(Status))
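Review bot: `UserMode` is still hard-coded at the ObReferenceObjectByHandle call in NtQueryKey, while NtEnumerateKey and NtSetValueKey in the same file now pass the previous mode; with the new deny-on-insufficient-rights check in ObReferenceObjectByHandle, kernel callers of ZwQueryKey are therefore checked as if they were user mode, so the line should become `ExGetPreviousMode(),` as NtSetValueKey does. NtFlushKey now references its key with a desired access of `0`, which means a handle opened with no rights at all can trigger a hive flush; if that mirrors the intended Windows semantics it deserves a comment on the line, e.g. `/* no specific key right is required to flush */`, otherwise a minimal right should be requested. The enclosing functions start outside these hunks.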


@ -423,7 +423,7 @@ CmInitializeRegistry(VOID)
ASSERT(NT_SUCCESS(Status));
Status = ObInsertObject(RootKey,
NULL,
STANDARD_RIGHTS_REQUIRED,
KEY_ALL_ACCESS,
0,
NULL,
&RootKeyHandle);
@ -462,7 +462,7 @@ CmInitializeRegistry(VOID)
RootKeyHandle,
NULL);
Status = ZwCreateKey(&KeyHandle,
STANDARD_RIGHTS_REQUIRED,
KEY_ALL_ACCESS,
&ObjectAttributes,
0,
NULL,
@ -479,7 +479,7 @@ CmInitializeRegistry(VOID)
RootKeyHandle,
NULL);
Status = ZwCreateKey(&KeyHandle,
STANDARD_RIGHTS_REQUIRED,
KEY_ALL_ACCESS,
&ObjectAttributes,
0,
NULL,


@ -448,9 +448,6 @@ IoCreateFile(OUT PHANDLE FileHandle,
return Status;
}
RtlMapGenericMask(&DesiredAccess,
BODY_TO_HEADER(FileObject)->ObjectType->Mapping);
Status = ObInsertObject ((PVOID)FileObject,
NULL,
DesiredAccess,


@ -349,7 +349,10 @@ IoGetDeviceObjectPointer(
FILE_NON_DIRECTORY_FILE);
if (!NT_SUCCESS(Status))
{
DPRINT1("NtOpenFile failed, Status: 0x%x\n", Status);
return Status;
}
Status = ObReferenceObjectByHandle(
FileHandle,


@ -960,7 +960,7 @@ IoCreateDriverList(VOID)
NULL);
Status = ZwOpenKey(&KeyHandle,
0x10001,
KEY_ENUMERATE_SUB_KEYS,
&ObjectAttributes);
if (!NT_SUCCESS(Status))
{


@ -50,7 +50,7 @@ NtQueryInformationFile(HANDLE FileHandle,
PreviousMode = ExGetPreviousMode();
Status = ObReferenceObjectByHandle(FileHandle,
FILE_READ_ATTRIBUTES,
0, /* FIXME - access depends on the information class! */
IoFileObjectType,
PreviousMode,
(PVOID *)&FileObject,
@ -402,7 +402,7 @@ NtSetInformationFile(HANDLE FileHandle,
/* Get the file object from the file handle */
Status = ObReferenceObjectByHandle(FileHandle,
FILE_WRITE_ATTRIBUTES,
0, /* FIXME - depends on the information class */
IoFileObjectType,
PreviousMode,
(PVOID *)&FileObject,
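Review bot: Replacing FILE_READ_ATTRIBUTES and FILE_WRITE_ATTRIBUTES with `0` in NtQueryInformationFile and NtSetInformationFile (and in NtQueryVolumeInformationFile in a later hunk of this commit) removes the access check entirely until the FIXME is resolved: a handle opened with no rights can now set every information class, including FileDispositionInformation and FileRenameInformation, which require DELETE. NtQueryKey in this same commit already derives the desired mask from the information class inline; the same pattern here keeps the minimal right for the classes whose requirement is well defined and falls back to 0 only for the rest, so the FIXME shrinks instead of disabling the check. The switch below, placed before the ObReferenceObjectByHandle call in NtSetInformationFile, is enough (the class parameter is `FileInformationClass` in the NT prototype; the local name in this file is outside the hunk, as is the start of the function).
```c
    /* minimal right per information class; classes not listed keep the
       FIXME behaviour of requiring nothing until a full table exists */
    ACCESS_MASK DesiredAccess;
    switch (FileInformationClass)
    {
        case FileBasicInformation:
            DesiredAccess = FILE_WRITE_ATTRIBUTES;
            break;
        case FileDispositionInformation:
        case FileRenameInformation:
            DesiredAccess = DELETE;
            break;
        case FileEndOfFileInformation:
        case FileAllocationInformation:
            DesiredAccess = FILE_WRITE_DATA;
            break;
        default:
            DesiredAccess = 0; /* FIXME - depends on the information class */
            break;
    }
    Status = ObReferenceObjectByHandle(FileHandle,
                                       DesiredAccess,
                                       IoFileObjectType,
                                       PreviousMode,
                                       (PVOID *)&FileObject,
    /* … unchanged: remaining arguments and status check … */
```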


@ -34,9 +34,9 @@ ULONG IoOtherOperationCount = 0;
ULONGLONG IoOtherTransferCount = 0;
KSPIN_LOCK EXPORTED IoStatisticsLock = 0;
static GENERIC_MAPPING IopFileMapping = {FILE_GENERIC_READ,
FILE_GENERIC_WRITE,
FILE_GENERIC_EXECUTE,
static GENERIC_MAPPING IopFileMapping = {STANDARD_RIGHTS_READ | SYNCHRONIZE | FILE_READ_DATA | FILE_READ_PROPERTIES,
STANDARD_RIGHTS_WRITE | SYNCHRONIZE | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_PROPERTIES,
STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE | FILE_EXECUTE | FILE_READ_ATTRIBUTES,
FILE_ALL_ACCESS};
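Review bot: The expanded GenericRead and GenericWrite entries of IopFileMapping omit FILE_READ_ATTRIBUTES and FILE_WRITE_ATTRIBUTES, which the winnt.h definitions of FILE_GENERIC_READ and FILE_GENERIC_WRITE include (FILE_READ_PROPERTIES and FILE_WRITE_PROPERTIES are the EA rights, not the attribute rights). Because ObCreateHandle now maps generic bits through this table, a file opened with GENERIC_READ gets a handle without FILE_READ_ATTRIBUTES and will fail any later ObReferenceObjectByHandle that asks for it — for instance once the FIXMEs in NtQueryInformationFile are resolved. If the named macros were replaced because the project's FILE_GENERIC_* values were wrong, the explicit lists should still carry the attribute bits: `STANDARD_RIGHTS_READ | SYNCHRONIZE | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA` and `STANDARD_RIGHTS_WRITE | SYNCHRONIZE | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA`.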
/* FUNCTIONS ****************************************************************/


@ -107,7 +107,7 @@ NtQueryVolumeInformationFile(IN HANDLE FileHandle,
PreviousMode = ExGetPreviousMode();
Status = ObReferenceObjectByHandle(FileHandle,
FILE_READ_ATTRIBUTES,
0, /* FIXME - depends on the information class! */
IoFileObjectType,
PreviousMode,
(PVOID*)&FileObject,


@ -120,7 +120,10 @@ KeRosPrintAddress(PVOID address)
MODULE_TEXT_SECTION* current;
extern LIST_ENTRY ModuleTextListHead;
ULONG_PTR RelativeAddress;
ULONG i = 0;
do
{
current_entry = ModuleTextListHead.Flink;
while (current_entry != &ModuleTextListHead &&
@ -138,6 +141,10 @@ KeRosPrintAddress(PVOID address)
}
current_entry = current_entry->Flink;
}
address = (PVOID)((ULONG_PTR)address & ~0xC0000000);
} while(++i <= 1);
return(FALSE);
}
#endif /* KDBG */
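Review bot: `~0xC0000000` in the added second pass of KeRosPrintAddress hard-codes a 32-bit user/kernel address split as an untyped integer constant; on a 64-bit build the complemented value zero-extends to 0x3FFFFFFF and would truncate the address instead of stripping a region prefix. A typed, named constant (constructed name) with a comment on what is being stripped, e.g. `#define KDBG_KERNEL_ADDR_MASK ((ULONG_PTR)0xC0000000) /* second pass: retry the lookup without the kernel-space prefix */`, would document the intent, and `for (pass = 0; pass < 2; pass++)` reads more directly than `do { ... } while (++i <= 1)`. The function starts outside the hunk.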


@ -144,7 +144,7 @@ NTSTATUS LdrpMapSystemDll(HANDLE ProcessHandle,
SECTION_ALL_ACCESS,
NULL,
NULL,
PAGE_READWRITE,
PAGE_READONLY,
SEC_IMAGE | SEC_COMMIT,
FileHandle);
if (!NT_SUCCESS(Status))


@ -40,6 +40,8 @@
~(EX_HANDLE_ENTRY_PROTECTFROMCLOSE | EX_HANDLE_ENTRY_INHERITABLE | \
EX_HANDLE_ENTRY_AUDITONCLOSE)))
#define GENERIC_ANY (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)
/* FUNCTIONS ***************************************************************/
VOID
@ -549,6 +551,18 @@ ObCreateHandle(PEPROCESS Process,
ASSERT((ULONG_PTR)ObjectHeader & EX_HANDLE_ENTRY_LOCKED);
if (GrantedAccess & MAXIMUM_ALLOWED)
{
GrantedAccess &= ~MAXIMUM_ALLOWED;
GrantedAccess |= GENERIC_ALL;
}
if (GrantedAccess & GENERIC_ANY)
{
RtlMapGenericMask(&GrantedAccess,
ObjectHeader->ObjectType->Mapping);
}
NewEntry.u1.Object = ObjectHeader;
if(Inherit)
NewEntry.u1.ObAttributes |= EX_HANDLE_ENTRY_INHERITABLE;
@ -644,7 +658,6 @@ ObReferenceObjectByHandle(HANDLE Handle,
POBJECT_HEADER ObjectHeader;
PVOID ObjectBody;
ACCESS_MASK GrantedAccess;
PGENERIC_MAPPING GenericMapping;
ULONG Attributes;
NTSTATUS Status;
LONG ExHandle = HANDLE_TO_EX_HANDLE(Handle);
@ -714,6 +727,13 @@ ObReferenceObjectByHandle(HANDLE Handle,
return(STATUS_OBJECT_TYPE_MISMATCH);
}
/* desire as much access rights as possible */
if (DesiredAccess & MAXIMUM_ALLOWED)
{
DesiredAccess &= ~MAXIMUM_ALLOWED;
DesiredAccess |= GENERIC_ALL;
}
KeEnterCriticalRegion();
HandleEntry = ExMapHandleToPointer(PsGetCurrentProcess()->ObjectTable,
@ -730,16 +750,6 @@ ObReferenceObjectByHandle(HANDLE Handle,
DPRINT("locked1: ObjectHeader: 0x%x [HT:0x%x]\n", ObjectHeader, PsGetCurrentProcess()->ObjectTable);
ObReferenceObjectByPointer(ObjectBody,
0,
NULL,
UserMode);
Attributes = HandleEntry->u1.ObAttributes & (EX_HANDLE_ENTRY_PROTECTFROMCLOSE |
EX_HANDLE_ENTRY_INHERITABLE |
EX_HANDLE_ENTRY_AUDITONCLOSE);
GrantedAccess = HandleEntry->u2.GrantedAccess;
GenericMapping = ObjectHeader->ObjectType->Mapping;
if (ObjectType != NULL && ObjectType != ObjectHeader->ObjectType)
{
DPRINT("ObjectType mismatch: %wZ vs %wZ (handle 0x%x)\n", &ObjectType->TypeName, ObjectHeader->ObjectType ? &ObjectHeader->ObjectType->TypeName : NULL, Handle);
@ -748,28 +758,43 @@ ObReferenceObjectByHandle(HANDLE Handle,
HandleEntry);
KeLeaveCriticalRegion();
ObDereferenceObject(ObjectBody);
return(STATUS_OBJECT_TYPE_MISMATCH);
}
/* map the generic access masks if the caller asks for generic access */
if (DesiredAccess & GENERIC_ANY)
{
RtlMapGenericMask(&DesiredAccess,
BODY_TO_HEADER(ObjectBody)->ObjectType->Mapping);
}
GrantedAccess = HandleEntry->u2.GrantedAccess;
/* Unless running as KernelMode, deny access if caller desires more access
rights than the handle can grant */
if(AccessMode != KernelMode && (~GrantedAccess & DesiredAccess))
{
ExUnlockHandleTableEntry(PsGetCurrentProcess()->ObjectTable,
HandleEntry);
KeLeaveCriticalRegion();
if (DesiredAccess && AccessMode != KernelMode)
{
RtlMapGenericMask(&DesiredAccess, GenericMapping);
if (!(GrantedAccess & DesiredAccess) &&
!((~GrantedAccess) & DesiredAccess))
{
ObDereferenceObject(ObjectBody);
CHECKPOINT;
return(STATUS_ACCESS_DENIED);
}
}
ObReferenceObjectByPointer(ObjectBody,
0,
NULL,
UserMode);
Attributes = HandleEntry->u1.ObAttributes & (EX_HANDLE_ENTRY_PROTECTFROMCLOSE |
EX_HANDLE_ENTRY_INHERITABLE |
EX_HANDLE_ENTRY_AUDITONCLOSE);
ExUnlockHandleTableEntry(PsGetCurrentProcess()->ObjectTable,
HandleEntry);
KeLeaveCriticalRegion();
if (HandleInformation != NULL)
{
@ -838,9 +863,6 @@ ObInsertObject(IN PVOID Object,
Access = DesiredAccess;
ObjectHeader = BODY_TO_HEADER(Object);
RtlMapGenericMask(&Access,
ObjectHeader->ObjectType->Mapping);
return(ObCreateHandle(PsGetCurrentProcess(),
Object,
Access,
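Review bot: The MAXIMUM_ALLOWED handling in ObReferenceObjectByHandle turns the request into GENERIC_ALL, which the generic mapping a few lines later expands to the type's full mask, and the new deny check `~GrantedAccess & DesiredAccess` then rejects every user-mode caller whose handle holds less than all access — the opposite of the "as much access rights as possible" intent stated in the comment. Resolve it against the handle instead: remove the block under that comment and, after `GrantedAccess = HandleEntry->u2.GrantedAccess;`, add `if (DesiredAccess & MAXIMUM_ALLOWED) DesiredAccess = (DesiredAccess & ~MAXIMUM_ALLOWED) | GrantedAccess;`, so the check passes and the caller receives exactly the granted set. Separately, ObReferenceObjectByPointer now runs after both the type-mismatch and the access checks, so if `ObDereferenceObject(ObjectBody);` survives on the new side in either early-return path it drops a reference that was never taken; the rendering does not show which side those lines are on, so please confirm they were removed. In ObCreateHandle the same MAXIMUM_ALLOWED-to-GENERIC_ALL substitution is in effect a grant of all access, which deserves a comment such as `/* no security-descriptor check here yet: MAXIMUM_ALLOWED degrades to all access */` so the assumption is not lost.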


@ -412,7 +412,7 @@ ObFindObject(POBJECT_ATTRIBUTES ObjectAttributes,
else
{
Status = ObReferenceObjectByHandle(ObjectAttributes->RootDirectory,
DIRECTORY_TRAVERSE,
0,
NULL,
UserMode,
&CurrentObject,
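Review bot: The root-directory reference in ObFindObject now requests `0` with a NULL type, so no right at all is verified on ObjectAttributes->RootDirectory; the likely reason — the root can be a key, file or other object for relative opens, so DIRECTORY_TRAVERSE (0x2) would be demanded as whatever bit 0x2 means for that type (KEY_SET_VALUE for a key, FILE_WRITE_DATA for a file) — is worth a comment on the line, e.g. `/* RootDirectory may be any object type; the traverse check must wait until the type is known */`. `UserMode` is still hard-coded on the next line even though this same commit moves the cm callers to the previous mode; if ObFindObject has the caller's mode available (its signature starts outside the hunk) it should be passed here for consistency.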


@ -1663,7 +1663,7 @@ NtAdjustPrivilegesToken (IN HANDLE TokenHandle,
// &Length);
Status = ObReferenceObjectByHandle (TokenHandle,
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
TOKEN_ADJUST_PRIVILEGES | (PreviousState != NULL ? TOKEN_QUERY : 0),
SepTokenObjectType,
PreviousMode,
(PVOID*)&Token,


@ -60,7 +60,7 @@ SmpKnownDllsQueryRoutine(PWSTR ValueName,
(HANDLE)Context,
NULL);
Status = NtOpenFile(&FileHandle,
SYNCHRONIZE | FILE_EXECUTE,
SYNCHRONIZE | FILE_EXECUTE | FILE_READ_DATA,
&ObjectAttributes,
&IoStatusBlock,
FILE_SHARE_READ,


@ -327,7 +327,7 @@ ScmCreateServiceDataBase(VOID)
NULL);
Status = RtlpNtOpenKey(&ServicesKey,
0x10001,
KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS,
&ObjectAttributes,
0);
if (!NT_SUCCESS(Status))


@ -84,7 +84,7 @@ SetSetupType (DWORD dwSetupType)
dwError = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
L"SYSTEM\\Setup", //TEXT("SYSTEM\\Setup"),
0,
KEY_QUERY_VALUE,
KEY_SET_VALUE,
&hKey);
if (dwError != ERROR_SUCCESS)
{