From 6ee0895a39c9cfe98208209ff9466a63fb7130bd Mon Sep 17 00:00:00 2001
From: Timo Kreuzer
Date: Mon, 9 Oct 2023 21:45:01 +0300
Subject: [PATCH] [NTOS:MM] Attach to the target process in MmMapViewOfSection

This is required to satisfy VAD locking rules.
---
 ntoskrnl/mm/section.c | 49 +++++++++++++++++++++++++++----------------
 1 file changed, 31 insertions(+), 18 deletions(-)

diff --git a/ntoskrnl/mm/section.c b/ntoskrnl/mm/section.c
index 35c36d45cfa..ff77ef77077 100644
--- a/ntoskrnl/mm/section.c
+++ b/ntoskrnl/mm/section.c
@@ -4008,6 +4008,8 @@ MmMapViewOfSection(IN PVOID SectionObject,
     PMMSUPPORT AddressSpace;
     NTSTATUS Status = STATUS_SUCCESS;
     BOOLEAN NotAtBase = FALSE;
+    BOOLEAN IsAttached = FALSE;
+    KAPC_STATE ApcState;
 
     if (MiIsRosSectionObject(SectionObject) == FALSE)
     {
@@ -4031,6 +4033,12 @@ MmMapViewOfSection(IN PVOID SectionObject,
         return STATUS_INVALID_PAGE_PROTECTION;
     }
 
+    if (PsGetCurrentProcess() != Process)
+    {
+        KeStackAttachProcess(&Process->Pcb, &ApcState);
+        IsAttached = TRUE;
+    }
+
     /* FIXME: We should keep this, but it would break code checking equality */
     Protect &= ~PAGE_NOCACHE;
 
@@ -4097,15 +4105,15 @@ MmMapViewOfSection(IN PVOID SectionObject,
         /* Fail if the user requested a fixed base address. */
         if ((*BaseAddress) != NULL)
         {
-            MmUnlockAddressSpace(AddressSpace);
-            return STATUS_CONFLICTING_ADDRESSES;
+            Status = STATUS_CONFLICTING_ADDRESSES;
+            goto Exit;
         }
         /* Otherwise find a gap to map the image. */
         ImageBase = (ULONG_PTR)MmFindGap(AddressSpace, PAGE_ROUND_UP(ImageSize), MM_VIRTMEM_GRANULARITY, FALSE);
         if (ImageBase == 0)
         {
-            MmUnlockAddressSpace(AddressSpace);
-            return STATUS_CONFLICTING_ADDRESSES;
+            Status = STATUS_CONFLICTING_ADDRESSES;
+            goto Exit;
         }
         /* Remember that we loaded image at a different base address */
         NotAtBase = TRUE;
@@ -4136,8 +4144,7 @@ MmMapViewOfSection(IN PVOID SectionObject,
                 MmUnlockSectionSegment(&SectionSegments[i]);
             }
 
-            MmUnlockAddressSpace(AddressSpace);
-            return Status;
+            goto Exit;
         }
     }
 
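Review bot: The attach added in the second hunk (`@@ -4031`) is not itself balanced by the hunks that follow it; every failure path after `KeStackAttachProcess` must now reach the `Exit` label, and the roughly sixty lines between this hunk and `@@ -4097` are not in the patch, so any direct `return` left there (in particular before the address space is locked) would leave the thread attached to `Process`, which is a lifetime and privilege-context error that is hard to spot later. The converse also holds: a `goto Exit` placed before `MmLockAddressSpace` would call `MmUnlockAddressSpace` on an unheld lock, so failures between the attach and the lock need detach-then-return rather than the label. A one-line comment above the new block, `/* Attach to the target process so address-space/VAD locking runs in its context; every later failure must leave through Exit */`, would state the invariant the commit message only implies. MmMapViewOfSection's signature and the lock acquisition are outside these hunks, so this is inferred from the goto targets, not seen.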
@@ -4160,22 +4167,22 @@ MmMapViewOfSection(IN PVOID SectionObject,
         if ((Protect & (PAGE_READWRITE|PAGE_EXECUTE_READWRITE)) &&
             !(Section->InitialPageProtection & (PAGE_READWRITE|PAGE_EXECUTE_READWRITE)))
         {
-            MmUnlockAddressSpace(AddressSpace);
-            return STATUS_SECTION_PROTECTION;
+            Status = STATUS_SECTION_PROTECTION;
+            goto Exit;
         }
         /* check for read access */
         if ((Protect & (PAGE_READONLY|PAGE_WRITECOPY|PAGE_EXECUTE_READ|PAGE_EXECUTE_WRITECOPY)) &&
             !(Section->InitialPageProtection & (PAGE_READONLY|PAGE_READWRITE|PAGE_WRITECOPY|PAGE_EXECUTE_READ|PAGE_EXECUTE_READWRITE|PAGE_EXECUTE_WRITECOPY)))
         {
-            MmUnlockAddressSpace(AddressSpace);
-            return STATUS_SECTION_PROTECTION;
+            Status = STATUS_SECTION_PROTECTION;
+            goto Exit;
         }
         /* check for execute access */
         if ((Protect & (PAGE_EXECUTE|PAGE_EXECUTE_READ|PAGE_EXECUTE_READWRITE|PAGE_EXECUTE_WRITECOPY)) &&
             !(Section->InitialPageProtection & (PAGE_EXECUTE|PAGE_EXECUTE_READ|PAGE_EXECUTE_READWRITE|PAGE_EXECUTE_WRITECOPY)))
         {
-            MmUnlockAddressSpace(AddressSpace);
-            return STATUS_SECTION_PROTECTION;
+            Status = STATUS_SECTION_PROTECTION;
+            goto Exit;
         }
 
         if (SectionOffset == NULL)
@@ -4189,8 +4196,8 @@ MmMapViewOfSection(IN PVOID SectionObject,
 
         if ((ViewOffset % PAGE_SIZE) != 0)
         {
-            MmUnlockAddressSpace(AddressSpace);
-            return STATUS_MAPPED_ALIGNMENT;
+            Status = STATUS_MAPPED_ALIGNMENT;
+            goto Exit;
         }
 
         if ((*ViewSize) == 0)
@@ -4219,18 +4226,24 @@ MmMapViewOfSection(IN PVOID SectionObject,
         MmUnlockSectionSegment(Segment);
         if (!NT_SUCCESS(Status))
         {
-            MmUnlockAddressSpace(AddressSpace);
-            return Status;
+            goto Exit;
         }
     }
 
-    MmUnlockAddressSpace(AddressSpace);
-
     if (NotAtBase)
         Status = STATUS_IMAGE_NOT_AT_BASE;
     else
         Status = STATUS_SUCCESS;
 
+Exit:
+
+    MmUnlockAddressSpace(AddressSpace);
+
+    if (IsAttached)
+    {
+        KeUnstackDetachProcess(&ApcState);
+    }
+
     return Status;
 }
 
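Review bot: The `Exit` label in the last hunk (`@@ -4219`) carries two preconditions that nothing in the code states: the address space lock must be held on every jump to it, and the unlock must stay ahead of `KeUnstackDetachProcess` so the lock is released in the same process context it was taken in. Both hold for the jumps in these hunks, since each `goto Exit` replaced an explicit `MmUnlockAddressSpace` call, but a future `goto Exit` added before the lock is acquired would unlock an unheld lock and the label gives no hint of that. A comment at the label, `/* Exit: address space lock is held here; release it before detaching from the target process */`, would document the contract. The `if (IsAttached)` guard is correct as written, since `ApcState` is only meaningful when the attach at `@@ -4031` actually ran.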