[NTOS:SE] Cast the ACE to known ACE type variants on SepGetSidFromAce

ACCESS_DENIED_ACE_TYPE, ACCESS_ALLOWED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE and SYSTEM_ALARM_ACE_TYPE belong to the same commonly internal ACE type, aka KNOWN_ACE, as each of these ACEs have the same structure field offsets. The only difference are ACCESS_DENIED_OBJECT_ACE_TYPE and ACCESS_ALLOWED_OBJECT_ACE_TYPE as they have their own internal ACE type variant, the KNOWN_OBJECT_ACE structure. The general guideline is that public ACE structure variants have to be used elsehwere such as in UM whilst the kernel has to use the internal known ACE type variants when possible.
2025-02-22 16:36:33 +00:00 · 2023-07-16 20:45:13 +02:00 · 2023-07-16 20:45:13 +02:00 · 8289de6ef7
commit 8289de6ef7
parent a42f642ea1
2 changed files with 20 additions and 26 deletions
--- a/ntoskrnl/se/sid.c
+++ b/ntoskrnl/se/sid.c
@ -580,51 +580,41 @@ SepGetSidFromAce(
    _In_ UCHAR AceType,
    _In_ PACE Ace)
 {
-    PSID Sid;
+    PULONG Flags;
+    ULONG GuidSize = 0;
+    PSID Sid = NULL;
    PAGED_CODE();

    /* Sanity check */
    ASSERT(Ace);

-    /* Initialize the SID */
-    Sid = NULL;
-
    /* Obtain the SID based upon ACE type */
    switch (AceType)
    {
        case ACCESS_DENIED_ACE_TYPE:
-        {
-            Sid = (PSID)&((PACCESS_DENIED_ACE)Ace)->SidStart;
-            break;
-        }
-
        case ACCESS_ALLOWED_ACE_TYPE:
+        case SYSTEM_AUDIT_ACE_TYPE:
+        case SYSTEM_ALARM_ACE_TYPE:
        {
-            Sid = (PSID)&((PACCESS_ALLOWED_ACE)Ace)->SidStart;
+            Sid = (PSID)&((PKNOWN_ACE)Ace)->SidStart;
            break;
        }

        case ACCESS_DENIED_OBJECT_ACE_TYPE:
-        {
-            Sid = (PSID)&((PACCESS_DENIED_OBJECT_ACE)Ace)->SidStart;
-            break;
-        }
-
        case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
        {
-            Sid = (PSID)&((PACCESS_ALLOWED_OBJECT_ACE)Ace)->SidStart;
-            break;
-        }
+            Flags = (PULONG)&((PKNOWN_OBJECT_ACE)Ace)->Flags;
+            if (*Flags & ACE_OBJECT_TYPE_PRESENT)
+            {
+                GuidSize += sizeof(GUID);
+            }

-        case SYSTEM_AUDIT_ACE_TYPE:
-        {
-            Sid = (PSID)&((PSYSTEM_AUDIT_ACE)Ace)->SidStart;
-            break;
-        }
+            if (*Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT)
+            {
+                GuidSize += sizeof(GUID);
+            }

-        case SYSTEM_ALARM_ACE_TYPE:
-        {
-            Sid = (PSID)&((PSYSTEM_ALARM_ACE)Ace)->SidStart;
+            Sid = (PSID)((ULONG_PTR)&((PKNOWN_OBJECT_ACE)Ace)->SidStart + GuidSize);
            break;
        }

--- a/sdk/include/xdk/setypes.h
+++ b/sdk/include/xdk/setypes.h
@ -801,6 +801,10 @@ typedef struct _SYSTEM_MANDATORY_LABEL_ACE {
  $ULONG SidStart;
 } SYSTEM_MANDATORY_LABEL_ACE, *PSYSTEM_MANDATORY_LABEL_ACE;

+/* Object ACE flags */
+#define ACE_OBJECT_TYPE_PRESENT           0x00000001
+#define ACE_INHERITED_OBJECT_TYPE_PRESENT 0x00000002
+
 #define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP   0x1
 #define SYSTEM_MANDATORY_LABEL_NO_READ_UP    0x2
 #define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP 0x4