From a07571a47c09ac1d6667404ad2badd772a9b9101 Mon Sep 17 00:00:00 2001 From: Art Yerkes Date: Fri, 1 Oct 2004 04:00:11 +0000 Subject: [PATCH] pool.c: assert irql and pool type for PASSIVE_LEVEL and above. ntoskrnl/ob/security.c: This function did not either identify the new descriptor as self relative nor honor the case where self-relative was not set. Now fixed. Bug identified by WaxDragon (while loading a cygwin app) svn path=/trunk/; revision=11140 --- reactos/ntoskrnl/mm/pool.c | 18 +++++++++++++++- reactos/ntoskrnl/ob/security.c | 38 +++++++++++++++++++++++++--------- 2 files changed, 45 insertions(+), 11 deletions(-) diff --git a/reactos/ntoskrnl/mm/pool.c b/reactos/ntoskrnl/mm/pool.c index 7c38ba16b32..38d9666a016 100644 --- a/reactos/ntoskrnl/mm/pool.c +++ b/reactos/ntoskrnl/mm/pool.c @@ -1,4 +1,4 @@ -/* $Id: pool.c,v 1.33 2004/08/21 20:05:35 tamlin Exp $ +/* $Id: pool.c,v 1.34 2004/10/01 04:00:11 arty Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -93,6 +93,9 @@ ExAllocatePool (POOL_TYPE PoolType, ULONG NumberOfBytes) */ { PVOID Block; + ASSERT_IRQL(DISPATCH_LEVEL); + assert(KeGetCurrentIrql() == PASSIVE_LEVEL || PoolType == NonPagedPool); + #if defined(__GNUC__) Block = EiAllocatePool(PoolType, @@ -120,6 +123,10 @@ PVOID STDCALL ExAllocatePoolWithTag (ULONG PoolType, ULONG NumberOfBytes, ULONG Tag) { PVOID Block; + + ASSERT_IRQL(DISPATCH_LEVEL); + assert(KeGetCurrentIrql() == PASSIVE_LEVEL || PoolType != PagedPool); + #if defined(__GNUC__) Block = EiAllocatePool(PoolType, @@ -161,6 +168,9 @@ ExAllocatePoolWithTagPriority( IN EX_POOL_PRIORITY Priority ) { + ASSERT_IRQL(DISPATCH_LEVEL); + assert(KeGetCurrentIrql() == PASSIVE_LEVEL || PoolType != PagedPool); + /* Check if this is one of the "Special" Flags, used by the Verifier */ if (Priority & 8) { /* Check if this is a xxSpecialUnderrun */ 
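Review bot: The pool-type predicate in the new asserts is not the same across the four allocators: the `@@ -93` hunk (ExAllocatePool) and the `@@ -188` hunk (ExAllocatePoolWithQuotaTag) use `PoolType == NonPagedPool`, while the `@@ -120` (ExAllocatePoolWithTag) and `@@ -161` (ExAllocatePoolWithTagPriority) hunks use `PoolType != PagedPool`. If POOL_TYPE follows the NT enumeration, the first form fires at DISPATCH_LEVEL for legitimate non-paged variants such as NonPagedPoolCacheAligned, and the second lets PagedPoolCacheAligned through, so neither expresses the intended rule "paged pool only at PASSIVE_LEVEL". Define the predicate once, as a helper macro that tests for the paged variants (PagedPool and PagedPoolCacheAligned), and use it in all four functions so the checks cannot drift apart again. A one-line comment above the helper stating the rule, `/* Paged pool may only be touched at PASSIVE_LEVEL */`, would also document why the assert exists.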
@@ -188,6 +198,9 @@ ExAllocatePoolWithQuotaTag (IN POOL_TYPE PoolType, PVOID Block; PEPROCESS Process; + ASSERT_IRQL(DISPATCH_LEVEL); + assert(KeGetCurrentIrql() == PASSIVE_LEVEL || PoolType == NonPagedPool); + /* Allocate the Pool First */ Block = EiAllocatePool(PoolType, NumberOfBytes, @@ -232,6 +245,8 @@ ExAllocatePoolWithQuotaTag (IN POOL_TYPE PoolType, VOID STDCALL ExFreePool(IN PVOID Block) { + ASSERT_IRQL(DISPATCH_LEVEL); + if (Block >= MmPagedPoolBase && (char*)Block < ((char*)MmPagedPoolBase + MmPagedPoolSize)) { ExFreePagedPool(Block); @@ -248,6 +263,7 @@ ExFreePool(IN PVOID Block) VOID STDCALL ExFreePoolWithTag(IN PVOID Block, IN ULONG Tag) { + ASSERT_IRQL(DISPATCH_LEVEL); /* FIXME: Validate the tag */ ExFreePool(Block); } diff --git a/reactos/ntoskrnl/ob/security.c b/reactos/ntoskrnl/ob/security.c index f6eadd65fe8..4d1000a9c18 100644 --- a/reactos/ntoskrnl/ob/security.c +++ b/reactos/ntoskrnl/ob/security.c @@ -266,18 +266,22 @@ NtSetSecurityObject(IN HANDLE Handle, { if (SecurityDescriptor->Owner != NULL) { - Owner = (PSID)((ULONG_PTR)SecurityDescriptor->Owner + (ULONG_PTR)SecurityDescriptor); - OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4); + if( SecurityDescriptor->Control & SE_SELF_RELATIVE ) + Owner = (PSID)((ULONG_PTR)SecurityDescriptor->Owner + + (ULONG_PTR)SecurityDescriptor); + else + Owner = (PSID)SecurityDescriptor->Owner; + OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4); } Control |= (SecurityDescriptor->Control & SE_OWNER_DEFAULTED); } else { if (ObjectSd->Owner != NULL) - { + { Owner = (PSID)((ULONG_PTR)ObjectSd->Owner + (ULONG_PTR)ObjectSd); OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4); - } + } Control |= (ObjectSd->Control & SE_OWNER_DEFAULTED); } 
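Review bot: ExFreePool (the `@@ -232` hunk) only gains `ASSERT_IRQL(DISPATCH_LEVEL)`, although the address-range test on the following lines already tells it whether the block lives in paged pool, and freeing a paged-pool block at DISPATCH_LEVEL is as invalid as allocating one, which the allocator hunks now assert. Consider placing the stricter check inside the paged branch, `if (Block >= MmPagedPoolBase && (char*)Block < ((char*)MmPagedPoolBase + MmPagedPoolSize)) { ASSERT_IRQL(PASSIVE_LEVEL); ExFreePagedPool(Block); }`, assuming ASSERT_IRQL asserts "at or below" as its pairing with the `== PASSIVE_LEVEL` asserts in the allocators suggests. The ExFreePoolWithTag hunk (`@@ -248`) forwards to ExFreePool and would inherit the check. The body of ExFreePool continues past the hunk.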
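Review bot: The new `SE_SELF_RELATIVE` branch in the Owner block computes `Owner` from `SecurityDescriptor->Owner` and then reads through it in `RtlLengthSid(Owner)` without checking that the offset, or in the absolute case the pointer, lies inside the caller's descriptor. NtSetSecurityObject is an Nt entry point, so unless the descriptor has already been captured and validated before this hunk (the function starts outside it), both the relative offset and the absolute `Owner` pointer are caller-controlled and need to be bounded against the descriptor's length before any read; validating the descriptor once up front, with each offset checked against the captured size, would cover all four blocks. The Group (`@@ -286`), Dacl (`@@ -307`) and Sacl (`@@ -329`) hunks repeat the same pattern, and the Dacl/Sacl ones additionally read `->AclSize` from the referenced memory and turn it into the copy length, so an unchecked value there sizes the later copy. As a point of style, the four identical `if( ... ) ... else ...` resolutions are written without braces, unlike the rest of the file, and would read better as one small static helper that returns the resolved pointer for a descriptor field. NtSetSecurityObject's body continues past the hunk.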
@@ -286,8 +290,12 @@ NtSetSecurityObject(IN HANDLE Handle, { if (SecurityDescriptor->Group != NULL) { - Group = (PSID)((ULONG_PTR)SecurityDescriptor->Group + (ULONG_PTR)SecurityDescriptor); - GroupLength = ROUND_UP(RtlLengthSid(Group), 4); + if( SecurityDescriptor->Control & SE_SELF_RELATIVE ) + Group = (PSID)((ULONG_PTR)SecurityDescriptor->Group + + (ULONG_PTR)SecurityDescriptor); + else + Group = (PSID)SecurityDescriptor->Group; + GroupLength = ROUND_UP(RtlLengthSid(Group), 4); } Control |= (SecurityDescriptor->Control & SE_GROUP_DEFAULTED); } @@ -307,7 +315,12 @@ NtSetSecurityObject(IN HANDLE Handle, if ((SecurityDescriptor->Control & SE_DACL_PRESENT) && (SecurityDescriptor->Dacl != NULL)) { - Dacl = (PACL)((ULONG_PTR)SecurityDescriptor->Dacl + (ULONG_PTR)SecurityDescriptor); + if( SecurityDescriptor->Control & SE_SELF_RELATIVE ) + Dacl = (PACL)((ULONG_PTR)SecurityDescriptor->Dacl + + (ULONG_PTR)SecurityDescriptor); + else + Dacl = (PACL)SecurityDescriptor->Dacl; + DaclLength = ROUND_UP((ULONG)Dacl->AclSize, 4); } Control |= (SecurityDescriptor->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT)); @@ -329,8 +342,12 @@ NtSetSecurityObject(IN HANDLE Handle, if ((SecurityDescriptor->Control & SE_SACL_PRESENT) && (SecurityDescriptor->Sacl != NULL)) { - Sacl = (PACL)((ULONG_PTR)SecurityDescriptor->Sacl + (ULONG_PTR)SecurityDescriptor); - SaclLength = ROUND_UP((ULONG)Sacl->AclSize, 4); + if( SecurityDescriptor->Control & SE_SELF_RELATIVE ) + Sacl = (PACL)((ULONG_PTR)SecurityDescriptor->Sacl + + (ULONG_PTR)SecurityDescriptor); + else + Sacl = (PACL)SecurityDescriptor->Sacl; + SaclLength = ROUND_UP((ULONG)Sacl->AclSize, 4); } Control |= (SecurityDescriptor->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT)); } 
@@ -356,7 +373,8 @@ NtSetSecurityObject(IN HANDLE Handle, RtlCreateSecurityDescriptor(NewSd, SECURITY_DESCRIPTOR_REVISION1); - NewSd->Control = Control; + /* We always build a self-relative descriptor */ + NewSd->Control = Control | SE_SELF_RELATIVE; Current = (ULONG_PTR)NewSd + sizeof(SECURITY_DESCRIPTOR);