[NTOS:IO][NTOS:PNP] Fix incorrect usage of IopGetRegistryValue

KEY_VALUE_FULL_INFORMATION was not always freed properly
2025-02-23 00:45:24 +00:00 · 2021-03-19 01:07:22 +03:00 · 2021-03-19 01:07:22 +03:00 · aec3d9cc8f
commit aec3d9cc8f
parent 42094071ee
2 changed files with 55 additions and 42 deletions
--- a/ntoskrnl/io/iomgr/driver.c
+++ b/ntoskrnl/io/iomgr/driver.c
@ -195,7 +195,12 @@ IopGetDriverNames(
    if (driverName.Buffer == NULL)
    {
        status = IopGetRegistryValue(ServiceHandle, L"Type", &kvInfo);
-        if (!NT_SUCCESS(status) || kvInfo->Type != REG_DWORD)
+        if (!NT_SUCCESS(status))
+        {
+            ExFreePoolWithTag(basicInfo, TAG_IO);
+            return status;
+        }
+        if (kvInfo->Type != REG_DWORD)
        {
            ExFreePool(kvInfo);
            ExFreePoolWithTag(basicInfo, TAG_IO); // container for serviceName
--- a/ntoskrnl/io/pnpmgr/devaction.c
+++ b/ntoskrnl/io/pnpmgr/devaction.c
@ -419,11 +419,15 @@ PiAttachFilterDriversCallback(
    SERVICE_LOAD_TYPE startType = DisableLoad;

    Status = IopGetRegistryValue(serviceHandle, L"Start", &kvInfo);
-    if (NT_SUCCESS(Status) && kvInfo->Type == REG_DWORD)
+    if (NT_SUCCESS(Status))
    {
-        RtlMoveMemory(&startType,
-                      (PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset),
-                      sizeof(startType));
+        if (kvInfo->Type == REG_DWORD)
+        {
+            RtlMoveMemory(&startType,
+                          (PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset),
+                          sizeof(startType));
+        }
+        
        ExFreePool(kvInfo);
    }

@ -621,52 +625,56 @@ PiCallDriverAddDevice(

    // try to get the class GUID of an instance and its registry key
    Status = IopGetRegistryValue(SubKey, REGSTR_VAL_CLASSGUID, &kvInfo);
-    if (NT_SUCCESS(Status) && kvInfo->Type == REG_SZ && kvInfo->DataLength > sizeof(WCHAR))
+    if (NT_SUCCESS(Status))
    {
-        UNICODE_STRING classGUID = {
-            .MaximumLength = kvInfo->DataLength,
-            .Length = kvInfo->DataLength - sizeof(UNICODE_NULL),
-            .Buffer = (PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset)
-        };
-        HANDLE ccsControlHandle;
+        if (kvInfo->Type == REG_SZ && kvInfo->DataLength > sizeof(WCHAR))
+        {
+            UNICODE_STRING classGUID = {
+                .MaximumLength = kvInfo->DataLength,
+                .Length = kvInfo->DataLength - sizeof(UNICODE_NULL),
+                .Buffer = (PVOID)((ULONG_PTR)kvInfo + kvInfo->DataOffset)
+            };
+            HANDLE ccsControlHandle;

-        Status = IopOpenRegistryKeyEx(&ccsControlHandle, NULL, &ccsControlClass, KEY_READ);
-        if (!NT_SUCCESS(Status))
-        {
-            DPRINT1("IopOpenRegistryKeyEx() failed for \"%wZ\" (status %x)\n",
-                    &ccsControlClass, Status);
-        }
-        else
-        {
-            // open the CCS\Control\Class\<ClassGUID> key
-            Status = IopOpenRegistryKeyEx(&ClassKey, ccsControlHandle, &classGUID, KEY_READ);
-            ZwClose(ccsControlHandle);
+            Status = IopOpenRegistryKeyEx(&ccsControlHandle, NULL, &ccsControlClass, KEY_READ);
            if (!NT_SUCCESS(Status))
            {
-                DPRINT1("Failed to open class key \"%wZ\" (status %x)\n", &classGUID, Status);
-            }
-        }
-
-        if (ClassKey)
-        {
-            // Check the Properties key of a class too
-            // Windows fills some device properties from this key (which is protected)
-            // TODO: add the device properties from this key
-
-            UNICODE_STRING properties = RTL_CONSTANT_STRING(REGSTR_KEY_DEVICE_PROPERTIES);
-            HANDLE propertiesHandle;
-
-            Status = IopOpenRegistryKeyEx(&propertiesHandle, ClassKey, &properties, KEY_READ);
-            if (!NT_SUCCESS(Status))
-            {
-                DPRINT("Properties key failed to open for \"%wZ\" (status %x)\n",
-                       &classGUID, Status);
+                DPRINT1("IopOpenRegistryKeyEx() failed for \"%wZ\" (status %x)\n",
+                        &ccsControlClass, Status);
            }
            else
            {
-                ZwClose(propertiesHandle);
+                // open the CCS\Control\Class\<ClassGUID> key
+                Status = IopOpenRegistryKeyEx(&ClassKey, ccsControlHandle, &classGUID, KEY_READ);
+                ZwClose(ccsControlHandle);
+                if (!NT_SUCCESS(Status))
+                {
+                    DPRINT1("Failed to open class key \"%wZ\" (status %x)\n", &classGUID, Status);
+                }
+            }
+
+            if (ClassKey)
+            {
+                // Check the Properties key of a class too
+                // Windows fills some device properties from this key (which is protected)
+                // TODO: add the device properties from this key
+
+                UNICODE_STRING properties = RTL_CONSTANT_STRING(REGSTR_KEY_DEVICE_PROPERTIES);
+                HANDLE propertiesHandle;
+
+                Status = IopOpenRegistryKeyEx(&propertiesHandle, ClassKey, &properties, KEY_READ);
+                if (!NT_SUCCESS(Status))
+                {
+                    DPRINT("Properties key failed to open for \"%wZ\" (status %x)\n",
+                           &classGUID, Status);
+                }
+                else
+                {
+                    ZwClose(propertiesHandle);
+                }
            }
        }
+        
        ExFreePool(kvInfo);
    }