protect access to buffers in NtOpenProcess

svn path=/trunk/; revision=18863
Thomas Bluemel 2005-10-29 23:40:05 +00:00
parent e01e983072
commit c55ab58a88


@ -873,7 +873,6 @@ NtCreateProcess(OUT PHANDLE ProcessHandle,
IN HANDLE DebugPort OPTIONAL, IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL) IN HANDLE ExceptionPort OPTIONAL)
{ {
HANDLE hProcess;
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode(); KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
NTSTATUS Status = STATUS_SUCCESS; NTSTATUS Status = STATUS_SUCCESS;
@ -903,9 +902,8 @@ NtCreateProcess(OUT PHANDLE ProcessHandle,
} }
else else
{ {
/* Create a user Process, do NOT pass the pointer to the handle supplied /* Create a user Process */
by the caller directly!!! */ Status = PspCreateProcess(ProcessHandle,
Status = PspCreateProcess(&hProcess,
DesiredAccess, DesiredAccess,
ObjectAttributes, ObjectAttributes,
ParentProcess, ParentProcess,
@ -913,18 +911,6 @@ NtCreateProcess(OUT PHANDLE ProcessHandle,
SectionHandle, SectionHandle,
DebugPort, DebugPort,
ExceptionPort); ExceptionPort);
if (NT_SUCCESS(Status))
{
_SEH_TRY
{
*ProcessHandle = hProcess;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
}
} }
/* Return Status */ /* Return Status */
@ -941,21 +927,67 @@ NtOpenProcess(OUT PHANDLE ProcessHandle,
IN POBJECT_ATTRIBUTES ObjectAttributes, IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId) IN PCLIENT_ID ClientId)
{ {
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode(); KPROCESSOR_MODE PreviousMode;
NTSTATUS Status = STATUS_INVALID_PARAMETER; CLIENT_ID SafeClientId;
PEPROCESS Process; ULONG Attributes = 0;
HANDLE hProcess;
BOOLEAN HasObjectName = FALSE;
PETHREAD Thread = NULL; PETHREAD Thread = NULL;
PEPROCESS Process = NULL;
DPRINT("NtOpenProcess(ProcessHandle %x, DesiredAccess %x, " NTSTATUS Status = STATUS_SUCCESS;
"ObjectAttributes %x, ClientId %x { UniP %d, UniT %d })\n",
ProcessHandle, DesiredAccess, ObjectAttributes, ClientId,
ClientId->UniqueProcess, ClientId->UniqueThread);
PAGED_CODE(); PAGED_CODE();
PreviousMode = KeGetPreviousMode();
/* Probe the paraemeters */
if(PreviousMode != KernelMode)
{
_SEH_TRY
{
ProbeForWriteHandle(ProcessHandle);
if(ClientId != NULL)
{
ProbeForRead(ClientId,
sizeof(CLIENT_ID),
sizeof(ULONG));
SafeClientId = *ClientId;
ClientId = &SafeClientId;
}
/* just probe the object attributes structure, don't capture it
completely. This is done later if necessary */
ProbeForRead(ObjectAttributes,
sizeof(OBJECT_ATTRIBUTES),
sizeof(ULONG));
HasObjectName = (ObjectAttributes->ObjectName != NULL);
Attributes = ObjectAttributes->Attributes;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status)) return Status;
}
else
{
HasObjectName = (ObjectAttributes->ObjectName != NULL);
Attributes = ObjectAttributes->Attributes;
}
if (HasObjectName && ClientId != NULL)
{
/* can't pass both, n object name and a client id */
return STATUS_INVALID_PARAMETER_MIX;
}
/* Open by name if one was given */ /* Open by name if one was given */
DPRINT("Checking type\n"); DPRINT("Checking type\n");
if (ObjectAttributes->ObjectName) /* FIXME - neither probed nor protected! */ if (HasObjectName)
{ {
/* Open it */ /* Open it */
DPRINT("Opening by name\n"); DPRINT("Opening by name\n");
@ -965,36 +997,30 @@ NtOpenProcess(OUT PHANDLE ProcessHandle,
PreviousMode, PreviousMode,
DesiredAccess, DesiredAccess,
NULL, NULL,
ProcessHandle); &hProcess);
if (Status != STATUS_SUCCESS) if (!NT_SUCCESS(Status))
{ {
DPRINT1("Could not open object by name\n"); DPRINT1("Could not open object by name\n");
} }
/* Return Status */
DPRINT("Found: %x\n", ProcessHandle);
return(Status);
} }
else if (ClientId) else if (ClientId != NULL)
{ {
/* Open by Thread ID */ /* Open by Thread ID */
if (ClientId->UniqueThread) /* FIXME - neither probed nor protected! */ if (ClientId->UniqueThread)
{ {
/* Get the Process */ /* Get the Process */
DPRINT("Opening by Thread ID: %x\n", ClientId->UniqueThread); /* FIXME - neither probed nor protected! */ DPRINT("Opening by Thread ID: %x\n", ClientId->UniqueThread);
Status = PsLookupProcessThreadByCid(ClientId, /* FIXME - neither probed nor protected! */ Status = PsLookupProcessThreadByCid(ClientId,
&Process, &Process,
&Thread); &Thread);
DPRINT("Found: %x\n", Process);
} }
else else
{ {
/* Get the Process */ /* Get the Process */
DPRINT("Opening by Process ID: %x\n", ClientId->UniqueProcess); /* FIXME - neither probed nor protected! */ DPRINT("Opening by Process ID: %x\n", ClientId->UniqueProcess);
Status = PsLookupProcessByProcessId(ClientId->UniqueProcess, /* FIXME - neither probed nor protected! */ Status = PsLookupProcessByProcessId(ClientId->UniqueProcess,
&Process); &Process);
DPRINT("Found: %x\n", Process);
} }
if(!NT_SUCCESS(Status)) if(!NT_SUCCESS(Status))
@ -1005,12 +1031,12 @@ NtOpenProcess(OUT PHANDLE ProcessHandle,
/* Open the Process Object */ /* Open the Process Object */
Status = ObOpenObjectByPointer(Process, Status = ObOpenObjectByPointer(Process,
ObjectAttributes->Attributes, /* FIXME - neither probed nor protected! */ Attributes,
NULL, NULL,
DesiredAccess, DesiredAccess,
PsProcessType, PsProcessType,
PreviousMode, PreviousMode,
ProcessHandle); /* FIXME - neither probed nor protected! */ &hProcess);
if(!NT_SUCCESS(Status)) if(!NT_SUCCESS(Status))
{ {
DPRINT1("Failure to open process\n"); DPRINT1("Failure to open process\n");
@ -1022,6 +1048,25 @@ NtOpenProcess(OUT PHANDLE ProcessHandle,
/* Dereference the Process */ /* Dereference the Process */
ObDereferenceObject(Process); ObDereferenceObject(Process);
} }
else
{
/* neither an object name nor a client id was passed */
return STATUS_INVALID_PARAMETER_MIX;
}
/* Write back the handle */
if(NT_SUCCESS(Status))
{
_SEH_TRY
{
*ProcessHandle = hProcess;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
}
return Status; return Status;
} }
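Review bot: In the new write-back block at the end of NtOpenProcess, a fault while storing `*ProcessHandle = hProcess` leaves the just-created handle open in the caller's handle table while the call reports failure, so the object reference taken by ObOpenObjectByPointer/ObOpenObjectByName is never released and the caller is never told the handle exists; the exception handler should close it before propagating the status, e.g. `Status = _SEH_GetExceptionCode(); ZwClose(hProcess);` (or whichever kernel-side close the object manager in this tree exposes — confirm before relying on it). The earlier probe deliberately snapshots only `ObjectName != NULL` and `Attributes` and lets the open-by-name path re-read the user OBJECT_ATTRIBUTES, which is a double fetch; it is acceptable only as long as that later call captures the structure under its own probe, so a comment there stating `/* ObOpenObjectByName re-probes and captures ObjectAttributes itself; HasObjectName is only a routing hint */` would make the invariant explicit. Two comment typos in the probe section are worth fixing while here: `/* Probe the parameters */` and `/* can't pass both an object name and a client id */`. The NtOpenProcess parameter list begins before the first hunk shown, and the NtCreateProcess hunk now passes the caller's raw `ProcessHandle` into PspCreateProcess; whether that callee probes and SEH-guards the write is not visible in this section and should be checked.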