From cb93b06d3564b727e5908f14c6e6ef44a2310fc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?=
Date: Sun, 22 Sep 2013 00:26:31 +0000
Subject: [PATCH] [NTOS]
- Fix disabling impersonation in PsDisableImpersonation, and
- Fix how we do restore impersonation in NtOpenThreadTokenEx.
Patch by Thomas Faber, CORE-7476 #comment Patch committed in revision 60301, thanks :). Please retest the bug.
svn path=/trunk/; revision=60301
---
 reactos/ntoskrnl/ps/security.c | 18 +++++-------------
 reactos/ntoskrnl/se/token.c | 8 +++++---
 2 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/reactos/ntoskrnl/ps/security.c b/reactos/ntoskrnl/ps/security.c
index 4a9c0916d82..7532cbe0703 100644
--- a/reactos/ntoskrnl/ps/security.c
+++ b/reactos/ntoskrnl/ps/security.c
@@ -820,10 +820,10 @@ PsDereferencePrimaryToken(IN PACCESS_TOKEN PrimaryToken)
 BOOLEAN NTAPI PsDisableImpersonation(IN PETHREAD Thread,
- IN PSE_IMPERSONATION_STATE ImpersonationState)
+ OUT PSE_IMPERSONATION_STATE ImpersonationState)
 { PPS_IMPERSONATION_INFORMATION Impersonation = NULL;
- LONG NewValue, OldValue;
+ LONG OldFlags;
 PAGED_CODE(); PSTRACE(PS_SECURITY_DEBUG, "Thread: %p State: %p\n", Thread, ImpersonationState);
@@ -835,19 +835,11 @@ PsDisableImpersonation(IN PETHREAD Thread,
 PspLockThreadSecurityExclusive(Thread); /* Disable impersonation */
- OldValue = Thread->CrossThreadFlags;
- do
- {
- /* Attempt to change the flag */
- NewValue =
- InterlockedCompareExchange((PLONG)&Thread->CrossThreadFlags,
- OldValue &~
- CT_ACTIVE_IMPERSONATION_INFO_BIT,
- OldValue);
- } while (NewValue != OldValue);
+ OldFlags = PspClearCrossThreadFlag(Thread,
+ CT_ACTIVE_IMPERSONATION_INFO_BIT);
 /* Make sure nobody disabled it behind our back */
- if (NewValue & CT_ACTIVE_IMPERSONATION_INFO_BIT)
+ if (OldFlags & CT_ACTIVE_IMPERSONATION_INFO_BIT)
 { /* Copy the old state */ Impersonation = Thread->ImpersonationInfo;
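Review bot: Changing `ImpersonationState` from IN to OUT leaves the OUT contract undocumented at the signature: the second hunk only reaches the "Copy the old state" branch when the pre-clear flags had CT_ACTIVE_IMPERSONATION_INFO_BIT set, and the token.c side of this commit gates PsRestoreImpersonation on the BOOLEAN return, so on a FALSE return the caller's buffer is presumably left untouched and must not be handed to PsRestoreImpersonation. I would state that above the definition: `/* Returns TRUE and fills ImpersonationState only if the thread was impersonating; on FALSE the buffer is left unmodified and must not be restored. */`. The body of PsDisableImpersonation continues past both hunks, so whether any other path writes the buffer could not be checked here.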
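Review bot: The `if (OldFlags & CT_ACTIVE_IMPERSONATION_INFO_BIT)` test is only correct if `PspClearCrossThreadFlag` returns the flags as they were before the clear; the macro is not visible in this diff, and if it returned the post-clear value the bit would never be seen, `Impersonation` would stay NULL, the function would report FALSE and the thread's impersonation would be dropped with no state saved for PsRestoreImpersonation. Pin that dependency on the new call, `/* Returns the pre-clear flags; the active bit tells us whether there is state to save */`. The retained comment `/* Make sure nobody disabled it behind our back */` also reads oddly now that the clear happens under PspLockThreadSecurityExclusive; `/* Only save state if impersonation was actually active when we cleared the flag */` describes what is checked. The rest of PsDisableImpersonation, including its return, lies outside the hunk.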
diff --git a/reactos/ntoskrnl/se/token.c b/reactos/ntoskrnl/se/token.c
index 8d6e350041f..7a14c967291 100644
--- a/reactos/ntoskrnl/se/token.c
+++ b/reactos/ntoskrnl/se/token.c
@@ -1065,7 +1065,7 @@ NtQueryInformationToken(IN HANDLE TokenHandle,
 PTOKEN Token; ULONG RequiredLength; KPROCESSOR_MODE PreviousMode;
- NTSTATUS Status = STATUS_SUCCESS;
+ NTSTATUS Status;
 PAGED_CODE();
@@ -2429,6 +2429,7 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
 PACL Dacl = NULL; KPROCESSOR_MODE PreviousMode; NTSTATUS Status;
+ BOOLEAN RestoreImpersonation = FALSE;
 PAGED_CODE();
@@ -2482,7 +2483,8 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
 if (OpenAsSelf) {
- PsDisableImpersonation(PsGetCurrentThread(), &ImpersonationState);
+ RestoreImpersonation = PsDisableImpersonation(PsGetCurrentThread(),
+ &ImpersonationState);
 } if (CopyOnOpen)
@@ -2533,7 +2535,7 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
 if (Dacl) ExFreePoolWithTag(Dacl, TAG_TOKEN_ACL);
- if (OpenAsSelf)
+ if (RestoreImpersonation)
 { PsRestoreImpersonation(PsGetCurrentThread(), &ImpersonationState); }
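Review bot: Dropping the `= STATUS_SUCCESS` initializer on `Status` is only safe if every path through NtQueryInformationToken assigns it before the final return; the body is outside this hunk, so that could not be verified here. If the intent is to let the compiler flag a missing assignment, a short note at the declaration, `/* deliberately uninitialised: every branch must set Status */`, would stop the next cleanup from putting the default back.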
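Review bot: The new assignment depends on PsDisableImpersonation returning FALSE, and leaving `ImpersonationState` untouched, when the calling thread is not impersonating; nothing at the call site says so, and `ImpersonationState` itself is declared outside the hunk. A one-line comment above the call, `/* FALSE means we were not impersonating; ImpersonationState is then unset and must not be restored */`, records why the return value rather than OpenAsSelf now gates the restore in the epilogue. NtOpenThreadTokenEx continues beyond both ends of this hunk.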
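Review bot: Gating the restore on `RestoreImpersonation` only helps if every return between the PsDisableImpersonation call and this epilogue actually reaches it; the intervening code (the CopyOnOpen / Dacl handling and the open itself) is outside the hunk, and any direct `return Status;` there would leave the caller's thread running on its primary token with the saved impersonation token never restored or dereferenced. Worth confirming those failure paths fall through to this cleanup; if one does not, the fix is to route it to a label placed just before the `if (Dacl)` check rather than returning early. The enclosing function starts and ends outside the hunk.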