[NTOSKRNL] Address issues raised in PR 3361 review

This commit is contained in:
Jérôme Gardou 2020-12-02 15:17:28 +01:00
parent 70c62aa2c9
commit d2fa434cb7
3 changed files with 24 additions and 27 deletions


@ -274,8 +274,6 @@ MmFinalizeSegment(PMM_SECTION_SEGMENT Segment)
DPRINT("Finalize segment %p\n", Segment); DPRINT("Finalize segment %p\n", Segment);
__debugbreak();
MmLockSectionSegment(Segment); MmLockSectionSegment(Segment);
RemoveEntryList(&Segment->ListOfSegments); RemoveEntryList(&Segment->ListOfSegments);
if (Segment->Flags & MM_DATAFILE_SEGMENT) { if (Segment->Flags & MM_DATAFILE_SEGMENT) {
@ -622,8 +620,6 @@ MiFreeSegmentPage(PMM_SECTION_SEGMENT Segment,
ULONG_PTR Entry; ULONG_PTR Entry;
PFILE_OBJECT FileObject = Segment->FileObject; PFILE_OBJECT FileObject = Segment->FileObject;
__debugbreak();
Entry = MmGetPageEntrySectionSegment(Segment, FileOffset); Entry = MmGetPageEntrySectionSegment(Segment, FileOffset);
DPRINTC("MiFreeSegmentPage(%p:%I64x -> Entry %Ix\n", DPRINTC("MiFreeSegmentPage(%p:%I64x -> Entry %Ix\n",
Segment, Segment,


@ -1094,6 +1094,14 @@ MiMapViewInSystemSpace(IN PVOID Section,
*ViewSize = SectionSize - SectionOffset->QuadPart; *ViewSize = SectionSize - SectionOffset->QuadPart;
} }
/* Check overflow */
if ((SectionOffset->QuadPart + *ViewSize) < SectionOffset->QuadPart)
{
DPRINT1("Integer overflow between size & offset!\n");
MiDereferenceControlArea(ControlArea);
return STATUS_INVALID_VIEW_SIZE;
}
/* Check if the caller wanted a larger section than the view */ /* Check if the caller wanted a larger section than the view */
if (SectionOffset->QuadPart + *ViewSize > SectionSize) if (SectionOffset->QuadPart + *ViewSize > SectionSize)
{ {
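Review bot: The overflow guard added as `if ((SectionOffset->QuadPart + *ViewSize) < SectionOffset->QuadPart)` relies on wraparound, which is only well defined when the sum is computed in an unsigned type; on a 32-bit build, where SIZE_T is narrower than LONGLONG, the addition is performed in signed LONGLONG (assuming QuadPart is LONGLONG and ViewSize is PSIZE_T as in the NT headers) and signed overflow is undefined, so the compiler is free to fold the comparison to false. On that signed path a negative SectionOffset also passes this check and the `> SectionSize` check below it. A form that does not depend on overflow would be `if (SectionOffset->QuadPart < 0 || *ViewSize > (ULONGLONG)(MAXLONGLONG - SectionOffset->QuadPart))`. MiMapViewInSystemSpace starts and ends outside the hunk, so whether SectionOffset was already range-checked earlier in the function is not visible here.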


@ -2050,7 +2050,7 @@ MmCreatePhysicalMemorySection(VOID)
/* /*
* Create the section mapping physical memory * Create the section mapping physical memory
*/ */
SectionSize.QuadPart = ~((ULONG_PTR)0); SectionSize.QuadPart = MmNumberOfPhysicalPages * PAGE_SIZE;
InitializeObjectAttributes(&Obj, InitializeObjectAttributes(&Obj,
&Name, &Name,
OBJ_PERMANENT | OBJ_KERNEL_EXCLUSIVE, OBJ_PERMANENT | OBJ_KERNEL_EXCLUSIVE,
@ -2192,7 +2192,6 @@ MmCreateDataFileSection(PSECTION *SectionObject,
(PVOID*)&Section); (PVOID*)&Section);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
ObDereferenceObject(FileObject);
return(Status); return(Status);
} }
/* /*
@ -2240,7 +2239,6 @@ MmCreateDataFileSection(PSECTION *SectionObject,
if (MaximumSize.QuadPart == 0) if (MaximumSize.QuadPart == 0)
{ {
ObDereferenceObject(Section); ObDereferenceObject(Section);
ObDereferenceObject(FileObject);
return STATUS_MAPPED_FILE_SIZE_ZERO; return STATUS_MAPPED_FILE_SIZE_ZERO;
} }
} }
@ -2254,7 +2252,6 @@ MmCreateDataFileSection(PSECTION *SectionObject,
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
ObDereferenceObject(Section); ObDereferenceObject(Section);
ObDereferenceObject(FileObject);
return(STATUS_SECTION_NOT_EXTENDED); return(STATUS_SECTION_NOT_EXTENDED);
} }
} }
@ -2263,7 +2260,6 @@ MmCreateDataFileSection(PSECTION *SectionObject,
if (FileObject->SectionObjectPointer == NULL) if (FileObject->SectionObjectPointer == NULL)
{ {
ObDereferenceObject(Section); ObDereferenceObject(Section);
ObDereferenceObject(FileObject);
return STATUS_INVALID_FILE_FOR_SECTION; return STATUS_INVALID_FILE_FOR_SECTION;
} }
@ -2274,7 +2270,6 @@ MmCreateDataFileSection(PSECTION *SectionObject,
if (Status != STATUS_SUCCESS) if (Status != STATUS_SUCCESS)
{ {
ObDereferenceObject(Section); ObDereferenceObject(Section);
ObDereferenceObject(FileObject);
return(Status); return(Status);
} }
@ -2305,7 +2300,6 @@ MmCreateDataFileSection(PSECTION *SectionObject,
//KeSetEvent((PVOID)&FileObject->Lock, IO_NO_INCREMENT, FALSE); //KeSetEvent((PVOID)&FileObject->Lock, IO_NO_INCREMENT, FALSE);
MiReleasePfnLock(OldIrql); MiReleasePfnLock(OldIrql);
ObDereferenceObject(Section); ObDereferenceObject(Section);
ObDereferenceObject(FileObject);
return(STATUS_NO_MEMORY); return(STATUS_NO_MEMORY);
} }
@ -2329,6 +2323,7 @@ MmCreateDataFileSection(PSECTION *SectionObject,
ExInitializeFastMutex(&Segment->Lock); ExInitializeFastMutex(&Segment->Lock);
Segment->FileObject = FileObject; Segment->FileObject = FileObject;
ObReferenceObject(FileObject);
Segment->Image.FileOffset = 0; Segment->Image.FileOffset = 0;
Segment->Protection = SectionPageProtection; Segment->Protection = SectionPageProtection;
@ -2370,9 +2365,6 @@ MmCreateDataFileSection(PSECTION *SectionObject,
} }
MmUnlockSectionSegment(Segment); MmUnlockSectionSegment(Segment);
/* The segment already has a reference to a file object. Don't bother keeping one.*/
ObDereferenceObject(FileObject);
} }
Section->SizeOfSection = MaximumSize; Section->SizeOfSection = MaximumSize;
@ -3053,7 +3045,6 @@ MmCreateImageSection(PSECTION *SectionObject,
(PVOID*)(PVOID)&Section); (PVOID*)(PVOID)&Section);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
ObDereferenceObject(FileObject);
return(Status); return(Status);
} }
@ -3093,17 +3084,14 @@ MmCreateImageSection(PSECTION *SectionObject,
NTSTATUS StatusExeFmt; NTSTATUS StatusExeFmt;
PMM_SECTION_SEGMENT DataSectionObject; PMM_SECTION_SEGMENT DataSectionObject;
ImageSectionObject = ExAllocatePoolWithTag(NonPagedPool, sizeof(MM_IMAGE_SECTION_OBJECT), TAG_MM_SECTION_SEGMENT); ImageSectionObject = ExAllocatePoolZero(NonPagedPool, sizeof(MM_IMAGE_SECTION_OBJECT), TAG_MM_SECTION_SEGMENT);
if (ImageSectionObject == NULL) if (ImageSectionObject == NULL)
{ {
MiReleasePfnLock(OldIrql); MiReleasePfnLock(OldIrql);
ObDereferenceObject(FileObject);
ObDereferenceObject(Section); ObDereferenceObject(Section);
return(STATUS_NO_MEMORY); return(STATUS_NO_MEMORY);
} }
RtlZeroMemory(ImageSectionObject, sizeof(MM_IMAGE_SECTION_OBJECT));
ImageSectionObject->SegFlags = MM_SEGMENT_INCREATE; ImageSectionObject->SegFlags = MM_SEGMENT_INCREATE;
ImageSectionObject->RefCount = 1; ImageSectionObject->RefCount = 1;
FileObject->SectionObjectPointer->ImageSectionObject = ImageSectionObject; FileObject->SectionObjectPointer->ImageSectionObject = ImageSectionObject;
@ -3172,7 +3160,6 @@ MmCreateImageSection(PSECTION *SectionObject,
ExFreePoolWithTag(ImageSectionObject, TAG_MM_SECTION_SEGMENT); ExFreePoolWithTag(ImageSectionObject, TAG_MM_SECTION_SEGMENT);
ObDereferenceObject(Section); ObDereferenceObject(Section);
ObDereferenceObject(FileObject);
return(Status); return(Status);
} }
@ -3194,12 +3181,15 @@ MmCreateImageSection(PSECTION *SectionObject,
ExFreePool(ImageSectionObject->Segments); ExFreePool(ImageSectionObject->Segments);
ExFreePool(ImageSectionObject); ExFreePool(ImageSectionObject);
ObDereferenceObject(Section); ObDereferenceObject(Section);
ObDereferenceObject(FileObject);
return(Status); return(Status);
} }
OldIrql = MiAcquirePfnLock(); OldIrql = MiAcquirePfnLock();
ImageSectionObject->SegFlags &= ~MM_SEGMENT_INCREATE; ImageSectionObject->SegFlags &= ~MM_SEGMENT_INCREATE;
/* Take a ref on the file on behalf of the newly created structure */
ObReferenceObject(FileObject);
MiReleasePfnLock(OldIrql); MiReleasePfnLock(OldIrql);
Status = StatusExeFmt; Status = StatusExeFmt;
@ -3213,9 +3203,6 @@ MmCreateImageSection(PSECTION *SectionObject,
Section->Segment = (PSEGMENT)ImageSectionObject; Section->Segment = (PSEGMENT)ImageSectionObject;
/* We let the Image Section Object hold the reference */
ObDereferenceObject(FileObject);
Status = STATUS_SUCCESS; Status = STATUS_SUCCESS;
} }
//KeSetEvent((PVOID)&FileObject->Lock, IO_NO_INCREMENT, FALSE); //KeSetEvent((PVOID)&FileObject->Lock, IO_NO_INCREMENT, FALSE);
@ -3693,9 +3680,11 @@ NtQuerySection(
_SEH2_TRY _SEH2_TRY
{ {
*((SECTION_BASIC_INFORMATION*)SectionInformation) = Sbi; *((SECTION_BASIC_INFORMATION*)SectionInformation) = Sbi;
if (ResultLength) if (ResultLength != NULL)
{
*ResultLength = sizeof(Sbi); *ResultLength = sizeof(Sbi);
} }
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{ {
Status = _SEH2_GetExceptionCode(); Status = _SEH2_GetExceptionCode();
@ -3718,8 +3707,10 @@ NtQuerySection(
PSECTION_IMAGE_INFORMATION Sii = (PSECTION_IMAGE_INFORMATION)SectionInformation; PSECTION_IMAGE_INFORMATION Sii = (PSECTION_IMAGE_INFORMATION)SectionInformation;
*Sii = ImageSectionObject->ImageInformation; *Sii = ImageSectionObject->ImageInformation;
if (ResultLength != NULL) if (ResultLength != NULL)
{
*ResultLength = sizeof(*Sii); *ResultLength = sizeof(*Sii);
} }
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{ {
Status = _SEH2_GetExceptionCode(); Status = _SEH2_GetExceptionCode();
@ -4374,6 +4365,7 @@ MmCreateSection (OUT PVOID * Section,
SectionPageProtection, SectionPageProtection,
AllocationAttributes, AllocationAttributes,
FileObject); FileObject);
ObDereferenceObject(FileObject);
} }
#ifndef NEWCC #ifndef NEWCC
else if (FileObject != NULL) else if (FileObject != NULL)
@ -4386,6 +4378,7 @@ MmCreateSection (OUT PVOID * Section,
AllocationAttributes, AllocationAttributes,
FileObject, FileObject,
FileHandle != NULL); FileHandle != NULL);
ObDereferenceObject(FileObject);
} }
#else #else
else if (FileHandle != NULL || FileObject != NULL) else if (FileHandle != NULL || FileObject != NULL)
@ -4393,8 +4386,8 @@ MmCreateSection (OUT PVOID * Section,
Status = MmCreateCacheSection(SectionObject, Status = MmCreateCacheSection(SectionObject,
DesiredAccess, DesiredAccess,
ObjectAttributes, ObjectAttributes,
SizeOfSection, MaximumSize,
InitialPageProtection, SectionPageProtection,
AllocationAttributes, AllocationAttributes,
FileObject); FileObject);
} }