Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-05-08 03:07:05 +00:00
Code Issues Projects Releases Packages Wiki Activity

[NTOSKRNL] Probe parameters in NtAllocateUuids() if called from user-mode

Browse source 
This will avoid that userland applications can trigger an invalid write in
the kernel (and thus, a BSOD).

CORE-15462
This commit is contained in:
Pierre Schweitzer 2018-12-19 08:07:28 +01:00
parent 4a8c57fcbc
commit d8cb37bf15
No known key found for this signature in database
GPG key ID: 7545556C3D585B0B
1 changed files with 45 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
ntoskrnl/ex/uuid.c
View file

@ -319,9 +319,39 @@ NtAllocateUuids(OUT PULARGE_INTEGER Time,
ULARGE_INTEGER IntTime;
ULONG IntRange;
NTSTATUS Status;
KPROCESSOR_MODE PreviousMode;
PAGED_CODE();
/* Probe if user mode */
PreviousMode = ExGetPreviousMode();
if (PreviousMode != KernelMode)
{
_SEH2_TRY
{
ProbeForWrite(Time,
sizeof(ULARGE_INTEGER),
sizeof(ULONG));
ProbeForWrite(Range,
sizeof(ULONG),
sizeof(ULONG));
ProbeForWrite(Sequence,
sizeof(ULONG),
sizeof(ULONG));
ProbeForWrite(Seed,
SEED_BUFFER_SIZE,
sizeof(UCHAR));
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
_SEH2_YIELD(return _SEH2_GetExceptionCode());
}
_SEH2_END;
}
ExAcquireFastMutex(&UuidMutex);
if (!UuidSequenceInitialized)
@ -358,13 +388,22 @@ NtAllocateUuids(OUT PULARGE_INTEGER Time,
ExReleaseFastMutex(&UuidMutex);
Time->QuadPart = IntTime.QuadPart;
*Range = IntRange;
*Sequence = UuidSequence;
/* Write back LUID to caller */
_SEH2_TRY
{
Time->QuadPart = IntTime.QuadPart;
*Range = IntRange;
*Sequence = UuidSequence;
RtlCopyMemory(Seed,
UuidSeed,
SEED_BUFFER_SIZE);
RtlCopyMemory(Seed,
UuidSeed,
SEED_BUFFER_SIZE);
}
_SEH2_EXCEPT(ExSystemExceptionFilter())
{
Status = _SEH2_GetExceptionCode();
}
_SEH2_END;
return STATUS_SUCCESS;
}