[NTOSKRNL] Probe parameters in NtAllocateUuids() if called from user-mode

This will avoid that userland applications can trigger an invalid write in
the kernel (and thus, a BSOD).

CORE-15462

ntoskrnl/ex/uuid.c

@@ -319,9 +319,39 @@ NtAllocateUuids(OUT PULARGE_INTEGER Time,
     ULARGE_INTEGER IntTime;
     ULONG IntRange;
     NTSTATUS Status;
+    KPROCESSOR_MODE PreviousMode;
 
     PAGED_CODE();
 
+    /* Probe if user mode */
+    PreviousMode = ExGetPreviousMode();
+    if (PreviousMode != KernelMode)
+    {
+        _SEH2_TRY
+        {
+            ProbeForWrite(Time,
+                          sizeof(ULARGE_INTEGER),
+                          sizeof(ULONG));
+
+            ProbeForWrite(Range,
+                          sizeof(ULONG),
+                          sizeof(ULONG));
+
+            ProbeForWrite(Sequence,
+                          sizeof(ULONG),
+                          sizeof(ULONG));
+
+            ProbeForWrite(Seed,
+                          SEED_BUFFER_SIZE,
+                          sizeof(UCHAR));
+        }
+        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+        {
+            _SEH2_YIELD(return _SEH2_GetExceptionCode());
+        }
+        _SEH2_END;
+    }
+
     ExAcquireFastMutex(&UuidMutex);
 
     if (!UuidSequenceInitialized)
@@ -358,13 +388,22 @@ NtAllocateUuids(OUT PULARGE_INTEGER Time,
 
     ExReleaseFastMutex(&UuidMutex);
 
-    Time->QuadPart = IntTime.QuadPart;
+    /* Write back LUID to caller */
-    *Range = IntRange;
+    _SEH2_TRY
-    *Sequence = UuidSequence;
+    {
+        Time->QuadPart = IntTime.QuadPart;
+        *Range = IntRange;
+        *Sequence = UuidSequence;
 
-    RtlCopyMemory(Seed,
+        RtlCopyMemory(Seed,
-                  UuidSeed,
+                      UuidSeed,
-                  SEED_BUFFER_SIZE);
+                      SEED_BUFFER_SIZE);
+    }
+    _SEH2_EXCEPT(ExSystemExceptionFilter())
+    {
+        Status = _SEH2_GetExceptionCode();
+    }
+    _SEH2_END;
 
     return STATUS_SUCCESS;
 }