From ddbfcbae40f52ce21b0f0b99f5cf5f5c83e7f4f5 Mon Sep 17 00:00:00 2001
From: Stefan Ginsberg
Date: Wed, 15 Jul 2009 16:13:08 +0000
Subject: [PATCH] - Don't assume the object body allocated by ObCreateObject (through ObpAllocateObject) is zero-initialized (it shouldn't be).
svn path=/trunk/; revision=41972
---
 reactos/ntoskrnl/mm/section.c | 7 +++++++
 reactos/ntoskrnl/se/token.c | 20 +++++++++----------
 .../subsystems/win32/win32k/ntuser/desktop.c | 1 +
 .../subsystems/win32/win32k/ntuser/winsta.c | 3 +++
 4 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/reactos/ntoskrnl/mm/section.c b/reactos/ntoskrnl/mm/section.c
index b52795d22a7..8bbeaa689ce 100644
--- a/reactos/ntoskrnl/mm/section.c
+++ b/reactos/ntoskrnl/mm/section.c
@@ -2375,6 +2375,8 @@ MmCreatePageFileSection(PROS_SECTION_OBJECT *SectionObject,
 /*
 * Initialize it
 */
+ Section->Type = 0;
+ Section->Size = 0;
 Section->SectionPageProtection = SectionPageProtection;
 Section->AllocationAttributes = AllocationAttributes;
 Section->Segment = NULL;
@@ -2447,6 +2449,8 @@ MmCreateDataFileSection(PROS_SECTION_OBJECT *SectionObject,
 /*
 * Initialize it
 */
+ Section->Type = 0;
+ Section->Size = 0;
 Section->SectionPageProtection = SectionPageProtection;
 Section->AllocationAttributes = AllocationAttributes;
 Section->Segment = NULL;
@@ -3373,6 +3377,9 @@ MmCreateImageSection(PROS_SECTION_OBJECT *SectionObject,
 /*
 * Initialize it
 */
+ Section->Type = 0;
+ Section->Size = 0;
+ Section->MaximumSize.QuadPart = 0;
 Section->SectionPageProtection = SectionPageProtection;
 Section->AllocationAttributes = AllocationAttributes;
diff --git a/reactos/ntoskrnl/se/token.c b/reactos/ntoskrnl/se/token.c
index dbe3f77a82a..c43d5f8ee80 100644
--- a/reactos/ntoskrnl/se/token.c
+++ b/reactos/ntoskrnl/se/token.c
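Review bot: Clearing Type and Size (plus MaximumSize in MmCreateImageSection) one field at a time leaves every other member of the ROS_SECTION_OBJECT body that these three "Initialize it" blocks do not assign in whatever state the pool returned it, which is exactly the assumption the commit message says must not be made; the token.c, desktop.c and winsta.c hunks of the same commit zero the whole body instead. A single `RtlZeroMemory(Section, sizeof(*Section));` right after the `Initialize it` comment in MmCreatePageFileSection, MmCreateDataFileSection and MmCreateImageSection would cover the hand-cleared fields and anything added to the structure later, and would make the three functions agree on what is reset (only the image path clears MaximumSize here, presumably because the other two assign it further down, outside the hunk). Each function's body continues outside the hunk, so whether some field is read before it is assigned cannot be checked from here.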
@@ -247,7 +247,10 @@ SepDuplicateToken(PTOKEN Token,
 DPRINT1("ObCreateObject() failed (Status %lx)\n");
 return(Status);
 }
-
+
+ /* Zero out the buffer */
+ RtlZeroMemory(AccessToken, sizeof(TOKEN));
+
 Status = ZwAllocateLocallyUniqueId(&AccessToken->TokenId);
 if (!NT_SUCCESS(Status))
 {
@@ -264,7 +267,6 @@ SepDuplicateToken(PTOKEN Token,
 AccessToken->TokenLock = &SepTokenLock;
- AccessToken->TokenInUse = 0;
 AccessToken->TokenType = TokenType;
 AccessToken->ImpersonationLevel = Level;
 RtlCopyLuid(&AccessToken->AuthenticationId, &Token->AuthenticationId);
@@ -332,10 +334,6 @@ SepDuplicateToken(PTOKEN Token,
 Token->DefaultDacl,
 Token->DefaultDacl->AclSize);
 }
- else
- {
- AccessToken->DefaultDacl = 0;
- }
 }
 if ( NT_SUCCESS(Status) )
@@ -549,6 +547,9 @@ SepCreateSystemProcessToken(VOID)
 {
 return NULL;
 }
+
+ /* Zero out the buffer */
+ RtlZeroMemory(AccessToken, sizeof(TOKEN));
 Status = ExpAllocateLocallyUniqueId(&AccessToken->TokenId);
 if (!NT_SUCCESS(Status))
@@ -575,8 +576,6 @@ SepCreateSystemProcessToken(VOID)
 AccessToken->TokenType = TokenPrimary;
 AccessToken->ImpersonationLevel = SecurityDelegation;
- AccessToken->TokenSource.SourceIdentifier.LowPart = 0;
- AccessToken->TokenSource.SourceIdentifier.HighPart = 0;
 memcpy(AccessToken->TokenSource.SourceName, "SeMgr\0\0\0", 8);
 AccessToken->ExpirationTime.QuadPart = -1;
 AccessToken->UserAndGroupCount = 4;
@@ -2042,6 +2041,9 @@ NtCreateToken(OUT PHANDLE TokenHandle,
 DPRINT1("ObCreateObject() failed (Status %lx)\n");
 return(Status);
 }
+
+ /* Zero out the buffer */
+ RtlZeroMemory(AccessToken, sizeof(TOKEN));
 AccessToken->TokenLock = &SepTokenLock;
@@ -2058,8 +2060,6 @@ NtCreateToken(OUT PHANDLE TokenHandle,
 AccessToken->UserAndGroupCount = TokenGroups->GroupCount + 1;
 AccessToken->PrivilegeCount = TokenPrivileges->PrivilegeCount;
- AccessToken->UserAndGroups = 0;
- AccessToken->Privileges = 0;
 AccessToken->TokenType = TokenType;
 AccessToken->ImpersonationLevel = ((PSECURITY_QUALITY_OF_SERVICE)
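Review bot: The three new `RtlZeroMemory(AccessToken, sizeof(TOKEN));` lines (hunks @@ -247, @@ -549 and @@ -2042) size the clear by the type name rather than by the object being cleared; `RtlZeroMemory(AccessToken, sizeof(*AccessToken));` ties the length to the pointer, so the call cannot quietly go out of step with the size requested from ObCreateObject (which is outside the hunk), and the same applies to the desktop.c and winsta.c hunks of this commit. The error path two lines above the clear in the @@ -247 and @@ -2042 hunks, `DPRINT1("ObCreateObject() failed (Status %lx)\n");`, supplies no argument for `%lx`, so the print reads an unrelated variadic slot; it is pre-existing but sits in the reviewed lines and should become `DPRINT1("ObCreateObject() failed (Status %lx)\n", Status);`. The explicit clears removed in the later hunks (TokenInUse, the DefaultDacl else-branch, SourceIdentifier, UserAndGroups, Privileges) are covered by the memset, which in each function runs before them.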
diff --git a/reactos/subsystems/win32/win32k/ntuser/desktop.c b/reactos/subsystems/win32/win32k/ntuser/desktop.c
index 125568a15ea..b5cffedc20d 100644
--- a/reactos/subsystems/win32/win32k/ntuser/desktop.c
+++ b/reactos/subsystems/win32/win32k/ntuser/desktop.c
@@ -142,6 +142,7 @@ IntDesktopObjectParse(IN PVOID ParseObject,
 if (!NT_SUCCESS(Status)) return Status;
 /* Initialize shell hook window list and set the parent */
+ RtlZeroMemory(Desktop, sizeof(DESKTOP));
 InitializeListHead(&Desktop->ShellHookWindows);
 Desktop->WindowStation = (PWINSTATION_OBJECT)ParseObject;
diff --git a/reactos/subsystems/win32/win32k/ntuser/winsta.c b/reactos/subsystems/win32/win32k/ntuser/winsta.c
index f2c2821c887..5da6ce8dec6 100644
--- a/reactos/subsystems/win32/win32k/ntuser/winsta.c
+++ b/reactos/subsystems/win32/win32k/ntuser/winsta.c
@@ -483,6 +483,9 @@ NtUserCreateWindowStation(
 return 0;
 }
+ /* Zero out the buffer */
+ RtlZeroMemory(WindowStationObject, sizeof(WINSTATION_OBJECT));
+
 KeInitializeSpinLock(&WindowStationObject->Lock);
 InitializeListHead(&WindowStationObject->DesktopListHead);
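Review bot: The new `RtlZeroMemory(Desktop, sizeof(DESKTOP));` is placed directly under the comment `/* Initialize shell hook window list and set the parent */`, which no longer describes the statement that follows it. Move the clear above that comment with its own `/* Zero out the buffer */` line, as the token.c and winsta.c hunks of this commit do, and write it as `RtlZeroMemory(Desktop, sizeof(*Desktop));` so the cleared length follows the pointer's type. IntDesktopObjectParse's body continues on both sides of the hunk, so whether anything touches the object between the (presumed) ObCreateObject call and this point cannot be checked from here.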