[NTOSKRNL] ExRaiseHardError(): Protect strings copy to user-mode space inside a SEH block.

Hermès Bélusca-Maïto 2018-04-01 17:52:10 +02:00
parent 842605e3ef
commit ea390c2b3f
No known key found for this signature in database
GPG key ID: 3B2539C65E7B93D0


@ -387,6 +387,7 @@ ExRaiseHardError(IN NTSTATUS ErrorStatus,
IN ULONG ValidResponseOptions, IN ULONG ValidResponseOptions,
OUT PULONG Response) OUT PULONG Response)
{ {
NTSTATUS Status;
SIZE_T Size; SIZE_T Size;
UNICODE_STRING CapturedParams[MAXIMUM_HARDERROR_PARAMETERS]; UNICODE_STRING CapturedParams[MAXIMUM_HARDERROR_PARAMETERS];
ULONG i; ULONG i;
@ -394,7 +395,7 @@ ExRaiseHardError(IN NTSTATUS ErrorStatus,
PHARDERROR_USER_PARAMETERS UserParams; PHARDERROR_USER_PARAMETERS UserParams;
PWSTR BufferBase; PWSTR BufferBase;
ULONG SafeResponse; ULONG SafeResponse;
NTSTATUS Status;
PAGED_CODE(); PAGED_CODE();
/* Check if we have parameters */ /* Check if we have parameters */
@ -435,35 +436,46 @@ ExRaiseHardError(IN NTSTATUS ErrorStatus,
UserParams = UserData; UserParams = UserData;
BufferBase = UserParams->Buffer; BufferBase = UserParams->Buffer;
/* Loop parameters again */ /* Enter SEH block as we are writing to user-mode space */
for (i = 0; i < NumberOfParameters; i++) _SEH2_TRY
{ {
/* Check if we're in the mask */ /* Loop parameters again */
if (UnicodeStringParameterMask & (1 << i)) for (i = 0; i < NumberOfParameters; i++)
{ {
/* Update the base */ /* Check if we are in the mask */
UserParams->Parameters[i] = (ULONG_PTR)&UserParams->Strings[i]; if (UnicodeStringParameterMask & (1 << i))
{
/* Update the base */
UserParams->Parameters[i] = (ULONG_PTR)&UserParams->Strings[i];
/* Copy the string buffer */ /* Copy the string buffer */
RtlMoveMemory(BufferBase, RtlMoveMemory(BufferBase,
CapturedParams[i].Buffer, CapturedParams[i].Buffer,
CapturedParams[i].MaximumLength); CapturedParams[i].MaximumLength);
/* Set buffer */ /* Set buffer */
CapturedParams[i].Buffer = BufferBase; CapturedParams[i].Buffer = BufferBase;
/* Copy the string structure */ /* Copy the string structure */
UserParams->Strings[i] = CapturedParams[i]; UserParams->Strings[i] = CapturedParams[i];
/* Update the pointer */ /* Update the pointer */
BufferBase += CapturedParams[i].MaximumLength; BufferBase += CapturedParams[i].MaximumLength;
} }
else else
{ {
/* No need to copy any strings */ /* No need to copy any strings */
UserParams->Parameters[i] = Parameters[i]; UserParams->Parameters[i] = Parameters[i];
}
} }
} }
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
/* Return the exception code */
Status = _SEH2_GetExceptionCode();
DPRINT1("ExRaiseHardError - Exception when writing data to user-mode, Status 0x%08lx\n", Status);
}
_SEH2_END;
} }
else else
{ {
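Review bot: The `_SEH2_EXCEPT` handler only stores the exception code in `Status` and logs it, and nothing visible in this section keeps execution from continuing past `_SEH2_END` with a partially written `UserParams`. ExRaiseHardError continues outside the hunk, so please confirm that `Status` is initialised to a success value before `_SEH2_TRY`, and that an `if (!NT_SUCCESS(Status))` check right after the block takes the function's existing cleanup path and releases the user-mode allocation behind `UserData`. Separately, in the re-indented loop `BufferBase` is a `PWSTR`, so `BufferBase += CapturedParams[i].MaximumLength;` advances by that many WCHARs, while the `RtlMoveMemory` above it copied that many bytes. If the allocation size was summed in bytes (not visible here), later strings are placed past their intended offset, and the SEH block only catches that when the write actually faults. `BufferBase += CapturedParams[i].MaximumLength / sizeof(WCHAR);` would keep the stride equal to the bytes copied.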