Commit graph

1393 commits

Author SHA1 Message Date
Kyle Katarn
7ed0284e8e
[NTOS:EX] Fix returned number of handles for Idle System Process (#4661)
PsIdleProcess and PsInitialSystemProcess share the same handle table. This
leads ObGetProcessHandleCount() to report the same number of handles
when called on those system processes, when being enumerated by
NtQuerySystemInformation(SystemProcessInformation).

Instead, just return 0 for the handle count of the Idle process in SystemProcessInformation.
This is not done in ObGetProcessHandleCount(), since a separate
NtQueryInformationProcess(ProcessHandleCount) for the idle process should return
a non-zero value.

CORE-16577
2022-09-03 22:56:33 +02:00
Serge Gautherie
730b13daac
[NTOS:MM] kdbg.c: Fix Argv[n] copypastas (#4634) 2022-08-27 15:58:54 +02:00
Timo Kreuzer
e9a129c1e2 [NTOS] Remove useless functions 2022-08-22 11:22:08 +02:00
Timo Kreuzer
620f9ee71a [NTOS] Add MxCsr handling to trap handlers 2022-08-22 11:22:08 +02:00
Timo Kreuzer
92c798c657 [NTOSKRNL] Implement KiXmmExceptionHandler 2022-08-22 11:22:08 +02:00
Timo Kreuzer
39f11249ff [NTOS][RTL] Initialize MxCsr where missing 2022-08-22 11:22:08 +02:00
George Bișoc
3b00f98b94
[NTOS:SE] Fix new dynamic length calculation in TokenPrimaryGroup case
Not only primary group assignation was broken but new dynamic length calculation is also broken. The length of the captured SID is not taken into account so the new dynamic length gets only the size of the default ACL present in an access token.
Therefore, the condition is always FALSE and the code never jumps to the STATUS_ALLOTTED_SPACE_EXCEEDED branch because the length will always be small than the charged dynamic length.

Addendum to 86bde3c.
2022-08-16 20:27:27 +02:00
George Bișoc
86bde3c76a
[NTOS:SE] Fix the primary group assignation in TokenPrimaryGroup class case
With current master, what happens is that when someone wants to assign a new primary group SID for an access token, it results in an instant page fault because the primary group variable doesn't get assigned the dynamic part's address.
So the primary group variable gets an address which is basically a representation of the ACL size, hence the said address is bogus and it's where the page fault kicks in.

CORE-18249
2022-08-16 13:05:44 +02:00
Timo Kreuzer
786017c5b6 [NTOS] Don't assert, when dispatching an exception to user mode fails
Instead continue with second chance handling.
2022-08-04 16:15:24 +02:00
Timo Kreuzer
b3a8f8611d [NTOS] Treat page faults with interrupts disabled as access violation 2022-08-04 16:15:24 +02:00
Timo Kreuzer
e45af60560 [NTOS:KE/X64] Enable interrupts when accessing user mode memory 2022-08-04 16:15:24 +02:00
Timo Kreuzer
902c6eee1e [NTOS:KE] Restore interrupts in KiSwitchKernelStack 2022-08-04 16:15:24 +02:00
Timo Kreuzer
ae39ad4d10 [NTOS] Add a hack for VBox 2022-08-04 16:15:24 +02:00
Timo Kreuzer
74014e74c0 [NTOS:KDBG] Improve x64 stack trace printing 2022-08-04 16:15:24 +02:00
Timo Kreuzer
fe777bb52f [NTOS:KDBG] Nuke KdbEnter and KdbpCliModuleLoaded
They are not used anymore. Also clean up some obsolete prototypes.
2022-07-20 23:57:42 +02:00
Timo Kreuzer
31a5fa61bb [NTOS:KDBG] Add KdbpPrintUnicodeString
Calling normal unicode functions is not allowed at IRQL > APC_LEVEL, so calling _vsnprintf with unicode parameters from KDBG is invalid.
2022-07-20 23:57:42 +02:00
Timo Kreuzer
253362509e [KDBG] Fix x64 KDBG 2022-07-20 23:57:42 +02:00
Timo Kreuzer
04fe666590 [NDK] Add missing x64 unwind definitions 2022-07-20 23:57:42 +02:00
Timo Kreuzer
45f75d5d32 [NTOS:KE/x64] Handle user faults in KiGeneralProtectionFaultHandler 2022-07-14 18:35:28 +02:00
George Bișoc
54a00aa8eb
[CMLIB][NTOS:CM] Deduplicate other common definitions between CMLIB and the NTOS CM
Addendum to commit 8c2454e (r70605). Credits and courtesy go to Hermès BÉLUSCA - MAÏTO.

CORE-10802 CORE-10793
2022-07-10 14:35:53 +02:00
Tuur Martens
10126e7710 [NTOS:MM] Fix VADs being inserted even though the quota would exceed
Since we were charging the pool quota after the VAD insertion,
if the quota charge failed, the VAD would still have been inserted.
This commit attempts to resolve this issue by charging quota
before inserting the VAD thus allowing the quota charge to fail early.

Addendum to 884356a0. CORE-18028
2022-07-06 18:48:32 +02:00
Timo Kreuzer
f606b36cff [NTOSKRNL] Fix a bug in MiDeleteVirtualAddresses
When a PDE gets empty, we skip the address to the next PDE boundary, which might introduce an AddressGap, which wasn't handled before.
2022-07-05 19:29:05 +02:00
George Bișoc
4471ee4dfa
[NTOS:SE] Properly handle dynamic counters in token
On current master, ReactOS faces these problems:

- ObCreateObject charges both paged and non paged pool a size of TOKEN structure, not the actual dynamic contents of WHAT IS inside a token. For paged pool charge the size is that of the dynamic area (primary group + default DACL if any). This is basically what DynamicCharged is for.
For the non paged pool charge, the actual charge is that of TOKEN structure upon creation. On duplication and filtering however, the paged pool charge size is that of the inherited dynamic charged space from an existing token whereas the non paged pool size is that of the calculated token body
length for the new duplicated/filtered token. On current master, we're literally cheating the kernel by charging the wrong amount of quota not taking into account the dynamic contents which they come from UM.

- Both DynamicCharged and DynamicAvailable are not fully handled (DynamicAvailable is pretty much poorly handled with some cases still to be taking into account). DynamicCharged is barely handled, like at all.

- As a result of these two points above, NtSetInformationToken doesn't check when the caller wants to set up a new default token DACL or primary group if the newly DACL or the said group exceeds the dynamic charged boundary. So what happens is that I'm going to act like a smug bastard fat politician and whack
the primary group and DACL of an token however I want to, because why in the hell not? In reality no, the kernel has to punish whoever attempts to do that, although we currently don't.

- The dynamic area (aka DynamicPart) only picks up the default DACL but not the primary group as well. Generally the dynamic part is composed of primary group and default DACL, if provided.

In addition to that, we aren't returning the dynamic charged and available area in token statistics. SepComputeAvailableDynamicSpace helper is here to accommodate that. Apparently Windows is calculating the dynamic available area rather than just querying the DynamicAvailable field directly from the token.
My theory regarding this is like the following: on Windows both TokenDefaultDacl and TokenPrimaryGroup classes are barely used by the system components during startup (LSASS provides both a DACL and primary group when calling NtCreateToken anyway). In fact DynamicAvailable is 0 during token creation, duplication and filtering when inspecting a token with WinDBG. So
if an application wants to query token statistics that application will face a dynamic available space of 0.
2022-06-29 10:06:37 +02:00
George Bișoc
5da5e644bb
[NTOS:OB] Include the security descriptor charge when charging the paged pool quota of an object
On ObpChargeQuotaForObject function, the kernel will either charge the default object type charges or the specified information charges obtained from ObCreateObject API call. What happens is that if a paged pool charge is specified on ObCreateObject call the kernel will charge that
but when an object is about to be de-allocated, the amount of quota to return back to the system is the amounting of the paged pool charge specified previously by the ObCreateObject call plus the amounting of the security descriptor charge (see oblife.c / line 98).

This will result in a fatal crash with a bugcheck of QUOTA_UNDERFLOW because we are returning quota with bits of it that was never charged and that's SecurityDescriptorCharge. A QUOTA_UNDERFLOW bugcheck occurs in two following scenarios:

-- When installing Virtualbox Guest Additions and prompting the installer to reboot the system for you
-- When logging off and on back to the system and then you restart the system normally

This bug has been discovered whilst working on #4555 PR.
2022-06-26 19:47:02 +02:00
Timo Kreuzer
8521f6d7b5 [RTL] Implement dynamic function tables for x64 2022-06-25 21:45:47 +02:00
George Bișoc
9d2de519b2
[NTOS:SE] NtQueryInformationToken: implement TokenGroupsAndPrivileges
TokenGroupsAndPrivileges is the younger sister of two TokenGroups and TokenPrivileges classes. In its purpose there's no huge substantial differences apart that this class comes with its own structure, TOKEN_GROUPS_AND_PRIVILEGES, and that this structure comes with extra information.
2022-06-19 17:22:04 +02:00
George Bișoc
8e0da736b7
[NTOS:SE] Fix MSVC build 2022-06-13 20:12:32 +02:00
George Bișoc
93381263a1
[NTOS:SE] Remove redundant ReturnLength NULL check
In NtQueryInformationToken function, remove the useless and redundant NULL check for two primary reasons. First, DefaultQueryInfoBufferCheck already does the necessary probing validation checks and second, ReturnLength must NEVER be NULL!
If the caller does not respect the calling rules of NtQueryInformationToken, the caller is expected to be miserably punished.
2022-06-13 19:28:12 +02:00
George Bișoc
5e1f292062
[NTOS:SE] NtQueryInformationToken: implement token sandbox inert querying 2022-06-13 18:17:10 +02:00
George Bișoc
d0d86ab588
[NTOSKRNL] Force a probe against ReturnLength on query & Misc ICIF stuff
NtQueryInformationToken is by far the only system call in NT where ReturnLength simply cannot be optional. On Windows this parameter is always probed and an argument to NULL directly leads to an access violation exception.
This is due to the fact of how tokens work, as its information contents (token user, owner, primary group, et al) are dynamic and can vary throughout over time in memory.

What happens on current ReactOS master however is that ReturnLength is only probed if the parameter is not NULL. On a NULL case scenario the probing checks succeed and NtQueryInformationToken fails later. For this, just get rid of CompleteProbing
parameter and opt in for a bit mask flag based approach, with ICIF_FORCE_RETURN_LENGTH_PROBE being set on DefaultQueryInfoBufferCheck which NtQueryInformationToken calls it to do sanity checks.

In addition to that...

- Document the ICIF probe helpers
- Annotate the ICIF prope helpers with SAL
- With the riddance of CompleteProbing and adoption of flags based approach, add ICIF_PROBE_READ_WRITE and ICIF_PROBE_READ flags alongside with ICIF_FORCE_RETURN_LENGTH_PROBE
2022-06-12 11:05:05 +02:00
Tuur Martens
d31642c712 [NTOS:MM] Fix memory leak in NtAllocateVirtualMemory
When an allocated VAD's insertion fails, the VAD is not freed. This commit attempts to fix this behaviour.
2022-06-04 22:44:27 +02:00
George Bișoc
9a2c62b544
[NTOS:SE] Reorganize the security manager component
The current state of Security manager's code is kind of a mess. Mainly, there's code scattered around places where they shouldn't belong and token implementation (token.c) is already of a bloat in itself as it is. The file has over 6k lines and it's subject to grow exponentially with improvements, features, whatever that is.

With that being said, the token implementation code in the kernel will be split accordingly and rest of the code moved to appropriate places. The new layout will look as follows (excluding the already existing files):

- client.c (Client security implementation code)
- objtype.c (Object type list implementation code -- more code related to object types will be put here when I'm going to implement object type access checks in the future)
- subject.c (Subject security context support)

The token implementation in the kernel will be split in 4 distinct files as shown:

- token.c (Base token support routines)
- tokenlif.c (Life management of a token object -- that is Duplication, Creation and Filtering)
- tokencls.c (Token Query/Set Information Classes support)
- tokenadj.c (Token privileges/groups adjusting support)

In addition to that, tidy up the internal header and reorganize it as well.
2022-05-29 20:22:19 +02:00
Tuur Martens
cc99b9d96e [NTOS:MM] Fix MiInsertSharedUserPageVad preventing boot on x64
Fix MiInsertSharedUserPageVad to not charge the system process pool quota.
Even though PsChargeProcessNonPagedPoolQuota itself checks if the process specified is the system process, this doesn't work here as we're too early into boot for the kernel to know what the system process is.
2022-05-29 13:28:27 +02:00
Victor Perevertkin
f155b9377f
[CMAKE] Elimitate the use of GCC and CLANG variables 2022-05-27 01:37:34 +03:00
George Bișoc
064a35dc67
[NTOS:KE] Fully implement FPU Save/Restore mechanism
This commit fully implements the inner logic of KeSaveFloatingPointState and KeRestoreFloatingPointState routines. On ReactOS we're currently simply doing a FNSAVE operation whereas on Windows it is a lot more than that.

On Windows Server 2003 the logic more or less goes like this. In order to save the FPU state the NPX state of the current thread has to be checked first, that is, if NPX is loaded and currently charged for the current thread then the system will acquire the NPX registers actively present. From that point it performs either a FNSAVE or FXSAVE
if FX is actually supported. Otherwise the control word and MXCsr registers are obtained.

FXSAVE/FNSAVE operation is done solely if the FX save area is held up in a pool allocation. Pool allocation occurs if it's been found out that the NPX IRQL of the thread is not the same as the current thread which from where it determines if the interrupt level is APC then allocate some pool memory and hold the save area there, otherwise
the save area in question is grabbed from the current processor control region. If NPX is not loaded for the current thread then the FPU state is obtained from the NPX frame.

In our case we'll be doing something way simpler. Only do a FXSAVE/FNSAVE directly of the FPU state registers, in this way we are simplifying the code and the actual logic of Save/Restore mechanism.
2022-05-24 18:39:45 +02:00
George Bișoc
c020966091
[NTOS:KE] Implement the internal FPU state context structure
This is needed to store FPU state information when saving or restoring the floating point state of a system due to a call to KeSaveFloatingPointState or KeRestoreFloatingPointState.
2022-05-24 18:39:45 +02:00
George Bișoc
d88cd0eefc
[NTOS:KE] Move related FPU instrunctions to internal intrinsic file 2022-05-24 18:39:45 +02:00
George Bișoc
657bc083dc
[NTOSKRNL] Add FPU pool tags 2022-05-24 18:39:45 +02:00
Victor Perevertkin
505ac6565a
[NTOS:PNP] Misc IoInvalidateDeviceState fixes
- Add a check for correct PDO before doing anything
- Process the request only for started devices
- Send the request synchronously during the start sequence

This makes Windows' i8042prt.sys work on ReactOS.
Addendum to cf0bc1c132
2022-05-24 05:04:11 +03:00
Hermès Bélusca-Maïto
985468d08a
[NTOS:SE] Replace a bunch of RtlCopyLuid() calls into direct assignations (#4523)
Nowadays' compilers support such direct structure assignations,
and our existing codebase already uses that in other places.
2022-05-23 19:30:37 +02:00
Hermès Bélusca-Maïto
487d8601f9
[NTOS:SE] SepPerformTokenFiltering(): Fix corruption of DynamicPart (#4523)
The problem is that EndMem is changed to point to the DynamicPart of
the token, but the code after that expects it to still point into the
VariablePart instead.

Problem fixed by moving the insertion of RestrictedSids much sooner
(where the original ones are also being copied).
2022-05-23 19:30:36 +02:00
Hermès Bélusca-Maïto
9676188543
[NTOS:SE] NtAdjustGroupsToken(): Avoid double-free on ObReferenceObjectByHandle failure path (#4523) 2022-05-23 19:30:36 +02:00
Hermès Bélusca-Maïto
3370652dfc
[NTOS:SE] Fix locking in SepDuplicateToken() and SepPerformTokenFiltering() (#4523)
Shared locking must be used on the source token as it is accessed for
reading only. This fixes in particular the kmtest SeTokenFiltering that
would hang otherwise on a (wrong) exclusive locking.

- SepPerformTokenFiltering(): Always shared-lock the source token.
  Its callers (NtFilterToken and SeFilterToken) just need to sanitize and
  put the parameters in correct form before calling this helper function.

- Sync comments in NtFilterToken() with SeFilterToken().
2022-05-23 19:30:35 +02:00
Hermès Bélusca-Maïto
b33911b93d
[NTOS:SE] SepPerformTokenFiltering(): Remove useless SEH handling (#4523)
This function is either called inter-kernel (in which case, all
parameters must be valid, and if not, we have to bugcheck), or, it
is called with **captured** parameters (from NtFilterToken) and those
latter ones are now expected to be valid and reside in kernel-mode.
Finally, data copied between token structures reside in kernel-mode
only and again are expected to be valid (if not, we bugcheck).
2022-05-23 19:30:34 +02:00
Hermès Bélusca-Maïto
389a2da7ff
[NTOS:SE] SepCaptureAcl(): Add missing validation of the captured ACL (#4523)
- The ACL is however not validated when the function is called within
  kernel mode and no capture is actually being done.

- Simplify aspects of the function (returning early when possible).
2022-05-23 19:30:34 +02:00
Hermès Bélusca-Maïto
a0bcf90f35
[NTOS:SE] SeValidSecurityDescriptor(): Add missing validation aspects (#4523)
- Add extra bounds checks.
- Add missing RtlValidAcl() calls for verifying the DACL and SACL.
2022-05-23 19:30:33 +02:00
Tuur Martens
4f8bbd141e [NTOS:MM] Fix memory leak in MiMapViewOfDataSection
If inserting the allocated VAD fails, MiMapViewOfDataSection will make no attempt to free the allocated VAD. Nor will it call MiDereferenceControlArea(ControlArea); like other failure return paths. This commit fixes this behavior.
Co-authored-by: Hermès BÉLUSCA - MAÏTO <hermes.belusca-maito@reactos.org>
2022-05-18 12:31:31 +02:00
Tuur Martens
884356a06e [NTOS:MM] Charge and free quotas for VAD allocations
Charge quotas for VAD allocations and free the quotas again when the VADs are freed.

CORE-18028
2022-05-14 15:09:50 +02:00
Marcus Boillat
fa52f2fae0
[NTOS:KE] Fix CPU extended family and model detection
Based on documentation from Geoff Chappell:
https://www.geoffchappell.com/studies/windows/km/cpu/cpuid/00000001h/eax.htm

CORE-17974
2022-05-09 21:50:24 +03:00
Marcus Boillat
00b3e4bc68
[NTOS:KE] Use bitfield structure for x86 CPU signature in EAX register
This makes code a lot more readable. CORE-17974
2022-05-09 21:50:24 +03:00