Commit graph

1724 commits

Author SHA1 Message Date
George Bișoc
d2b8b9ec96
[NTOS:CM] Use the appropriate flags on functions that will call CmCheckRegistry & add missing CmCheckRegistry calls
In addition to that, in some functions like CmFlushKey, CmSaveKey and CmSaveMergedKeys we must validate the underlying hives as a matter of precaution that everything is alright and we don't fuck all the shit up.
2023-11-19 20:44:27 +01:00
George Bișoc
f33da480af
[SDK][CMLIB] Implement CmCheckRegistry and validation private helpers
CmCheckRegistry is a function that provides the necessary validation checks for a registry hive. This function usually comes into action when logs have been replayed for example, or when a registry hive internals have changed such as when saving a key, loading a key, etc.

This commit implements the whole Check Registry infrastructure (cmcheck.c) in CMLIB library for ease of usage and wide accessibility across parts of the OS. In addition, two more functions for registry checks are also implemented -- HvValidateHive and HvValidateBin.

Instead of having the CmCheckRegistry implementation in the kernel, it's better to have it in the Configuration Manager library instead (aka CMLIB). The benefits of having it in the library are the following:

- CmCheckRegistry can be used in FreeLdr to fix the SYSTEM hive
- It can be used on-demand in the kernel
- It can be used for offline registry repair tools
- It makes the underlying CmCheckRegistry implementation code debug-able in user mode

CORE-9195
CORE-6762
2023-11-19 20:44:27 +01:00
George Bișoc
bfcb28787d
[NTOS:CM] Disable hard errors when setting up a new size for a hive file / annotate CmpFileSetSize parameters with SAL
During a I/O failure of whatever kind the upper-level driver, namely a FSD, can raise a hard error and a deadlock can occur. We wouldn't want that to happen for particular files like hives or logs so in such cases we must disable hard errors before toying with hives until we're done.

In addition to that, annotate the CmpFileSetSize function's parameters with SAL.
2023-11-19 20:44:26 +01:00
George Bișoc
0d776beac9
[NTOS:CM] Ignore syncing/flushing requests after registry shutdown
When shutting down the registry of the system we don't want that the registry in question gets poked again, such as flushing the hives or syncing the hives and respective logs for example. The reasoning behind this is very simple, during a complete shutdown the system does final check-ups and stuff until the computer
shuts down.

Any writing operations done to the registry can lead to erratic behaviors. CmShutdownSystem call already invokes a final flushing of all the hives on the backing storage which is more than enough to ensure consistency of the last session configuration. So after that final flushing, mark HvShutdownComplete as TRUE indicating
that any eventual flushing or syncying (in the case where HvSyncHive gets called) request is outright ignored.
2023-11-19 20:44:26 +01:00
Timo Kreuzer
bf95b7e8e5 [NTOS:CC] Do not access VACB after decrementing it's reference count
It might already be deleted by a different thread.
2023-11-17 20:07:55 +02:00
George Bișoc
6438b85605
[NTOS:EX] Bail out on an invalid locale or language ID
NtSetDefaultLocale and ExpSetCurrentUserUILanguage do not probe the given locale or language ID,
and as a result of that these functions would happily take any given argument. This is problematic
because overwriting NLS data (specifically the Default registry key value as its gets set by the
NtSetDefaultLocale syscall itself) with garbage stuff, rendering the system completely unbootable.

In addition to that, these functions do not check the captured language/locale ID against pre-determined
locales or languages pre-installed in the system. This basically means an ID of 1, for example, is still
valid because it is not bogus albeit there is no such a locale of an ID of 1. That value would get passed
to the Default value key and that renders the system unbootable as well.

CORE-18100
2023-11-16 21:09:05 +01:00
Hermès Bélusca-Maïto
cef9f5c4a6
[RTL] Minor formatting, remove redundant 'return'. 2023-11-16 17:06:40 +01:00
Serge Gautherie
3fb5957de1
[NTOS:EX][CSRSRV][WIN32K] Make a few #define more explicit/strict (#5907)
- Add parentheses around macro parameters.
- Add casts on return value for the Interlocked*UL ("Unsigned Long") macros.
2023-11-13 20:55:48 +01:00
Timo Kreuzer
4bd1e81998 [RTL] Get rid of x86 asm version of RtlpGetStackLimits
There is no point in writing this function in asm.
2023-11-10 19:00:41 +02:00
Timo Kreuzer
d831bc4fab [NTOS:MM] Add ASSERTs for VAD table locking 2023-10-24 21:45:27 +03:00
Timo Kreuzer
23589e9bf1 [NTOS:MM] Lock kernel address space in MiInitSystemMemoryAreas
This is required to satisfy VAD locking rules.
2023-10-24 21:45:27 +03:00
Timo Kreuzer
07ad8c4c11 [NTOS:MM] Attach to the target process in MmMapViewOfSection
This is required to satisfy VAD locking rules.
2023-10-24 21:45:27 +03:00
Timo Kreuzer
601bb49c0d [NTOS:MM] Fix MmFreeMemoryArea
- Stay attached while deleting the VAD node
- Acquire the appropriate working set lock when deleting a VAD node
- Both are needed for locking correctness
2023-10-24 21:45:27 +03:00
Timo Kreuzer
de3958dc2b Revert "[NTOS:MM/x64] Temporarily release AddressCreationLock in MmCreateVirtualMappingUnsafeEx"
This reverts commit e685b25e35.
2023-10-24 21:45:27 +03:00
Timo Kreuzer
a662bedab8 [NTOS:MM] Fix bugs in MmAccessFault
- Acquire the appropriate working set lock when calling MmLocateMemoryAreaByAddress
- Do not access MemoryArea without holding the lock (otherwise it can be pulled away under our feet)
- Fix range check for paged pool
2023-10-24 21:45:27 +03:00
Timo Kreuzer
84d0586ca4 [NTOS:MM] Handle page table faults in MmArmAccessFault
These faults are handled by ARM³ and we don't need to check for a memory area. They can be recursive faults (e.g. from MiDeleteSystemPageableVm), so we might be holding the WS lock already. Passing it straight to ARM³ allows to acquire the WS lock below to look up the memory area.
2023-10-24 21:45:27 +03:00
Timo Kreuzer
a8b57f0a6b [NTOS:MM] Fix address space locking in MiProtectVirtualMemory 2023-10-24 21:45:27 +03:00
Timo Kreuzer
6d701b4b05 [NTOS:MM] Add ASSERTS to MmLockAddressSpace to guarantee lock ordering 2023-10-24 21:45:27 +03:00
Hermès Bélusca-Maïto
501c2bdd63
[NTOS:LPC] Fix input parameter for ProbeAndCaptureUnicodeString (#5815)
Addendum to commit b3c55b9e6 (PR #4399).

Passing &CapturedObjectName as pointer to be probed and captured would
fail if e.g. PreviousMode == UserMode, since that pointer is always in
kernel space. Instead, pass the original user-mode pointer.

Bug caught by Timo Kreuzer ;)
2023-10-23 18:18:45 +02:00
Timo Kreuzer
e685b25e35 [NTOS:MM/x64] Temporarily release AddressCreationLock in MmCreateVirtualMappingUnsafeEx
This is a hack, because the kernel mode path can incur a recursive page fault with the AddressCreationLock acquired, which would lead to a recursive acquisition, once we do proper locking in MmAccessFault.
To properly fix this the PDE must be made valid, similar to the user mode path, but that is not that simple...
2023-10-07 10:58:30 +03:00
George Bișoc
d72025649b
[NTOS:SE] Mute the access denied DPRINTs
They can be spammy. Also clarify these debug prints, because some people
think that "failed to grant access rights" means there's something wrong
in the core access check functions.
2023-10-04 18:04:30 +02:00
George Bișoc
09bfd96f3b
[NTOS:SE] HACK: Temporarily add the Local group SID to the system token
Temporarily add the local group to the system token so that Virtualbox
GA services can properly set up network drives for shared folders.

What happens is that a security descriptor has a DACL with only one ACE
that grants access to Local SID (presumably coming from Vbox?)
but the client token is that of the service which is a SYSTEM token.
Perhaps we are not impersonating the right user or whatever else.

This is only a temporary placebo, until a proper solution is found.

CORE-18250
2023-10-04 18:04:30 +02:00
George Bișoc
4b4638dc55
[NTOS:SE] HACK: Temporarily grant access to the client if empty generic mapping was passed
Certain apps such as AIM installer passes an empty generic mapping (this can
be understood with their generic masks set to 0) and our code tries to map
the access right from an ACE with the mapping provided by AccessCheck.

This can lead to a bug where we would not be able to decode the generic right
from an ACE as we need a proper generic mapping in order to do so. A mask
right that is not decoded it cannot be used to mask out the remaining rights,
further resulting into a denied access right.

What Windows does instead is they are mapping the ACE's rights in another place,
presumably when setting security data to an object, and they are using the
generic mapping passed by the kernel.

What we can do for the time being is to temporarily grant access to the client,
but only if they are an administrator.

CORE-18576
2023-10-04 18:04:29 +02:00
Timo Kreuzer
410b1030c0 [NTOS:KE/x64] Implement detection of more KF_* feature flags
- Detect KF_SSSE3, KF_SSE4_1, KF_SSE4_2, KF_RDRAND, KF_BRANCH, KF_SLAT, KF_GENUINE_INTEL, KF_AUTHENTICAMD, KF_ACNT2, KF_SMEP, KF_SMAP, KF_RDWRFSGSBASE, KF_XSAVEOPT, KF_XSAVES, KF_HUGEPAGE, KF_RDTSCP
2023-10-03 19:45:44 +03:00
Timo Kreuzer
1a7ab2fe68 [NTOS:KE/x64] Use structures for CPUID 2023-10-03 19:45:44 +03:00
Timo Kreuzer
70f6ed8ee3 [NTOS:KE/x64] Improve CPU feature detection
- Use 64 bit feature flags (with a hack in the PRCB)
- Improve setting up SharedUserData->ProcessorFeatures
2023-10-03 19:45:44 +03:00
Timo Kreuzer
47c1dcd023 [NDK] Update kernel feature bits constants
- Move them into architecture specific headers.
- Add missing constants based on https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kprcb/featurebits.htm
- Yes, they are 64 bits
2023-10-03 19:45:44 +03:00
George Bișoc
50f367fa58
[NTOS:CM] Use COMPUTE_HASH_CHAR to compute the conv hash key
We have a dedicated macro definition for that so just use it.
2023-10-03 11:01:21 +02:00
George Bișoc
c0ea1f96ef
[NTOS:CM][DOCUMENTATION] Provide documentation for newly added functions 2023-10-01 20:06:03 +02:00
George Bișoc
f4de5ceb9e
[NTOS:CM] Implement cache lookup and cleanup subkey information for cache consistency
During an open or create procedure of a registry key, the registry parser grabs
a key control block (KCB) from the parser object and uses its information to do the
necessary work in order to obtain a pointer to the newly created or opened registry key.

However, the registry parsers faces several issues. First, we don't do subkey cache cleaning
information against gathered KCBs so whenever we do a registry parse we end up with KCBs
that have cache inconsistencies. Moreover we don't do any locking of whatever KCB we
are grabing during a parse procedure.

=== PROPOSED CHANGES ===

* Implement CmpComputeHashValue and CmpLookInCache functions. With CmpComputeHashValue we can
compute the convkey hashes of each subkey in the path name of a key so we can lock them
with CmpBuildAndLockKcbArray. CmpLookInCache is a function that searches for the suitable
KCB in the cache. The factors that determine if a KCB is "suitable" are:

-- the currently found KCB in the hash list has the same levels as that of the
given KCB from the parse object;

-- The key names from the computed hash values match with the block name of
the KCB;

-- The currently found KCB is not deleted.

The KCB will be changed if the key path name points to a partial match name in
the cache. The KCB from the parse object will be used if we have a full match
of remaining levels.

* Add missing CMP_LOCK_HASHES_FOR_KCB flags on CmpCreateKeyControlBlock calls
that create KCBs during a parse procedure. Such lock has to be preserved until
we're done with the registry parsing.

* On CmpDoCreateChild, preserve the exclusive lock of the KCB when we are
enlisting the key body.

* On CmpDoCreate, make sure that the passed parent KCB is locked exclusively and
lock the hiver flusher as we don't want the flusher to kick in during a key
creation on the given hive. Cleanup the subkey info when we're creating a key
object. Also implement missing cleanup path codes. Furthermore, avoid key
object creation if the parent KCB is protected with a read-only switch.

* Soft rewrite the CmpDoOpen function, namely how we manage a direct open vs
create KCB on open scenario. When a KCB is found in cache avoid touching
the key node. If the symbolic link has been resolved (aka found) then lock
exclusively the symbolic KCB. Otherwise just give the cached KCB to the caller.

If it were for the caller to request a KCB creation, we must check the passed
KCB from the parser object is locked exclusively, unlike on the case above
the caller doesn't want to create a KCB because there's already one in the cache.
We don't want anybody to touch our KCB while we are still toying with it during
its birth. Furthermore, enlist the key body but mind the kind of lock it's been
used.

* On CmpCreateLinkNode, avoid creating a key object if the parent KCB is protected
with a read-only switch. In addition, add missing hive flusher locks for both
the target hive and its child. Cleanup the subkey information of the KCB when
creating a link node, this ensures our cached KCB data remains consistent.

* Do a direct open on CmpParseKey if no remaining subkey levels have been found
during hash computation and cache lookup, in this case the given KCB is the
block that points to the exact key. This happens when for example someone tried
to call RegOpenKeyExW but submitting NULL to the lpSubKey argument parameter.

CORE-10581
ROSTESTS-198
2023-10-01 20:06:02 +02:00
George Bișoc
8cb56e77a6
[NTOS:CM] Do not call CmpSecurityMethod when assigning a security descriptor
CmpSecurityMethod is a method used by the Object Manager and called by this
subsystem whenever a security operation has to be done against a key object.

As CmpSecurityMethod is a specific OB construct we should not make any direct
call attempts to CmpSecurityMethod, only OB is responsible for that. This fixes
a deadlock where CmpSecurityMethod acquires a push lock for exclusive access
even though such lock is already acquired by the same calling thread in
CmpDoCreateChild.
2023-10-01 20:06:02 +02:00
George Bișoc
7fd6f86803
[NTOS:CM] Do not acquire a KCB lock twice when deleting a key object
This prevents a deadlock in DelistKeyBodyFromKCB when we delete a key
object because of an access check failure during a open procedure of a
registry key, as we are already holding a lock against the target KCB of
the key body.
2023-10-01 20:06:02 +02:00
George Bișoc
697a52aa33
[NTOS:CM] Do not acquire the lock twice when the Object Manager calls CmpSecurityMethod
Whenever a security request is invoked into a key object, such as when requesting
information from its security descriptor, the Object Manager will execute
the CmpSecurityMethod method to do the job.

The problem is that CmpSecurityMethod is not aware if the key control block
of the key body already has a lock acquired which means the function will attempt
to acquire a lock again, leading to a deadlock. This happens if the same
calling thread locks the KCB but it also wants to acquire security information
with ObCheckObjectAccess in CmpDoOpen.

Windows has a hack in CmpSecurityMethod where the passed KCB pointer is ORed
with a bitfield mask to avoid locking in all cases. This is ugly because it negates
every thread to acquire a lock if at least one has it.
2023-10-01 20:06:02 +02:00
George Bișoc
08fcf0c58b
[NTOS:CM] Implement locking/unlocking of KCBs in an array
The CmpUnLockKcbArray, CmpLockKcbArray and CmpBuildAndLockKcbArray routines
help us to lock KCBs within array so that information remains consistent when
we are doing a cache lookup during a parse procedure of the registry database.
2023-10-01 20:06:01 +02:00
George Bișoc
c6230ba255
[NTOS:CM] Add KCB array lock function prototypes & Other Stuff
Implement CmpBuildAndLockKcbArray and CmpUnLockKcbArray prototypes, we'll gonna need these
to do the locking/unlocking of KCBs stacked up in an array. In addition implement some CM
constructs specifically for cache lookup implementation (more at documentation remarks).

=== DOCUMENTATION REMARKS ===

CMP_SUBKEY_LEVELS_DEPTH_LIMIT -- This is the limit of up to 32 subkey levels
that the registry can permit. This is used in CmpComputeHashValue to ensure
that we don't compute more than the limit of subkeys we're allowed to.

CMP_KCBS_IN_ARRAY_LIMIT -- This is equal to CMP_SUBKEY_LEVELS_DEPTH_LIMIT
plus the addition by 2. This construct is used as a limit of KCB elements
the array can hold. 2 serves as an additional space for the array (one for
the root object and another one as extra space so we don't blow up the stack
array).

CMP_LOCK_KCB_ARRAY_EXCLUSIVE & CMP_LOCK_KCB_ARRAY_SHARED -- These flags are used exclusively
for CmpBuildAndLockKcbArray and CmpLockKcbArray. Their meaning are obvious.

CM_HASH_CACHE_STACK -- A structure used to store the hashes of KCBs for locking. It is named
"stack" because the way we store the hashes of KCBs is within an auxilliary "outer stack array".
2023-10-01 20:06:01 +02:00
George Bișoc
8a335a3141
[NTOS:CM] Implement the shared lock macro for use
CmpAcquireKcbLockSharedByKey can come in handy for use to lock KCBs by their convkey with a shared lock, specifically we would need this for cache lookup stuff.
2023-10-01 20:06:00 +02:00
George Bișoc
26fe3616fe
[NTOS:CM] Implement COMPUTE_HASH_CHAR macro definition
Wrap the hash computation formula in a macro so that we don't have to copy
the logic over the places again and again.
2023-10-01 20:06:00 +02:00
George Bișoc
a4213d491d
[NTOS:CM] Add surrounding parentheses to GET_HASH_INDEX definition 2023-10-01 20:05:57 +02:00
Joachim Henze
8c76870639 [NTOS:MM] Fix missing \n in unimplemented codepath DPRINT
We can hit that unimplemented code-path-line in NtQuerySection()
when browsing youtube.com with Chromium 49.
2023-09-30 19:06:30 +02:00
Serge Gautherie
c84b5007d0
[NTOS:CM] Simplify CmpDelayAllocBucketLock code a bit (#5729)
- Remove duplicate CmpDelayAllocBucketLock definition.
- Remove an else.
2023-09-28 11:39:13 +02:00
Timo Kreuzer
03283371c1 [NTOS/Mm] Fix SWAPENTRY bit-check in MmCreatePageFileMapping
Test for the highest bit, not for bit 3 / 7.
2023-09-28 01:19:47 +03:00
Serge Gautherie
9ca88bef80
[NTOS:MM] Fix 'eanbled' typo in a comment (#5728) 2023-09-27 17:31:42 +00:00
Timo Kreuzer
8227c5d380 [NTOS] Implement support for opting out of NX policy
Fixes crash in ntdll_winetest info on x64.
2023-09-26 18:04:19 +03:00
Timo Kreuzer
df053d4e43 [RTL] Improve usage of absolte vs self-relative security descriptors
- RtlpQuerySecurityDescriptor: Change argument type of first parameter from PISECURITY_DESCRIPTOR to PSECURITY_DESCRIPTOR, since it handles both absolute and self-relative SDs.
- RtlMakeSelfRelativeSD: rename first parameter from AbsoluteSD to SecurityDescriptor, since it handles both absolute and self-relative SDs.
- SepGetGroupFromDescriptor/SepGetOwnerFromDescriptor/SepGetDaclFromDescriptor/SepGetSaclFromDescriptor: Change parameter type from PVOID to PSECURITY_DESCRIPTOR for clarity.
2023-09-26 18:01:45 +03:00
Timo Kreuzer
ed06c06dcb [NTOS:CM] Fix lock leak
Triggered by low available pool memory during kmtest ExPools.
2023-09-23 18:34:00 +03:00
Hermès Bélusca-Maïto
4bdfee8e8b
[NTOS:EX] Initialize ExpResourceTimeoutCount also via the "Session Manager/ResourceTimeoutCount" registry value (#4089)
For more details, see
http://systemmanager.ru/win2k_regestry.en/29859.htm
https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/102985#ResourceTimeoutCount_REG_DWORD
2023-09-21 13:33:28 +02:00
Hermès Bélusca-Maïto
b5c75ce506
[NTOS:EX] Minor header formatting. 2023-09-21 13:33:25 +02:00
Timo Kreuzer
26a64324e7 [NTOSKRNL/x64] Fix a bug in KeSwitchKernelStack
Don't safe anything in the callee's home space, because the callee can overwrite it. Use the functions home space instead.
2023-09-17 10:37:50 +03:00
Ratin Gao
4c8a2a8815
[KERNEL32][KERNEL32_APITEST] Implement user-mode UEFI / Firmware API (#5149)
- Implement firmware environment variable read/write APIs
- Add, fix and improve related definitions and declarations
- Add kernel32:UEFIFirmware apitest

CORE-11954
2023-09-14 22:14:07 +03:00
Timo Kreuzer
9666f00572 [WIN32K][NTOS] Fix parameter to MmMapViewOfSection
The code was passing 0 instead of SECTION_INHERIT::ViewUnmap (2). 0 isn't even a proper constant to be used here. It worked, because MmMapViewOfSection only compares against ViewShare (1) and treats everything else as ViewUnmap.
2023-09-09 12:15:24 +03:00
Timo Kreuzer
583be404dd [NTOSKRNL/x64] Fix bug in KiInitializeContextThread
The function set CtxSwitchFrame->ApcBypass to FALSE, preventing APCs (like when user mode sets the context while the thread is suspended) from being delivered as soon as the thread lowers IRQL to PASSIVE_LEVEL. This resulted in the SetContext APC to be delivered only after the user mode APC was initialized, overwriting the user mode APC context in the trap frame. This caused kernel32_winetest process to break.
2023-09-07 01:16:14 +03:00
Joachim Henze
195c491880 [NTOSKRNL] Mute some good-path log-spam, no functional change
Now that the Memory Management is a bit more under control again,
and branching releases/0.4.15 is near,
do mute some frequent log-spam that got introduced during 0.4.15-dev'ing
regarding lazy-flushes and MM balancing.
It frequently logged even while being idle.
Slightly improve the headers of the two touched files.
No rocket-science.
2023-09-06 14:53:53 +02:00
Doug Lyons
2b14056600
[NTOS:CC][NTOS:MM] Add back CcRosTrimCache and add Delay for MM to work. (#5630)
MM/CC Add back CcRosTrimCache as suggested by Thomas Faber which was removed in 0.4.15-dev-1717-g 	d8cdb89fb0
and call it once in a while also during read-operations.

fixes JIRA issue: CORE-17624 'Cannot copy files > RAMsize anymore using TotalCommander'


1st testbot results on top of 0.4.15-dev-6526-g8d35887
VBox: https://reactos.org/testman/compare.php?ids=89111,89120 (additional random reboot in winhttp:winhttp)
KVM: https://reactos.org/testman/compare.php?ids=89110,89119
We do assume that reboot to be unrelated.

2nd testbot results on top of 0.4.15-dev-6526-g8d35887
VBox: https://reactos.org/testman/compare.php?ids=89111,89232
KVM: https://reactos.org/testman/compare.php?ids=89110,89233
2023-09-06 13:34:25 +02:00
Hermès Bélusca-Maïto
c66a1582ac
[NTOS:EX] Add some missing PoNotifySystemTimeSet() calls. Stub out NtSetSystemTime() with NULL parameter.
- They notify, via the "\\Callback\\SetSystemTime" callback, components
  of a change of system time (for example, Win32k).
  Note, that our Win32k currently does not handle power callouts, so
  it isn't affected by these changes (yet).

- NtSetSystemTime(NULL, ...) means "update system time using the current
  time-zone information", which is something we don't implement yet.
  (And, nothing was previously protecting this call from a NULL parameter...)
2023-09-03 17:39:39 +02:00
Hermès Bélusca-Maïto
b2294b4c84
[NTOS:KD] Fix release builds. 2023-08-31 17:10:34 +02:00
Hermès Bélusca-Maïto
0d0ffb7d7d
[NTOS:KD:KDBG] Integration into KD framework (Part 2/3)
Add redirections for KdSave/KdRestore and KdD0Transition/KdD3Transition.

Both KDBG and KD(TERM) need those since they will become external
transport DLLs later.
2023-08-31 16:09:49 +02:00
Hermès Bélusca-Maïto
2046a17ef4
[NTOS:KD:KDBG] Integration into KD framework (Part 1/3)
Split KdSendPacket and KdReceivePacket into those that manipulate the
KDBG state proper (reside in kdbg/kdbg.c), and those that deal only with
debug input/output that will reside in a KDTERM "KD Terminal Driver" DLL.

Based on some previous preparatory work by Hervé Poussineau in PR #4600.
(Equivalents of commits 5162bf106 and partly e9bcf7275.)
2023-08-31 16:07:51 +02:00
Hermès Bélusca-Maïto
8c0c2e2be7
[NTOS:KDBG] Temporarily HACK-remove the duplicated kdb:> when displaying the interactive KDBG prompt. 2023-08-30 12:24:36 +02:00
Hermès Bélusca-Maïto
86e0d5e9b8
[NTOS:MM/PS] Remove code duplication between LookupEntryPoint/MiLocateExportName/MiFindExportedRoutineByName. (#4918)
As it turns out, those three functions were duplicating the same code
between each other. Reimplement these in terms of a common helper,
RtlFindExportedRoutineByName().
Indeed: MiFindExportedRoutineByName() was just MiLocateExportName()
but taking a PANSI_STRING instead of a NULL-terminated string.

A similar state of affairs also existed in Windows <= 2003, and the
MS guys also noticed it. Both routines have been then merged and renamed
to MiFindExportedRoutineByName() on Windows 8 (taking a PCSTR instead),
and finally renamed and exported as RtlFindExportedRoutineByName()
on Windows 10.
2023-08-29 17:26:57 +02:00
Hermès Bélusca-Maïto
d8695eee1e
[NTOS:MM] Add missing validation of Ordinal in MiLocateExportName (#4918) 2023-08-29 17:26:57 +02:00
Hermès Bélusca-Maïto
4e55236662
[NTOS:MM/PS] De-duplicate export name-to-ordinal functionality (#4918)
It was implemented in psmgr.c but in a recursive way. That implementation
is replaced, in the NameToOrdinal() helper, by the better non-recursive one
found in the MiLocateExportName() and MiFindExportedRoutineByName() functions.

This NameToOrdinal() helper is then called in lieu of the duplicated code
in MiLocateExportName() and MiFindExportedRoutineByName(). In addition,
one block of code in MiSnapThunk() is simplified in a similar manner.
2023-08-29 17:26:56 +02:00
Hermès Bélusca-Maïto
e8b048a282
[NTOS:MM] Reformat MmCallDllInitialize and MiCallDllUnloadAndUnloadDll. 2023-08-29 17:26:55 +02:00
unknown
310563aece
[NTOS:SE] Let SepGetSidFromAce figure out the ACE type
As the commit title says. Instead of having the caller figuring out what
the ACE type should be of the ACE.
2023-08-23 17:54:47 +02:00
George Bișoc
8289de6ef7
[NTOS:SE] Cast the ACE to known ACE type variants on SepGetSidFromAce
ACCESS_DENIED_ACE_TYPE, ACCESS_ALLOWED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE and
SYSTEM_ALARM_ACE_TYPE belong to the same commonly internal ACE type, aka KNOWN_ACE,
as each of these ACEs have the same structure field offsets.

The only difference are ACCESS_DENIED_OBJECT_ACE_TYPE and ACCESS_ALLOWED_OBJECT_ACE_TYPE
as they have their own internal ACE type variant, the KNOWN_OBJECT_ACE structure.

The general guideline is that public ACE structure variants have to be used elsehwere
such as in UM whilst the kernel has to use the internal known ACE type variants when possible.
2023-08-22 17:54:18 +02:00
George Bișoc
a42f642ea1
[NTOS:SE] Implement access security checks by type
- Implement SepDenyAccessObjectTypeResultList, SepAllowAccessObjectTypeResultList,
SepDenyAccessObjectTypeList and SepAllowAccessObjectTypeList. These routines will
be used to grant or deny access to sub-objects of an object in the list.

- Refactor SepAnalyzeAcesFromDacl and SepAccessCheck to accomodate the newly
implemented access check by type mechanism.

- SepAccessCheck will now be SepAccessCheckWorker, a worker helper function that further
abstracts the access check mechanism in the kernel. Whereas the SepAccessCheck name will be
used as a centralized function used by the access check NT system calls.

- Deprecate SepGetSDOwner and SepGetSDGroup in favor of SepGetOwnerFromDescriptor and
SepGetGroupFromDescriptor. The former functions were buggy as they might potentially
return garbage data if either the owner or group were passed as NULL to a security
descriptor, hence a second chance exception fault. This was caught when writing tests
for NtAccessCheckByType.

- Shorten the debug prints by removing the name of the functions, the person who reads
the debugger output has to look at the source code anyway.
2023-08-22 17:54:17 +02:00
George Bișoc
e38f4c2b36
[NTOS:SE] Implement object type list utilities
This implements various private kernel routines for object type list management
needed for access check code infrastructure. In addition, update the code documentation
and add missing comments.
2023-08-22 17:54:17 +02:00
George Bișoc
5f3fab72a9
[NTOS:SE] Implement SepDumpAccessAndStatusList
This function will dump all the access status and granted access rights
of each object list of a list whenever an access check by type (or by type
result list) fails. This is for debugging purposes.
2023-08-22 17:54:17 +02:00
George Bișoc
5654ce7b9a
[NTOS:SE] Declare function prototypes & add OBJECT_TYPE_LIST_INTERNAL
OBJECT_TYPE_LIST_INTERNAL will serve as an internal kernel data structure
to hold validated object type contents that are copied from UM.

The difference between the public and the internal one is that the internal structure has
an additional member for access check rights that have been granted on each
object element in the list.
2023-08-22 17:54:17 +02:00
Hermès Bélusca-Maïto
5472c3e853
[NTOS:MM] MiResolveImageReferences: Use boolean values for GdiLink and NormalLink. 2023-08-19 19:06:20 +02:00
Doug Lyons
e6ca3952e0
[NTOS:CC] Fix locking of CcRosVacbIncRefCount in CcRosCreateVacb (#5527)
CORE-17624
2023-08-12 19:10:34 +02:00
Timo Kreuzer
9bc5b8357a [NTOS:MM] Fix use-after-free error
The VAD / memory area can get deleted when calling MmUnmapViewOfSegment, so it must not be used after that.
2023-08-05 11:57:58 +03:00
Joachim Henze
53b30e3f3b [NTOSKRNL][NTGDI] Formatting addendum, no functional change
I intend to port back the combined work of Thomas Faber and Serge Gautherie in context of CORE 14271.
Both developers fixed wrong retval evaluations for SeSinglePrivilegeCheck() and RtlCreateUnicodeString().
Both functions do return a BOOLEAN, and therefore using NTSTATUS() on them is wrong.
Those bugs have been fixed at multiple places. That is long gone.

But Serge fixed his locations a bit more elegantly, without the need for additional variables.
Therefore this addendum adapts a few of Thomas locations to the improved Serge-ified style.

Yes: I intentionally used a space instead of a minus after the mentioned CORE 14271,
as I don't want that pure stylistic addendum to be linked with the initial ticket anymore.
That would be overkill.
2023-08-01 22:32:25 +02:00
Timo Kreuzer
539c316589 [NTOS:Mm] Fix some 64 bit issues 2023-07-29 14:00:44 +03:00
Jérôme Gardou
69daff72d2 NTOS:CC Free some VACBs when we're under memory pressure 2023-07-29 14:00:44 +03:00
Jérôme Gardou
470ad18825 Revert "[NTOS:CC] Wake up lazy scan after inserting elements in the list."
This reverts commit 6e4f83da70.
2023-07-29 14:00:44 +03:00
Timo Kreuzer
876769fdd5 [NTOS:Mm] Use MmRebalanceMemoryConsumersAndWait in the page fault handler 2023-07-29 14:00:44 +03:00
Timo Kreuzer
047dc9729f [NTOS:Mm] Implement MmRebalanceMemoryConsumersAndWait 2023-07-29 14:00:44 +03:00
Timo Kreuzer
7c6e4d38c7 [NTOS:Mm] Handle failure to allocate pages in the page fault handler 2023-07-29 14:00:44 +03:00
Timo Kreuzer
3ae12d5a8c [NTOS:Mm] Fail gracefully when no pages are available 2023-07-29 14:00:44 +03:00
Timo Kreuzer
d7de53b6d5 [NTOS:Mm] Bail out in MmTrimUserMemory, when all LRU pages have been looped through 2023-07-29 14:00:44 +03:00
Timo Kreuzer
5f014e421b [NTOS:Mm] Handle RosMm pages in MiDecrementReferenceCount
This is required, when RosMm unmaps locked pages and they later get unlocked.
2023-07-29 14:00:44 +03:00
Timo Kreuzer
80dd9f5a90 [NTOS:Mm] Add PFN ShareCount handling to old Mm 2023-07-29 14:00:44 +03:00
Timo Kreuzer
73de609917 [NTOS:Mm] Implement MmCreatePhysicalMapping and MmDeletePhysicalMapping to handle pyhsical memory sections 2023-07-29 14:00:44 +03:00
Timo Kreuzer
918e331970 [NTOS:Mm] Fix race condition in _MmSetPageEntrySectionSegment
The function updates the entry in the section page table and updates the section association rmaps for it. In the page-in path, when the new section association is set before the entry is updated, a concurrent attempt to unmap the page would find an inconsistent entry, where there is an rmap, but the section page table entry is still an MM_WAIT_ENTRY.
2023-07-29 14:00:44 +03:00
Timo Kreuzer
54d1b39676 [NTOS:Mm] Fix locking for MmGetSectionAssociation
MmGetSectionAssociation races with _MmSetPageEntrySectionSegment without sharing a lock. So we need to hold the PFN lock, until we have referenced the section segment found in the RMAP. This prevents that a section segment, which still has associated RMAPs from being deleted behind our back.
2023-07-29 14:00:44 +03:00
Timo Kreuzer
477792856e [NTOS:Mm] Replace YieldProcessor() with KeDelayExecutionThread()
These are used in the paging path, when the page is currently in the process of being read from or written to the disk. While YieldProcessor() provides the chance to switch context to the other paging thread, it only does so, once the current thread's quantum has expired. On a single CPU system this effectively leads to busy waiting for the rest of the quantum. On SMP systems this could succeed earlier, thus reducing latency, but it would still contribute to high CPU usage, while waiting for the IO operation to complete, which is not what we want.
Using KeDelayExecutionThread() will instantly allow another thread to run, providing enough time to complete the IO operation.
2023-07-29 14:00:44 +03:00
Jérôme Gardou
57e018acf6 [NTOS:MM] Use FORCEINLINE instead of simple inline
inline implies an implementation must exist in another compilation unit
2023-07-23 23:58:42 +02:00
Stanislav Motylkov
e2a587c2ef [NTOS:KE/x64] Calculate the CPU frequency on AMD64
This should be performed early enough before CM initialization,
but after the TSC has been initialized and calibrated by HAL.

Based on existing i386 kiinit code. CORE-17971 CORE-14922
2023-07-15 20:50:12 +03:00
Justin Miller
dabe7fba46
[NTOS:IO] Implement IoConnectInterruptEx for fully specified interrupt types (#5416)
Implement IoConnectInterruptEx() for CONNECT_FULLY_SPECIFIED.
This gives ability to load various modern drivers that use IoConnectInterruptEx.

Various drivers work after this change, such as serial.sys MS sample driver when compiled with the reactos tree and many more KMDF drivers from later Windows versions.

Co-authored-by: Victor Perevertkin <victor@perevertkin.ru>
2023-07-14 16:17:27 -07:00
Stanislav Motylkov
5ae65ab7a7 [NTOS:KE] Add x86 CPU features reporting to AMD64
CORE-18023 CORE-14922
2023-07-02 21:00:32 +03:00
Stanislav Motylkov
6a6b383abd [NTOS:KE] Report x86 CPU features in a separate function
KiGetFeatureBits() is now being called in the early boot phase 0
when the Kernel Debugger is not yet initialized, so debug prints
are not available here. Move the debug prints into a new function
and call it at the right time. CORE-18023
2023-07-02 21:00:31 +03:00
Stanislav Motylkov
00715ccf8b [NTOS:KE] Fix magic constants for x86 CPU features
Do it the same way as in amd64 ke.h/cpu.c. CORE-18023
2023-07-02 21:00:31 +03:00
Eugen Podrug
8e01dee251 [NTOS:EX] Fix swapped values in ExGetCurrentProcessorCounts() (#4565)
The function should return the kernel time for the idle thread in the
first argument, and kernel time + user time for the current thread in
the second argument.

Also retrieve the processor number from the cached PRCB instead of
calling KeGetCurrentProcessorNumber() which retrieves the PRCB again
since the processor could switch in-between those calls.

NdisGetCurrentProcessorCounts() function follows the same prototype
which is the correct one.
2023-07-02 16:10:36 +03:00
Victor Perevertkin
8cfc4a3376
[NTOS:PNP] Complete the PlugPlayControlInitializeDevice control class
Besides creating the PDO and device node for it, it has to set up the
necessary registry keys, and register PDO at PnP root driver properly.

CORE-18989
2023-06-29 19:25:28 +03:00
Victor Perevertkin
6cac5b8c9e
[NTOS:PNP] Refactor PnpRootCreateDevice
- Remove unused "DriverObject" argument
- Make "FullInstancePath" mandatory
- Extract the PDO creation into separate function, it will be used later
2023-06-29 19:25:28 +03:00
Victor Perevertkin
bbf64c0cc4
[NTOS:PNP] Do not create an extra "PDO" device inside PnP root driver
The root device object is in fact a PDO and a FDO at the same time. Thus
there is no need in creating two device objects here, one is enough.
This commit also removes the explicit device extension for the root DO,
because the only reason it existed is to distinguish the root driver's
FDO from its PDOs. This can easily be done by comparing with
IopRootDeviceNode.

Also collect some unused garbage while we are here.
2023-06-29 19:25:25 +03:00
Hermès Bélusca-Maïto
6409f97bc4
[NTOS:CONFIG] Use correct "Interface" variable type; use InterfaceTypeUndefined instead of -1. 2023-06-25 21:25:06 +02:00
George Bișoc
0972f71d9a
[NTOS:PNP] Assert the presence of a device extension when handling PnP root power IRPs
Handling PnP root driver power IRPs requires that a device object must come up
with a device extension to determine whether it is a function driver and if so,
handle the IRP accordingly.

CORE-18989
2023-06-18 20:44:13 +02:00
Hermès Bélusca-Maïto
84b4a80beb
[NTOS:IO] Fix some bugs in the IoQueryDeviceDescription helpers (#5320)
- Add missing ExAllocatePool NULL checks.

- Fix order of KeBugCheckEx parameters for PNP_DETECTED_FATAL_ERROR.

- The Controller and Peripheral numbers are zero-based, so if the caller
  wants to inspect controller (or peripheral) zero, let it be so!
  The original code was treating controller number zero for enumerating
  controllers of a given class within the different buses, which is
  wrong. See the diff'ed trace below.
  Tested with Windows' videoprt.sys VideoPortGetDeviceData().

```diff
 IoQueryDeviceDescription()
     BusType:          0xB093C224 (0)
     BusNumber:        0xB093C228 (0)
     ControllerType:   0xF9D01030 (19)
     ControllerNumber: 0xF9D01038 (0)
     PeripheralType:   0x00000000 (4294967295)
     PeripheralNumber: 0x00000000 (4294967295)
     CalloutRoutine:   0xF9CF74E4
     Context:          0xF9D5A340
 --> Query: 0xF9D5A22C

 IopQueryBusDescription(Query: 0xF9D5A22C)
     RootKey: '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM'
     RootKeyHandle: 0x00000598
     KeyIsRoot: TRUE
     Bus: 0xF9D5A290 (4294967295)
     Seen: 'CentralProcessor'
     Seen: 'FloatingPointProcessor'
     Seen: 'MultifunctionAdapter'
     SubRootRegName: '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter'

 IopQueryBusDescription(Query: 0xF9D5A22C)
     RootKey: '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter'
     RootKeyHandle: 0x00000590
     KeyIsRoot: FALSE
     Bus: 0xF9D5A290 (4294967295)
     Seen: '0'
     SubRootRegName: '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0'
     Getting bus value: 'Identifier'
     Getting bus value: 'Configuration Data'
     Getting bus value: 'Component Information'
     --> Getting device on Bus #0 : '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0'

 IopQueryDeviceDescription(Query: 0xF9D5A22C)
     RootKey: '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0'
     RootKeyHandle: 0x00000590
     Bus: 0
-    Enumerating controllers in '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\DisplayController'...
+    Getting controller #0
+    Retrieving controller '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\DisplayController\0'
```
2023-06-14 11:20:56 +02:00
Stanislav Motylkov
7d5e159131 [NTOS:PNP] Assign correct PnP IDs to the devices detected by bootloader
Based on a commit by Vadim Galyant:
5ef5c11e7f

Also fix a minor type conversion warning. CORE-18963 CORE-17977

Co-authored-by: Vadim Galyant <vgal@rambler.ru>
2023-06-11 16:19:02 +03:00
Sophie Lemos
29a706fc5a [NTOS:PNP] Fix bug causing all devices be considered as already existing
We should compare against DeviceObject as DeviceInstance is never NULL.
Fix a resource leak as well. The bug CORE-18983 seems to lay somewhere
else though, I just stumbled upon this one while researching it.

Note there is a BSOD in the PnP manager on reboot after the driver
installation failure, but it seems it was uncovered by the fix
as opposed to caused by it.
2023-06-11 13:13:11 +03:00
George Bișoc
59e74584ac
[NTOS:SE] Refactor SeTokenCanImpersonate
- Refactor most of the code, since there's quite some stuff that don't make much sense.
For instance ImpersonationLevel is basically the requested impersonation level a
server asks for. PsImpersonateClient doesn't explicitly say that SecurityAnonymous
and SecurityIdentification are not allowed. If the server was to give such levels
it simply means it doesn't want to impersonate the client.

Another thing that doesn't make much sense is that we check if the client is
associated with an anonymous token, then avoid impersonating regular anonymous
tokens that weren't created by the system. Only system can create such tokens
and an anonymous token basically means a token with hidden security info.

- Check that the server is within the same client logon session.

- If the server is granted the SeImpersonatePrivilege privilege, allow impersonation
regardless of the conditions we want to check for.

- Update the documentation and code comments.
2023-06-09 11:53:56 +02:00
George Bișoc
8e2fe925f2
[NTOS:PS] Do not reference the copied token twice and properly assign the impersonation level in case the server can't impersonate
As it currently stands the PsImpersonateClient routine does the following approach.
If impersonation couldn't be granted to a client the routine will make a copy
of the client's access token. As it makes a copy of the said token PsImpersonateClient
will reference the copied token after impersonation info have been filled out.
In the same code path we are assigning the desired level for impersonation to thread
impersonation info.

This is wrong for two reasons:

- On a copy situation the SeCopyClientToken routine holds a reference as the object
has been created. Referencing it at the bottom of the PsImpersonateClient routine
will make it that the token is referenced twice and whenever a server stops
impersonation the token still has an extra reference count which keeps the token
still alive in object database and memory space.

- If client impersonation is not possible the thread impersonation info should
have been assigned SecurityIdentification level to further indicate that the
actual impersonation of the thread is not currently in force but instead we
are assigning the impersonation level that is supplied by the caller. For instance
if the requested level is SecurityDelegation but impersonation is not possible
the level will be assigned that of SecurityDelegation yet the token has an
impersonation level of SecurityIdentification. This could lead to erratic behaviors
as well as potential impersonation escalation.

Fix the aforementioned issues by avoiding a double reference and properly assign
the impersonation level to SecurityIdentification if the server is not able to
impersonate the target client.
2023-06-09 11:53:55 +02:00
George Bișoc
f483e42f89
[NTOS:SE] Grant the SYSTEM process the missing privileges
- Add the missing privileges to the SYSTEM privileges which might be needed,
notably SeUndockPrivilege, SeManageVolumePrivilege, SeCreateGlobalPrivilege and
SeImpersonatePrivilege.

Specifically SeImpersonatePrivilege is important here because with it we
allow system components of the core OS to perform certain system tasks.

- Declare the Groups array with a maximum of 3 elements in SepCreateSystemProcessToken
and 1 element in SepCreateSystemAnonymousLogonToken respectively, because previously
this array was oversized with most of free space left as a waste.

- Avoid hardcoding the size value of the Privilege array, instead initialize it
by hand and compute the exact number of elements with RTL_NUMBER_OF.
2023-06-09 11:53:51 +02:00
Hermès Bélusca-Maïto
0b695a6f70
[NTOS:IO] iorsrce.c: Add DBG traces for bus/device enumeration functions. 2023-06-04 21:40:08 +02:00
Hermès Bélusca-Maïto
2674e26cbb
[NTOS:IO] Reformat iorsrce.c, no functional code changes.
- Fix whitespace; add SAL annotations, doxygen documentation...

- Deduplicate the array of description strings corresponding to
  IO_QUERY_DEVICE_DATA_FORMAT.

- Unhardcode the "[3]" into 'IoQueryDeviceMaxData': the maximum number
  of device data queried.
2023-06-04 21:40:07 +02:00
Hermès Bélusca-Maïto
6db0d24fb6
Fix typo "managment" -> "management" in our codebase...
... except for 3rd-party code or "official" names.
2023-06-04 21:39:56 +02:00
George Bișoc
51279c3e44
[NTOS:SE] Refactor NtOpenThreadTokenEx
- Wrap most of the code into a new private routine, SepOpenThreadToken.
And properly fail gracefully if we fail to open a thread's token instead of just keeping going.

- Do not use the same thread object that we have referenced in NtOpenThreadTokenEx
to do a copy of the access token in case we can't open it directly.
Instead we must reference a new object with full access, solely used for
the purpose to do our required operations.

- Add debug prints

CORE-18986
2023-06-04 11:09:34 +02:00
George Bișoc
a389f8aa0c
[NTOS:SE] Make an access token effective after the end of token duplication
Removing any disabled privileges or groups in the middle of token dynamic
part allocation can pose problems. During the operation of making an access
token as effective, we are toying with the privileges and groups arrays
of the token.

After that we are allocating the dynamic part and set EndMem (the end tail
of the memory part) to that dynamic part, previously it was set to the
variable part. As a matter of fact we are making the token effective in
the middle where EndMem still points to VariablePart, thus DynamicPart
will end up with memory pool blocks butchered in the pool list.

Another problem, albeit not related to the DynamicPart corruption, is that
the code starts iterating over the UserAndGroups array from 0, which is
the actual user. One cannot simply remove the user from the array, so we
have to start looping right from the groups.

Move the token effective code part at the end of the SepDuplicateToken
function, which fixes the random pool corruptions caused by the butchered
DynamicPart.

CORE-18986
2023-06-04 11:09:22 +02:00
Stanislav Motylkov
85ca8afb60
[NTOS:PNP] IopEnumerateDetectedDevices(): General refactoring
CORE-18962

- Deduplicate a while-loop by adding one more recursive call.
- Add IopMapDetectedDeviceId() helper function with a structure
  in order to reduce hardcoded constants and checks.
2023-05-27 12:22:57 +02:00
Hermès Bélusca-Maïto
b3c55b9e6c
[NTOS:LPC] Ensure debug-traced pointer-given user-mode data is captured. (#4399)
CORE-18098
2023-05-17 17:40:37 +02:00
Hermès Bélusca-Maïto
e4d572a432
[NTOS:LPC] Turn a DPRINT1 into an LPCTRACE. (#4399)
CORE-18098
2023-05-17 17:40:29 +02:00
Timo Kreuzer
15fbcc19b9 [NTOS:KE/x64] Fix KiConvertToGuiThread
- Do not allocate a new stack, if the thread already has a large one. This prevents the function from freeing a large stack as a normal stack and subsequently leaking system PTEs.
- Fix the check for failure of PsConvertToGuiThread (test eax, not rax, for being negative, because by default rax is zero extended from eax, not sign extended). This fixes an infinite loop on failure.
2023-05-16 22:03:13 +03:00
Stanislav Motylkov
059d12a5ac
[NTOS:PNP] IopEnumerateDetectedDevices(): Fix CmResourceList leak
CORE-18962
2023-05-10 20:29:29 +02:00
Stanislav Motylkov
6e3ad0411a
[NTOS:PNP] IopEnumerateDetectedDevices(): Formatting only
CORE-18962
2023-05-08 16:07:11 +02:00
Stanislav Motylkov
484c26d99f
[NTOS:PNP] Move Firmware Mapper functions into new file
CORE-18962
2023-05-08 16:07:01 +02:00
Dmitry Borisov
8df1b53508
[NTOS:CM] Initialize the alternative system architecture field on PC-98 builds (#5136)
This is needed by some 3rd party drivers.
CORE-17977
2023-05-05 18:04:35 +02:00
Timo Kreuzer
df72bcd06c [NTOS:KDBG] Only load symbols on x86
Symbol loading leads to a hang on x64 boot in 2nd stage and KDBG symbols don't work on x64 anyway.
2023-05-04 14:09:14 +03:00
George Bișoc
8e7b22a631
[NTOS:OB] Fix the SAL2 annotation of ObQueryTypeInfo
The data has to be written into ObjectTypeInfo based on the return length,
not only what is provided by the input buffer length. Fix suggested by
Hermès.
2023-04-22 17:18:57 +02:00
George Bișoc
00c69bcd15
[NTOS:OB] Properly calculate the return length in ObQueryTypeInfo
On a x86 system aligning the return length pointer to a 4-byte boundary
works best since pointers in general are 4-byte aligned for x86 systems.

However, what happens on a AMD64 system is that we still align this pointer
to 4-byte, ObjectTypeInfo is a 8-byte pointer and we might write into
the return length past the 4-byte boundary.

If one were to allocate a pool of memory with that length and query all
the object types info and free the said pool of memory thereafter, the
system will crash with BAD_POOL_HEADER because ObQueryTypeInfo overwrote
the return length past the 4-byte boundary length therefore leading up with
corrupted memory blocks in the pool header.

This symptom of BAD_POOL_HEADER happens exactly the same in Windows Server
2003 x64 Edition. Newer versions of Windows like 10 aren't affected.

But, Windows has another bug where they are using MaximumLength for the
calculation of the needed length to be returned to caller. MaximumLength
does not guarantee you that it includes the NULL-terminator in the length
and that potentially leads to a buffer overrun.

Also annotate the ObQueryTypeInfo function with SAL2.

https://processhacker.sourceforge.io/doc/object_8c_source.html (read the
comment in KphObjectTypeInformation).
2023-04-21 12:45:31 +02:00
Adam Słaboń
6eb8fe4f82
[NTOS:MM] MmCanFileBeTruncated: Check whether second (optional) parameter was passed (#5248)
Second parameter is optional, so mark it as such and check whether it was passed. Fixes a sporadic 0x24 bugcheck caused by access violation when running ReactOS on NTFS volume with WinXP ntfs.sys.
2023-04-19 23:12:11 +02:00
Timo Kreuzer
cb74d9e24e [NTOS/CC] Fix broken usage of _SEH2_FINALLY
Finally handlers are - unlike except blocks - not part of the function they are in, but separate functions, which are called during unwind. PSEH implements them on GCC using nested functions. While "return" from a finally handler is allowed with native SEH, it's handled by the compiler through an extra unwinding operation using _local_unwind, WHICH IS NOT SUPPORTED BY PSEH! With PSEH, returning from a finally handler does not return from the function, instead it will only return from the finally handler and the function will continue below the finally handler as if there was no return at all. To fix this, the return is removed and an additional success check is added.
Also use _SEH_VOLATILE to make sure the variable assignment is not optimized away by the compiler and add zero out the result parameters on error.
2023-04-14 11:56:08 +03:00
Timo Kreuzer
b2fcd27aaa [NTOS/CC] Fix calls to CcRosEnsureVacbResident
The function returns BOOLEAN, not NTSTATUS! Also wrap it in SEH, because it can throw an exception on failure.
2023-04-14 11:56:08 +03:00
Hermès Bélusca-Maïto
99b0e4b9a9
[NTOS:KDBG] Only use the direct KdbPrintf instead of KdbpPrint (pager) inside the exception handler (outside the debugger main loop). 2023-04-12 19:30:57 +02:00
Hermès Bélusca-Maïto
9808d32f4a
[NTOS:KDBG] Use local KdbPrintf function for DPRINT1 instead of DbgPrint...
... that would otherwise cause a debugger re-entry.

Also use KdbPuts/Printf instead of KdpDprintf that won't be available
once KDBG is moved out of it.
2023-04-12 19:30:56 +02:00
Hermès Bélusca-Maïto
f620ce7705
[NTOS:KDBG] Introduce local versions of KdpPrintString, KdpDprintf and KdpPromptString...
... since the original ones are internal to the kernel and won't be
available once KDBG is moved out of it.

Use these functions in the pager/prompt support.
2023-04-12 19:30:54 +02:00
Hermès Bélusca-Maïto
fdf4814ebb
[NTOS:KDBG] Correctly balance KeStackAttachProcess with KeUnstackDetachProcess, instead of KeDetachProcess. 2023-04-11 00:44:11 +02:00
Hermès Bélusca-Maïto
579eab8a31
[NTOS] Include kdbg/kdb.h only in the files that really need it. 2023-04-11 00:44:10 +02:00
Hermès Bélusca-Maïto
30369b8005
[NTOS] "Bugzilla" --> "Jira" 2023-04-05 03:33:41 +02:00
Hermès Bélusca-Maïto
dfc2cc4e42
[NTOS:KD] Fix buffer overflow for the signon in KdPortInitializeEx.
The built string can be:
°°Kernel Debugger: Serial port found: COM1 (Port 0x000003F8) BaudRate 115200°°°°
(with ° representing the \r and \n in the message)
and you can verify that this is more than 80 characters in total.
2023-04-05 03:33:39 +02:00
Hermès Bélusca-Maïto
2b27d08576
Grmbl... 2023-04-05 01:53:32 +02:00
Hermès Bélusca-Maïto
143f8549a5
[NTOS:IO] ... and fix build by adding missing header. 2023-04-05 01:45:32 +02:00
Hermès Bélusca-Maïto
4c6f7c01e5
[NTOS:IO] Avoid magic value in LdrProcessDriverModule. 2023-04-05 01:39:32 +02:00
Jérôme Gardou
573d579873
[NTOSKRNL] Flush file to disk when deleting file mappings (#4302)
CORE-17627
When closing a file, fastfat zeroes it out from ValidDataLength up to the end of the file.
The ValidDataLength field is updated when the file content is actually written to disk.
There is currently a race between the file-close path and the page out path, leading to potential file corruptions when the zeroing happens after the memory has been flushed to disk.

Fix this by actually flushing the file to disk when unmapping files, with file lock acquired. This way, the FS driver cannot zero out the tail of the file while we're actually flushing it to disk.
2023-04-01 23:56:49 +09:00
Hermès Bélusca-Maïto
1bb4167211
[NTOS:KD] Fix build, addendum to commit f3dd7133.
This one was more subtle because the prompt (KdIoReadLine) functionality
makes a call-back to KDBG own command history getter function KdbGetHistoryEntry.
It is planned for this to become a registered optional callback pointer.
2023-03-29 03:36:24 +02:00
Hermès Bélusca-Maïto
3c0ba6b22c
Fix build, addendum to commit 35180b3a 2023-03-29 02:55:06 +02:00
Hermès Bélusca-Maïto
35180b3ad2
[NTOS:KDBG] Isolate terminal and input-related routines from the rest of KDBG. (#5188)
This is done in preparation for moving all this functionality in a
separate KDTERM "KD Terminal Driver" DLL.

Additionally:

- Flush the terminal input before sending ANSI escape sequences.

- In KDBG pager, always use the correct reading-key function (the
  same used also for reading keys for a line of user input), and not
  the simplistic two-call KdbpGetCharSerial + KdbpTryGetCharSerial
  that would split the \r \n across calls.

- Call KdbpGetCommandLineSettings() in KdbInitialize() at BootPhase 0,
  which is indirectly called by KdDebuggerInitialize0(). And fix its
  command-line parsing too.
2023-03-29 02:42:31 +02:00
Hermès Bélusca-Maïto
f3dd713382
[NTOS:KD:KDBG] Isolate the read-line (prompt) functionality in a separate file.
Rename KdbpReadCommand as KdIoReadLine. Extract the last-command
repetition functionality out of KdIoReadLine and put it where it
belongs: only in the KDBG command main loop KdbpCliMainLoop.
2023-03-28 16:14:40 +02:00
Hermès Bélusca-Maïto
430d7ebb93
[NTOS:KDBG] Use KdbpSendCommandSerial() to send specific ANSI escape sequences.
Use this function instead of KdpDprintf(), otherwise, we send them to
**ALL** the display providers, including for example dmesg. Replaying
the listing with dmesg would then cause the terminal to misbehave later.
For example, it would send the answer of a "Query Device Attributes"
command, as the response to a query for terminal size...
2023-03-28 16:14:39 +02:00
Katayama Hirofumi MZ
3b82b8370d [NTOSKRNL] Fix build in Release; #include 'kd.h' 2023-03-28 17:20:42 +09:00
Hermès Bélusca-Maïto
412037a2e2
[NTOS:KD] Use local print-like functions for output, instead of the kernel-internal KdpDprintf.
Indeed, the latter won't be accessible once those KD IO functions
get moved out into a separate KDTERM.DLL.
2023-03-28 02:42:53 +02:00
Hermès Bélusca-Maïto
6084da8c84
[NTOS:KDBG] Move command history management in a separate file. Simplify duplicated code in KdbpReadCommand. 2023-03-27 23:31:34 +02:00
Hermès Bélusca-Maïto
eb02a85214
[NTOS:KD] Split internal/kd.h into a part shared in the whole kernel and a private part only used within ntoskrnl/kd. 2023-03-27 23:31:34 +02:00
Hermès Bélusca-Maïto
bfd07a02f1
[NTOS:KD] Update file headers. 2023-03-27 23:31:33 +02:00
Hermès Bélusca-Maïto
6fafe54f89
[NTOS:KD:KDBG] Move some files to a better place. 2023-03-27 23:31:28 +02:00
George Bișoc
29fc7bb33e
[NTOS:OB] Implement name information querying on ObjectBasicInformation case
Currently there is no implementation support for object name information
querying when someone queries information about an object with ObjectBasicInformation
class case. Some device drivers may take use of such information.

NameInfoSize is a size that is the sum of all name directories of an object,
including path separators. TypeInfoSize is a size that is pointed by
the size of a type object itself, therefore this size remains pretty much
fixed depending on the kind of an object.

For more information:
https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntobapi/object_basic_information.htm
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FType%20independed%2FNtQueryObject.html
2023-03-25 11:55:11 +01:00
Hermès Bélusca-Maïto
fe81656776
[NTOS:KD] DbgKdGetStringApi implementation: Ensure the returned string is NULL-terminated.
Addendum to commit 84e32e4e.

Explain more accurately what's going on regarding the returned string
and the inaccurate claims made in the official DbgPrompt documentation
in MSDN. (Has been verified by looking through the traffic in WinDbg
debugging of Windows and ReactOS.)
2023-03-22 19:58:01 +01:00
Hermès Bélusca-Maïto
9d9536d431
[NTOS:KD64] Format string of KdpDprintf can be const. 2023-03-22 19:57:59 +01:00
Hermès Bélusca-Maïto
942b0221e8
[NTOS:KDBG] Temporarily HACK-work-around symbols loading by disabling them at BootPhase 0.
Of course, now that we **correctly** set the LoadSymbools setting,
we attempt loading symbols at BootPhase 0 and everything goes awry!
So introduce that hack to fallback to our old behaviour.

A proper fix (and removal of the hack) will be done in future commits.
2023-03-20 03:10:14 +01:00
Hermès Bélusca-Maïto
934812c4b2
[NTOS:KDBG] Fix parsing the boot command line for the (NO)LOADSYMBOLS options.
Addendum to commit de892d5b.

The boot options get stripped of their optional command switch '/'
(and replaced by whitspace separation) by the NT loader. Also, forbid
the presence of space between the optional '=' character following
(NO)LOADSYMBOLS.

In addition, fix the default initialization of LoadSymbols in KdbSymInit():
we cannot rely on MmNumberOfPhysicalPages in BootPhase 0 since at this point,
the Memory Manager hasn't been initialized and this variable is not yet set.
(We are called by KdInitSystem(0) -> KdDebuggerInitialize0 at kernel init.)
It gets initialized later on between BootPhase 0 and 1.

Also display a nice KDBG signon showing the status of symbols loading.
2023-03-20 02:44:41 +01:00