Commit graph

93 commits

Author SHA1 Message Date
George Bișoc
fe23a4aaeb
[NTOS:CM] Lock the entire registry down when we unload a hive
The PR #6649 which fixed an issue with orphaned KCBs leaking in memory which also pointed to unloaded registry hives, it also brought a problem.
In CmpEnumerateOpenSubKeys there is a risk of getting hit by a deadlock as we enumerate the cache table to remove empty cache entries.

Fundamentally CmpEnumerateOpenSubKeys locks down a KCB from cache for exclusive use in order to tear down its contents from memory but it doesn't address the fact a KCB might have already been locked in the same calling thread, leading to a recursion.
This leads to random hangs when unloading a hive during system startup (tipically on a clean install).

The solution here is to simply lock the whole registry when we unload a hive so that we don't have to worry the KCBs are getting tampered by anybody else. This also simplifies the code.
Although locking the entire registry while other apps are doing registry related operations to other hives can cause overhead. If this turns out to be bad then we have to rethink the locking mechanism here.

CORE-19539
2024-06-01 16:17:47 +02:00
George Bișoc
5d0117de90
[NTOS:CM] Annotate CmUnloadKey with SAL2 2024-06-01 16:17:47 +02:00
Timo Kreuzer
4fb2fdbac6 [NTOS:CM] Properly unlock registry on failure in NtUnloadKey2 2024-05-23 21:21:35 +02:00
Gleb Surikov
fc6bf61e4c
[NTOS:CM] Avoid unnecessary ObDereferenceObject when handling an ObInsertObject failure (#6673)
In case of failure, ObInsertObject itself dereferences the object, so calling ObDereferenceObject one more time in the failure handler is redundant.

- Remove ObDereferenceObject call from CmpCreateRegistryRoot in case ObInsertObject fails.
- Add missing RootKey dereference if CmpCreateRegistryRoot failed to get the key cell (KeyCell).

CORE-17904
2024-03-30 22:10:17 +03:00
George Bișoc
7dd8a30cf9
[NTOS:CM] Remove orphaned KCBs of keys during normal hive unload
A hive whose KCBs have a reference count of 0, meaning nobody is using these keys anymore, will not get removed from the cache table.
As a result during a normal hive unloading operation you will get orphaned KCBs which results in an unload failure.

This is wrong, because this is what a normal hive unloading is supposed to do. What it cannot do of course is that it cannot
scramble the references of opened keys by the users who use the Registry, as it is the job of force unloading mechanism to do that.

Also remove a misleading debug print. Force unloading works as intended by scrambling the references of keys and marking the KCB for deletion,
which is what how a force unload works. Namely Windows does exactly that.

CORE-10705
2024-03-24 19:03:47 +01:00
George Bișoc
f1d2a44859
[NTOS:CM] Lock the cached KCB before removing it from cache entries
- Annotate the CmpEnumerateOpenSubKeys function with SAL2
- When removing an orphaned cached KCB, ensure that it is locked before clearing it from cache table entries
2024-03-24 19:03:43 +01:00
Hermès Bélusca-Maïto
feb67576dd
[NTOS:CM][CMLIB] In PE mode, allow registry hives (except system ones) to use read/write access.
+ Improve related comments.

Registry hives are opened in shared read access when NT is loaded in PE
mode (MININT) or from network (the hives residing on a network share).
This is true in particular for the main system hives (SYSTEM, SOFTWARE,
DEFAULT, ...).

However, in PE mode, we can allow other hives, e.g. those loaded by the
user (with NtLoadKey) to be loaded with full read/write access, since we
boot from a local computer.
2024-01-17 22:13:03 +01:00
Hermès Bélusca-Maïto
793ee786cd
[NTOS:CM] Initially start the registry in read-only mode.
Disable registry hive writes, until the IO subsystem is initialized
and disk access is enabled (when the SM signals so after AUTOCHK).
2024-01-17 22:09:45 +01:00
Hermès Bélusca-Maïto
76f1da5631
[NTOS:CM][CMLIB] Minor code styling
In particular remove some extra-parentheses around single code tokens,
and replace few "DPRINT1 + while (TRUE);" by UNIMPLEMENTED_DBGBREAK.

+ Improve some comments.
2024-01-17 22:09:37 +01:00
George Bișoc
f3141fb29e
[NTOS:CM] Implement support for alternate registry hives
Sometimes repairing a broken hive with a hive log does not always guarantee the hive
in question has fully recovered. In worst cases it could happen the LOG itself is even
corrupt too and that would certainly lead to a total unbootable system. This is most likely
if the victim hive is the SYSTEM hive.

This can be anyhow solved by the help of a mirror hive, or also called an "alternate hive".
Alternate hives serve the purpose as backup hives for primary hives of which there is still
a risk that is not worth taking. For now only the SYSTEM hive is granted the right to have
a backup alternate hive.

=== NOTE ===

Currently the SYSTEM hive can only base upon the alternate SYSTEM.ALT hive, which means the
corresponding LOG file never gets updated. When time comes the existing code must be adapted
to allow the possibility to use .ALT and .LOG hives simultaneously.
2023-11-19 20:44:29 +01:00
George Bișoc
27917c14ed
[NTOS:CM] Flush the dirty data to disk if the SYSTEM hive has been recovered by FreeLdr
If FreeLdr performed recovery against the SYSTEM hive with a log, all of its data is only present in volatile memory thus dirty. So the kernel is responsible to flush all the data that's been recovered within the SYSTEM hive into the backing storage.
2023-11-19 20:44:29 +01:00
George Bișoc
d2b8b9ec96
[NTOS:CM] Use the appropriate flags on functions that will call CmCheckRegistry & add missing CmCheckRegistry calls
In addition to that, in some functions like CmFlushKey, CmSaveKey and CmSaveMergedKeys we must validate the underlying hives as a matter of precaution that everything is alright and we don't fuck all the shit up.
2023-11-19 20:44:27 +01:00
George Bișoc
f33da480af
[SDK][CMLIB] Implement CmCheckRegistry and validation private helpers
CmCheckRegistry is a function that provides the necessary validation checks for a registry hive. This function usually comes into action when logs have been replayed for example, or when a registry hive internals have changed such as when saving a key, loading a key, etc.

This commit implements the whole Check Registry infrastructure (cmcheck.c) in CMLIB library for ease of usage and wide accessibility across parts of the OS. In addition, two more functions for registry checks are also implemented -- HvValidateHive and HvValidateBin.

Instead of having the CmCheckRegistry implementation in the kernel, it's better to have it in the Configuration Manager library instead (aka CMLIB). The benefits of having it in the library are the following:

- CmCheckRegistry can be used in FreeLdr to fix the SYSTEM hive
- It can be used on-demand in the kernel
- It can be used for offline registry repair tools
- It makes the underlying CmCheckRegistry implementation code debug-able in user mode

CORE-9195
CORE-6762
2023-11-19 20:44:27 +01:00
George Bișoc
bfcb28787d
[NTOS:CM] Disable hard errors when setting up a new size for a hive file / annotate CmpFileSetSize parameters with SAL
During a I/O failure of whatever kind the upper-level driver, namely a FSD, can raise a hard error and a deadlock can occur. We wouldn't want that to happen for particular files like hives or logs so in such cases we must disable hard errors before toying with hives until we're done.

In addition to that, annotate the CmpFileSetSize function's parameters with SAL.
2023-11-19 20:44:26 +01:00
George Bișoc
0d776beac9
[NTOS:CM] Ignore syncing/flushing requests after registry shutdown
When shutting down the registry of the system we don't want that the registry in question gets poked again, such as flushing the hives or syncing the hives and respective logs for example. The reasoning behind this is very simple, during a complete shutdown the system does final check-ups and stuff until the computer
shuts down.

Any writing operations done to the registry can lead to erratic behaviors. CmShutdownSystem call already invokes a final flushing of all the hives on the backing storage which is more than enough to ensure consistency of the last session configuration. So after that final flushing, mark HvShutdownComplete as TRUE indicating
that any eventual flushing or syncying (in the case where HvSyncHive gets called) request is outright ignored.
2023-11-19 20:44:26 +01:00
George Bișoc
50f367fa58
[NTOS:CM] Use COMPUTE_HASH_CHAR to compute the conv hash key
We have a dedicated macro definition for that so just use it.
2023-10-03 11:01:21 +02:00
George Bișoc
c0ea1f96ef
[NTOS:CM][DOCUMENTATION] Provide documentation for newly added functions 2023-10-01 20:06:03 +02:00
George Bișoc
f4de5ceb9e
[NTOS:CM] Implement cache lookup and cleanup subkey information for cache consistency
During an open or create procedure of a registry key, the registry parser grabs
a key control block (KCB) from the parser object and uses its information to do the
necessary work in order to obtain a pointer to the newly created or opened registry key.

However, the registry parsers faces several issues. First, we don't do subkey cache cleaning
information against gathered KCBs so whenever we do a registry parse we end up with KCBs
that have cache inconsistencies. Moreover we don't do any locking of whatever KCB we
are grabing during a parse procedure.

=== PROPOSED CHANGES ===

* Implement CmpComputeHashValue and CmpLookInCache functions. With CmpComputeHashValue we can
compute the convkey hashes of each subkey in the path name of a key so we can lock them
with CmpBuildAndLockKcbArray. CmpLookInCache is a function that searches for the suitable
KCB in the cache. The factors that determine if a KCB is "suitable" are:

-- the currently found KCB in the hash list has the same levels as that of the
given KCB from the parse object;

-- The key names from the computed hash values match with the block name of
the KCB;

-- The currently found KCB is not deleted.

The KCB will be changed if the key path name points to a partial match name in
the cache. The KCB from the parse object will be used if we have a full match
of remaining levels.

* Add missing CMP_LOCK_HASHES_FOR_KCB flags on CmpCreateKeyControlBlock calls
that create KCBs during a parse procedure. Such lock has to be preserved until
we're done with the registry parsing.

* On CmpDoCreateChild, preserve the exclusive lock of the KCB when we are
enlisting the key body.

* On CmpDoCreate, make sure that the passed parent KCB is locked exclusively and
lock the hiver flusher as we don't want the flusher to kick in during a key
creation on the given hive. Cleanup the subkey info when we're creating a key
object. Also implement missing cleanup path codes. Furthermore, avoid key
object creation if the parent KCB is protected with a read-only switch.

* Soft rewrite the CmpDoOpen function, namely how we manage a direct open vs
create KCB on open scenario. When a KCB is found in cache avoid touching
the key node. If the symbolic link has been resolved (aka found) then lock
exclusively the symbolic KCB. Otherwise just give the cached KCB to the caller.

If it were for the caller to request a KCB creation, we must check the passed
KCB from the parser object is locked exclusively, unlike on the case above
the caller doesn't want to create a KCB because there's already one in the cache.
We don't want anybody to touch our KCB while we are still toying with it during
its birth. Furthermore, enlist the key body but mind the kind of lock it's been
used.

* On CmpCreateLinkNode, avoid creating a key object if the parent KCB is protected
with a read-only switch. In addition, add missing hive flusher locks for both
the target hive and its child. Cleanup the subkey information of the KCB when
creating a link node, this ensures our cached KCB data remains consistent.

* Do a direct open on CmpParseKey if no remaining subkey levels have been found
during hash computation and cache lookup, in this case the given KCB is the
block that points to the exact key. This happens when for example someone tried
to call RegOpenKeyExW but submitting NULL to the lpSubKey argument parameter.

CORE-10581
ROSTESTS-198
2023-10-01 20:06:02 +02:00
George Bișoc
8cb56e77a6
[NTOS:CM] Do not call CmpSecurityMethod when assigning a security descriptor
CmpSecurityMethod is a method used by the Object Manager and called by this
subsystem whenever a security operation has to be done against a key object.

As CmpSecurityMethod is a specific OB construct we should not make any direct
call attempts to CmpSecurityMethod, only OB is responsible for that. This fixes
a deadlock where CmpSecurityMethod acquires a push lock for exclusive access
even though such lock is already acquired by the same calling thread in
CmpDoCreateChild.
2023-10-01 20:06:02 +02:00
George Bișoc
7fd6f86803
[NTOS:CM] Do not acquire a KCB lock twice when deleting a key object
This prevents a deadlock in DelistKeyBodyFromKCB when we delete a key
object because of an access check failure during a open procedure of a
registry key, as we are already holding a lock against the target KCB of
the key body.
2023-10-01 20:06:02 +02:00
George Bișoc
697a52aa33
[NTOS:CM] Do not acquire the lock twice when the Object Manager calls CmpSecurityMethod
Whenever a security request is invoked into a key object, such as when requesting
information from its security descriptor, the Object Manager will execute
the CmpSecurityMethod method to do the job.

The problem is that CmpSecurityMethod is not aware if the key control block
of the key body already has a lock acquired which means the function will attempt
to acquire a lock again, leading to a deadlock. This happens if the same
calling thread locks the KCB but it also wants to acquire security information
with ObCheckObjectAccess in CmpDoOpen.

Windows has a hack in CmpSecurityMethod where the passed KCB pointer is ORed
with a bitfield mask to avoid locking in all cases. This is ugly because it negates
every thread to acquire a lock if at least one has it.
2023-10-01 20:06:02 +02:00
George Bișoc
08fcf0c58b
[NTOS:CM] Implement locking/unlocking of KCBs in an array
The CmpUnLockKcbArray, CmpLockKcbArray and CmpBuildAndLockKcbArray routines
help us to lock KCBs within array so that information remains consistent when
we are doing a cache lookup during a parse procedure of the registry database.
2023-10-01 20:06:01 +02:00
Serge Gautherie
c84b5007d0
[NTOS:CM] Simplify CmpDelayAllocBucketLock code a bit (#5729)
- Remove duplicate CmpDelayAllocBucketLock definition.
- Remove an else.
2023-09-28 11:39:13 +02:00
Timo Kreuzer
ed06c06dcb [NTOS:CM] Fix lock leak
Triggered by low available pool memory during kmtest ExPools.
2023-09-23 18:34:00 +03:00
Hermès Bélusca-Maïto
4bdfee8e8b
[NTOS:EX] Initialize ExpResourceTimeoutCount also via the "Session Manager/ResourceTimeoutCount" registry value (#4089)
For more details, see
http://systemmanager.ru/win2k_regestry.en/29859.htm
https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/102985#ResourceTimeoutCount_REG_DWORD
2023-09-21 13:33:28 +02:00
Joachim Henze
195c491880 [NTOSKRNL] Mute some good-path log-spam, no functional change
Now that the Memory Management is a bit more under control again,
and branching releases/0.4.15 is near,
do mute some frequent log-spam that got introduced during 0.4.15-dev'ing
regarding lazy-flushes and MM balancing.
It frequently logged even while being idle.
Slightly improve the headers of the two touched files.
No rocket-science.
2023-09-06 14:53:53 +02:00
Joachim Henze
53b30e3f3b [NTOSKRNL][NTGDI] Formatting addendum, no functional change
I intend to port back the combined work of Thomas Faber and Serge Gautherie in context of CORE 14271.
Both developers fixed wrong retval evaluations for SeSinglePrivilegeCheck() and RtlCreateUnicodeString().
Both functions do return a BOOLEAN, and therefore using NTSTATUS() on them is wrong.
Those bugs have been fixed at multiple places. That is long gone.

But Serge fixed his locations a bit more elegantly, without the need for additional variables.
Therefore this addendum adapts a few of Thomas locations to the improved Serge-ified style.

Yes: I intentionally used a space instead of a minus after the mentioned CORE 14271,
as I don't want that pure stylistic addendum to be linked with the initial ticket anymore.
That would be overkill.
2023-08-01 22:32:25 +02:00
Hermès Bélusca-Maïto
6409f97bc4
[NTOS:CONFIG] Use correct "Interface" variable type; use InterfaceTypeUndefined instead of -1. 2023-06-25 21:25:06 +02:00
Dmitry Borisov
8df1b53508
[NTOS:CM] Initialize the alternative system architecture field on PC-98 builds (#5136)
This is needed by some 3rd party drivers.
CORE-17977
2023-05-05 18:04:35 +02:00
Hermès Bélusca-Maïto
30369b8005
[NTOS] "Bugzilla" --> "Jira" 2023-04-05 03:33:41 +02:00
George Bișoc
0bdae2114a
[NTOS:CM] Cleanup the hive in case linking it to master fails (#4969)
Currently the failure code path doesn't do any kind of cleanup against
the hive that was being linked to master. The cleanup is pretty
straightforward as you just simply close the hive file handles and free
the registry kernel structures.

CORE-5772
CORE-17263
CORE-13559
2023-01-03 16:48:03 +01:00
George Bișoc
9385830b33
[NTOS:CM] Enable verbose debug output of registry lazy flushing component
Log debug output of the lazy flusher as much information as possible so that we can examine how does the lazy flusher behave, since it didn't work for almost a decade. Verbose debugging will be disabled once we're confident enough the registry implementation in ReactOS is rock solid.
2022-12-23 19:45:25 +01:00
George Bișoc
578f2fc512
[NTOS:CM] Don't lazy flush the registry during unlocking operation
Whenever ReactOS finishes its operations onto the registry and unlocks it, a lazy flush is invoked to do an eventual flushing of the registry to the backing storage of the system. Except that... lazy flushing never comes into place.

This is because whenever CmpLazyFlush is called that sets up a timer which needs to expire in order to trigger the lazy flusher engine worker. However, registry locking/unlocking is a frequent occurrence, mainly when on desktop. Therefore as a matter of fact, CmpLazyFlush keeps removing and inserting the timer and the lazy flusher will never kick in that way.

Ironically the lazy flusher actually does the flushing when on USETUP installation phase because during text-mode setup installation in ReactOS the frequency of registry operations is actually less so the timer has the opportunity to expire and fire up the flusher.

In addition to that, we must queue a lazy flush when marking cells as dirty because such dirty data has to be flushed down to the media storage of the system. Of course, the real place where lazy flushing operation is done should be in a subset helper like HvMarkDirty that marks parts of a hive as dirty but since we do not have that, we'll be lazy flushing the registry during cells dirty marking instead for now.

CORE-18303
2022-12-23 19:45:13 +01:00
Thomas Faber
79b0fce5dc
[NTOS:CM] Consistently use synchronous I/O for registry hives.
Our current CmpFileRead/CmpFileWrite do not wait for completion,
so will cause stack corruption if used on files opened in async
mode.
2022-11-20 16:02:39 -05:00
Hermès Bélusca-Maïto
6ff0232368
[NTOS:CM] Adapt cmboot.c for usage in NT/ReactOS bootloader.
- Add a new cmboot.h header to isolate the boot-support definitions
  shared with the NT/ReactOS bootloader.

- Move CmpFreeDriverList() to cmboot.c so that we can use it for
  cleanup paths in the NT/ReactOS bootloader.

- CmpFindControlSet(): Directly build the control set name in UNICODE,
  instead of doing an ANSI->UNICODE conversion.

- Directly assign the CurrentControlSet\Services constant string,
  instead of going the route of init-empty-string + append-string.
  This is possible since that string is not modified later.

- Remove ASSERT(FALSE), replacing them with correct failure handling.

- Add cleanup paths in CmpAddDriverToList().

- Simplify and fix CmpFreeDriverList(): it's the full DriverNode
  that needs to be freed; not the LIST_ENTRY pointer.

- Add other validity checks:
  * Registry value types and data sizes;
  * For multi-strings, verify that they are NULL-terminated.
  * For (multi-)strings, check whether they are NULL-terminated before
    optionally removing their trailing NULL character from the count.
    Check also whether they are of zero-length and take appropriate
    action where necessary.

- Add CmpIsDriverInList() for future usage in CMBOOT compiled in
  bootloader mode.

- Add SAL annotations and Doxygen documentation.

- Add debug traces.

- Formatting / code style fixes.

** TODO: Fix SafeBoot support **
2022-04-16 18:37:45 +02:00
Hermès Bélusca-Maïto
ce641de1e0
[NTOS:CONFIG] Add missing HvGetCell casts. Addendum to a4cad7be6. 2022-03-27 19:38:53 +02:00
Hermès Bélusca-Maïto
a4cad7be6b
[SDK:CMLIB][MKHIVE][BOOT:ENVIRON][NTOS:CONFIG] Add missing HvGetCell casts. Replace some ASSERT(FALSE). 2022-03-27 18:37:16 +02:00
Stanislav Motylkov
77fd33c99c
[NTOS:CM] Refactor full CPU identifier values
Dedicated to Victor Perevertkin.
2022-01-05 18:28:40 +03:00
Stanislav Motylkov
84cc81ee29
[NTOS:KE/x64] Detect CPU vendor properly and store value in PRCB
Also generate processor identifier properly based on this value
on the Configuration Manager machine-dependent initialization.

Update processor driver INF file accordingly.

CORE-17970 CORE-14922
2022-01-05 18:28:40 +03:00
Victor Perevertkin
6ef6fabfc5
[FREELDR][NTOS][HALPPC][SDK] Remove PowerPC code
Remove PowerPC-related code from the kernel, HAL, SDK and
Freeloader.
2021-08-15 15:35:51 +03:00
Jérôme Gardou
d924cb8271 [NTOS:CONFIG] Do not ignore Rtl*String functions return value
CORE-17637
2021-06-28 10:20:57 +02:00
Victor Perevertkin
34593d933b
[FORMATTING][NTOS][HAL][DRIVERS][SDK] Fix trailing spaces 2021-06-11 15:33:08 +03:00
Jérôme Gardou
3adf450867 [REACTOS] Addendum to 5c7ce4475e - Fix MSVC 2015 build
Put data into PAGEDATA or INITDATA sections
Keep section declaration for prototypes

CORE-17540
2021-05-12 11:04:29 +02:00
Victor Perevertkin
f3e1697c2b
[NDK] DATA_SEG requires an extra #pragma on MSVC 2021-04-09 04:38:35 +03:00
Eric Kohl
9ff015f770 [NTOS:CM] Report key creation to the notify code 2021-02-21 15:49:06 +01:00
Stanislav Motylkov
f234cb6e59
[NTOS:CM] Do not create ProcessorNameString value if there is no Brand String
If the CPU does support CPUID instruction but does not have the Brand String,
the legacy name detection should be performed either in CIM_Processor (WMI),
in the Processor device driver, or in the application itself.

The deleted Intel CPU name detection code can go to the WMI at some point.
In fact Windows XP and 2003 kernels do not have any strings of that kind.

This effectively reverts the hack committed 6 years ago in 7a985425 (r63798)
that was intended to workaround CORE-7952.

CORE-17413
2020-12-30 19:38:41 +03:00
Victor Perevertkin
016dc28793
[NTOS:CONFIG] Release the lock in a failure case in CmLoadKey
This is a workaround, the real issue is still not resolved
CORE-17263
2020-12-08 13:44:27 +03:00
Victor Perevertkin
9eafb2971f
[NTOS:CONFIG] Comment out the assertion until fixed
CORE-17263
2020-12-05 22:17:08 +03:00
Thomas Faber
507c442473
[NTOS:CM] Implement support for KeyValuePartialInformationAlign64. CORE-17358 2020-11-14 15:11:00 +01:00
Victor Perevertkin
5c7ce4475e
[REACTOS] Cleanup INIT and some PAGE section allocations
- Change INIT_FUNCTION and INIT_SECTION to CODE_SEG("INIT") and DATA_SEG("INIT") respectively
- Remove INIT_FUNCTION from function prototypes
- Remove alloc_text pragma calls as they are not needed anymore
2020-11-02 21:45:31 +03:00