VC1 Linker fills BSS.SizeOfRawData with data in IMAGE_OPTIONAL_HEADER.SizeOfUninitializedData but keeps PointerToRawData to zero.
Fixes CORE-18797 and some duplicates of that. (Apps, e.g. Doom95, compiled with Watcom-C-compilers wouldn't run otherwise.)
which regressed by
0.4.10-dev-136-g c7eb46d9fd
fix picked from
0.4.15-dev-5589-g 0d4a8d0ea6
----------
Port back also some unrelated formatting-improvements within section.c, e.g.: return(xyz) -> return xyz
A *partial* port of
0.4.15-dev-1793-g b7eb0fddf3
All releases/0.4.8 until and including releases/0.4.14 were affected by the following logspam
during shutdown:
(../ntoskrnl/mm/section.c:4839) SectionObject has ImageSection
triggered 2 times for bootcd, but triggered 83 times for livecd.
Today I found out by chance, that we started to trigger it with the switch from CDFS to CDFS_NEW with
0.4.8-dev-164-g ec6b3ecbe4
We 'suffered' from that logspam for many years now and it did never help us in any way.
And during 0.4.15-dev'ing with the MM rewrite, the logging was entirely removed in the NTOSKRNL.
Both most likely was introduced by activating feature
MiWriteProtectSystemImage() once.
Imho this feature is not stable yet, therefore I disable
it for releases.
Confirmation of reporters will have to be collected after
the commit.
Both problems most likely got visible by 0.4.12-dev-386-g
65dbfc2868
Master remains affected for now.
If no fix will appear during 0.4.14-dev'ing, then I will
commit this to master as well in 3months.
which caused images to be loaded up to MmHighestUserAddress,
thus overwriting the shared user page.
This is now fixed by using MM_HIGHEST_VAD_ADDRESS as the margin instead.
This commit allows again to load WIN32K.sys of Win2K3SP2
which regressed by SVN 67793 == git
3565260212
cherry picked from commit 0.4.14-dev-143-g
56da95671c
This allows setting the memory protection of the kernel's resource
section as will. MmMakeKernelResourceSectionWritable() is re-implemented
around this helper.
- MiLocateKernelSections(): Fix the calculation of MiKernelResourceEndPte,
MmPoolCodeEnd and MmPteCodeEnd.
- MmMakeKernelResourceSectionWritable(): Fix PTE looping upper limit;
use MI_MAKE_HARDWARE_PTE_KERNEL to build the updated read-write PTE.
- Introduce the MmMakeKernelResourceSectionWritable() helper for
making the kernel resource memory section writable, and use it
in KeGetBugMessageText(). Indeed, this latter function patches
in place the bugcheck resource message to trim any trailing
newlines before displaying the message on screen.
See also https://github.com/osresearch/uxen/blob/83bad53/dm/introspection-win7.c#L286
that mentions it too.
This fixes bugcheck text display (e.g. the MANUALLY_INITIATED_CRASH one)
when using (at least) MSVC-built ReactOS, avoiding a Page-Fault
exception during the bugcheck.
- Cover KeGetBugMessageText() in SEH since we are accessing kernel
resources that could also be corrupted in bugcheck scenarii, and we
don't want to further bugcheck.
- Fix newline trimming loop.
- KiDoBugCheckCallbacks():
* Wrap the bugcheck CallbackRoutine call in SEH.
* Add a FIXME concerning the need of further memory validation of CurrentRecord.
- Add a FIXME concerning the need to run the bugcheck-reason callbacks
with the KbCallbackReserved1 reason, in KeBugCheckWithTf().
Mentioned in http://blog.ptsecurity.com/2012/06/customizing-blue-screen-of-death.html
"Release" builds should not BSoD on 'Freeing pool - invalid tag specified' case,
this is compatible with Windows behaviour.
Nothing changes otherwise concerning the "Debug" builds, where pool-tag mismatch
triggers a BSoD as expected.
CORE-15446
- Correctly probe the FileName user pointer before capturing its contents.
- A paging file name with zero length is invalid too.
- Remember (TODO!) in the code that the lower bounds of the Safe*Size values
need to be checked too!
* The previous version was overcomplicated and broken and therefore disabled.
* The new version also enforces NX protection on x64.
* Now that protecting works, also protect the boot loaded images.
This allows avoiding one of the previous implementation limits:
leaked IRP not queued to a thread are now totally visible since
we look directly in the memory pool.
For now, it allows searching for pool allocations in
both paged and non paged pool.
It is based on Andreas Schuster work to identify POOL_HEADER
structures.
* Add an NDK header to define INIT_FUNCTION/INIT_SECTION globally
* Use _declspec(allocate(x)) and _declspec(code_seg(x)) on MSVC versions that support it
* Use INIT_FUNCTION on functions only and INIT_SECTION on data only (required by MSVC)
* Place INIT_FUNCTION before the return type (required by MSVC)
* Make sure declarations and implementations share the same modifiers (required by MSVC)
* Add a global linker option to suppress warnings about defined but unused INIT section
* Merge INIT section into .text in freeldr
Short: The code was suffering from an off-by-one bug (inconsistency between inclusive end exclusive end address), which could lead to freeing one page above the initialization code. This led to freeing part of the kernel import section on x64. Now it is consistently using the aligned/exclusive end address.
Long:
* Initialization sections are freed both for the boot loaded images as well as for drivers that are loaded later. Obviously the second mechanism needs to be able to run at any time, so it is not initialization code itself. For some reason someone decided though, it would be a smart idea to implement the code twice, once for the boot loaded images, once for drivers and concluding that the former was initialization code itself and had to be freed.
* Since freeing the code that frees the initialization sections, while it is doing that is not possible, it uses a "smart trick", initially skipping that range, returning its start and end to the caller and have the caller free it afterwards.
* The code was using the end address in an inconsistent way, partly aligning it to the start of the following section, sometimes pointing to the last byte that should be freed. The function that freed each chunk was assuming the latter (i.e. that the end was included in the range) and thus freed the page that contained the end address. The end address for the range that was returned to the caller was aligned to the start of the next section, and the caller used it to free the range including the following page. On x64 this was the start of the import section of ntoskrnl. How that worked on x86 I don't even want to know.
