Commit graph

1527 commits

Author SHA1 Message Date
George Bișoc
0972f71d9a
[NTOS:PNP] Assert the presence of a device extension when handling PnP root power IRPs
Handling PnP root driver power IRPs requires that a device object must come up
with a device extension to determine whether it is a function driver and if so,
handle the IRP accordingly.

CORE-18989
2023-06-18 20:44:13 +02:00
Hermès Bélusca-Maïto
84b4a80beb
[NTOS:IO] Fix some bugs in the IoQueryDeviceDescription helpers (#5320)
- Add missing ExAllocatePool NULL checks.

- Fix order of KeBugCheckEx parameters for PNP_DETECTED_FATAL_ERROR.

- The Controller and Peripheral numbers are zero-based, so if the caller
  wants to inspect controller (or peripheral) zero, let it be so!
  The original code was treating controller number zero for enumerating
  controllers of a given class within the different buses, which is
  wrong. See the diff'ed trace below.
  Tested with Windows' videoprt.sys VideoPortGetDeviceData().

```diff
 IoQueryDeviceDescription()
     BusType:          0xB093C224 (0)
     BusNumber:        0xB093C228 (0)
     ControllerType:   0xF9D01030 (19)
     ControllerNumber: 0xF9D01038 (0)
     PeripheralType:   0x00000000 (4294967295)
     PeripheralNumber: 0x00000000 (4294967295)
     CalloutRoutine:   0xF9CF74E4
     Context:          0xF9D5A340
 --> Query: 0xF9D5A22C

 IopQueryBusDescription(Query: 0xF9D5A22C)
     RootKey: '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM'
     RootKeyHandle: 0x00000598
     KeyIsRoot: TRUE
     Bus: 0xF9D5A290 (4294967295)
     Seen: 'CentralProcessor'
     Seen: 'FloatingPointProcessor'
     Seen: 'MultifunctionAdapter'
     SubRootRegName: '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter'

 IopQueryBusDescription(Query: 0xF9D5A22C)
     RootKey: '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter'
     RootKeyHandle: 0x00000590
     KeyIsRoot: FALSE
     Bus: 0xF9D5A290 (4294967295)
     Seen: '0'
     SubRootRegName: '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0'
     Getting bus value: 'Identifier'
     Getting bus value: 'Configuration Data'
     Getting bus value: 'Component Information'
     --> Getting device on Bus #0 : '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0'

 IopQueryDeviceDescription(Query: 0xF9D5A22C)
     RootKey: '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0'
     RootKeyHandle: 0x00000590
     Bus: 0
-    Enumerating controllers in '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\DisplayController'...
+    Getting controller #0
+    Retrieving controller '\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\DisplayController\0'
```
2023-06-14 11:20:56 +02:00
Stanislav Motylkov
7d5e159131 [NTOS:PNP] Assign correct PnP IDs to the devices detected by bootloader
Based on a commit by Vadim Galyant:
5ef5c11e7f

Also fix a minor type conversion warning. CORE-18963 CORE-17977

Co-authored-by: Vadim Galyant <vgal@rambler.ru>
2023-06-11 16:19:02 +03:00
Sophie Lemos
29a706fc5a [NTOS:PNP] Fix bug causing all devices be considered as already existing
We should compare against DeviceObject as DeviceInstance is never NULL.
Fix a resource leak as well. The bug CORE-18983 seems to lay somewhere
else though, I just stumbled upon this one while researching it.

Note there is a BSOD in the PnP manager on reboot after the driver
installation failure, but it seems it was uncovered by the fix
as opposed to caused by it.
2023-06-11 13:13:11 +03:00
George Bișoc
59e74584ac
[NTOS:SE] Refactor SeTokenCanImpersonate
- Refactor most of the code, since there's quite some stuff that don't make much sense.
For instance ImpersonationLevel is basically the requested impersonation level a
server asks for. PsImpersonateClient doesn't explicitly say that SecurityAnonymous
and SecurityIdentification are not allowed. If the server was to give such levels
it simply means it doesn't want to impersonate the client.

Another thing that doesn't make much sense is that we check if the client is
associated with an anonymous token, then avoid impersonating regular anonymous
tokens that weren't created by the system. Only system can create such tokens
and an anonymous token basically means a token with hidden security info.

- Check that the server is within the same client logon session.

- If the server is granted the SeImpersonatePrivilege privilege, allow impersonation
regardless of the conditions we want to check for.

- Update the documentation and code comments.
2023-06-09 11:53:56 +02:00
George Bișoc
8e2fe925f2
[NTOS:PS] Do not reference the copied token twice and properly assign the impersonation level in case the server can't impersonate
As it currently stands the PsImpersonateClient routine does the following approach.
If impersonation couldn't be granted to a client the routine will make a copy
of the client's access token. As it makes a copy of the said token PsImpersonateClient
will reference the copied token after impersonation info have been filled out.
In the same code path we are assigning the desired level for impersonation to thread
impersonation info.

This is wrong for two reasons:

- On a copy situation the SeCopyClientToken routine holds a reference as the object
has been created. Referencing it at the bottom of the PsImpersonateClient routine
will make it that the token is referenced twice and whenever a server stops
impersonation the token still has an extra reference count which keeps the token
still alive in object database and memory space.

- If client impersonation is not possible the thread impersonation info should
have been assigned SecurityIdentification level to further indicate that the
actual impersonation of the thread is not currently in force but instead we
are assigning the impersonation level that is supplied by the caller. For instance
if the requested level is SecurityDelegation but impersonation is not possible
the level will be assigned that of SecurityDelegation yet the token has an
impersonation level of SecurityIdentification. This could lead to erratic behaviors
as well as potential impersonation escalation.

Fix the aforementioned issues by avoiding a double reference and properly assign
the impersonation level to SecurityIdentification if the server is not able to
impersonate the target client.
2023-06-09 11:53:55 +02:00
George Bișoc
f483e42f89
[NTOS:SE] Grant the SYSTEM process the missing privileges
- Add the missing privileges to the SYSTEM privileges which might be needed,
notably SeUndockPrivilege, SeManageVolumePrivilege, SeCreateGlobalPrivilege and
SeImpersonatePrivilege.

Specifically SeImpersonatePrivilege is important here because with it we
allow system components of the core OS to perform certain system tasks.

- Declare the Groups array with a maximum of 3 elements in SepCreateSystemProcessToken
and 1 element in SepCreateSystemAnonymousLogonToken respectively, because previously
this array was oversized with most of free space left as a waste.

- Avoid hardcoding the size value of the Privilege array, instead initialize it
by hand and compute the exact number of elements with RTL_NUMBER_OF.
2023-06-09 11:53:51 +02:00
Hermès Bélusca-Maïto
0b695a6f70
[NTOS:IO] iorsrce.c: Add DBG traces for bus/device enumeration functions. 2023-06-04 21:40:08 +02:00
Hermès Bélusca-Maïto
2674e26cbb
[NTOS:IO] Reformat iorsrce.c, no functional code changes.
- Fix whitespace; add SAL annotations, doxygen documentation...

- Deduplicate the array of description strings corresponding to
  IO_QUERY_DEVICE_DATA_FORMAT.

- Unhardcode the "[3]" into 'IoQueryDeviceMaxData': the maximum number
  of device data queried.
2023-06-04 21:40:07 +02:00
Hermès Bélusca-Maïto
6db0d24fb6
Fix typo "managment" -> "management" in our codebase...
... except for 3rd-party code or "official" names.
2023-06-04 21:39:56 +02:00
George Bișoc
51279c3e44
[NTOS:SE] Refactor NtOpenThreadTokenEx
- Wrap most of the code into a new private routine, SepOpenThreadToken.
And properly fail gracefully if we fail to open a thread's token instead of just keeping going.

- Do not use the same thread object that we have referenced in NtOpenThreadTokenEx
to do a copy of the access token in case we can't open it directly.
Instead we must reference a new object with full access, solely used for
the purpose to do our required operations.

- Add debug prints

CORE-18986
2023-06-04 11:09:34 +02:00
George Bișoc
a389f8aa0c
[NTOS:SE] Make an access token effective after the end of token duplication
Removing any disabled privileges or groups in the middle of token dynamic
part allocation can pose problems. During the operation of making an access
token as effective, we are toying with the privileges and groups arrays
of the token.

After that we are allocating the dynamic part and set EndMem (the end tail
of the memory part) to that dynamic part, previously it was set to the
variable part. As a matter of fact we are making the token effective in
the middle where EndMem still points to VariablePart, thus DynamicPart
will end up with memory pool blocks butchered in the pool list.

Another problem, albeit not related to the DynamicPart corruption, is that
the code starts iterating over the UserAndGroups array from 0, which is
the actual user. One cannot simply remove the user from the array, so we
have to start looping right from the groups.

Move the token effective code part at the end of the SepDuplicateToken
function, which fixes the random pool corruptions caused by the butchered
DynamicPart.

CORE-18986
2023-06-04 11:09:22 +02:00
Stanislav Motylkov
85ca8afb60
[NTOS:PNP] IopEnumerateDetectedDevices(): General refactoring
CORE-18962

- Deduplicate a while-loop by adding one more recursive call.
- Add IopMapDetectedDeviceId() helper function with a structure
  in order to reduce hardcoded constants and checks.
2023-05-27 12:22:57 +02:00
Hermès Bélusca-Maïto
b3c55b9e6c
[NTOS:LPC] Ensure debug-traced pointer-given user-mode data is captured. (#4399)
CORE-18098
2023-05-17 17:40:37 +02:00
Hermès Bélusca-Maïto
e4d572a432
[NTOS:LPC] Turn a DPRINT1 into an LPCTRACE. (#4399)
CORE-18098
2023-05-17 17:40:29 +02:00
Timo Kreuzer
15fbcc19b9 [NTOS:KE/x64] Fix KiConvertToGuiThread
- Do not allocate a new stack, if the thread already has a large one. This prevents the function from freeing a large stack as a normal stack and subsequently leaking system PTEs.
- Fix the check for failure of PsConvertToGuiThread (test eax, not rax, for being negative, because by default rax is zero extended from eax, not sign extended). This fixes an infinite loop on failure.
2023-05-16 22:03:13 +03:00
Stanislav Motylkov
059d12a5ac
[NTOS:PNP] IopEnumerateDetectedDevices(): Fix CmResourceList leak
CORE-18962
2023-05-10 20:29:29 +02:00
Stanislav Motylkov
6e3ad0411a
[NTOS:PNP] IopEnumerateDetectedDevices(): Formatting only
CORE-18962
2023-05-08 16:07:11 +02:00
Stanislav Motylkov
484c26d99f
[NTOS:PNP] Move Firmware Mapper functions into new file
CORE-18962
2023-05-08 16:07:01 +02:00
Dmitry Borisov
8df1b53508
[NTOS:CM] Initialize the alternative system architecture field on PC-98 builds (#5136)
This is needed by some 3rd party drivers.
CORE-17977
2023-05-05 18:04:35 +02:00
Timo Kreuzer
df72bcd06c [NTOS:KDBG] Only load symbols on x86
Symbol loading leads to a hang on x64 boot in 2nd stage and KDBG symbols don't work on x64 anyway.
2023-05-04 14:09:14 +03:00
George Bișoc
8e7b22a631
[NTOS:OB] Fix the SAL2 annotation of ObQueryTypeInfo
The data has to be written into ObjectTypeInfo based on the return length,
not only what is provided by the input buffer length. Fix suggested by
Hermès.
2023-04-22 17:18:57 +02:00
George Bișoc
00c69bcd15
[NTOS:OB] Properly calculate the return length in ObQueryTypeInfo
On a x86 system aligning the return length pointer to a 4-byte boundary
works best since pointers in general are 4-byte aligned for x86 systems.

However, what happens on a AMD64 system is that we still align this pointer
to 4-byte, ObjectTypeInfo is a 8-byte pointer and we might write into
the return length past the 4-byte boundary.

If one were to allocate a pool of memory with that length and query all
the object types info and free the said pool of memory thereafter, the
system will crash with BAD_POOL_HEADER because ObQueryTypeInfo overwrote
the return length past the 4-byte boundary length therefore leading up with
corrupted memory blocks in the pool header.

This symptom of BAD_POOL_HEADER happens exactly the same in Windows Server
2003 x64 Edition. Newer versions of Windows like 10 aren't affected.

But, Windows has another bug where they are using MaximumLength for the
calculation of the needed length to be returned to caller. MaximumLength
does not guarantee you that it includes the NULL-terminator in the length
and that potentially leads to a buffer overrun.

Also annotate the ObQueryTypeInfo function with SAL2.

https://processhacker.sourceforge.io/doc/object_8c_source.html (read the
comment in KphObjectTypeInformation).
2023-04-21 12:45:31 +02:00
Adam Słaboń
6eb8fe4f82
[NTOS:MM] MmCanFileBeTruncated: Check whether second (optional) parameter was passed (#5248)
Second parameter is optional, so mark it as such and check whether it was passed. Fixes a sporadic 0x24 bugcheck caused by access violation when running ReactOS on NTFS volume with WinXP ntfs.sys.
2023-04-19 23:12:11 +02:00
Timo Kreuzer
cb74d9e24e [NTOS/CC] Fix broken usage of _SEH2_FINALLY
Finally handlers are - unlike except blocks - not part of the function they are in, but separate functions, which are called during unwind. PSEH implements them on GCC using nested functions. While "return" from a finally handler is allowed with native SEH, it's handled by the compiler through an extra unwinding operation using _local_unwind, WHICH IS NOT SUPPORTED BY PSEH! With PSEH, returning from a finally handler does not return from the function, instead it will only return from the finally handler and the function will continue below the finally handler as if there was no return at all. To fix this, the return is removed and an additional success check is added.
Also use _SEH_VOLATILE to make sure the variable assignment is not optimized away by the compiler and add zero out the result parameters on error.
2023-04-14 11:56:08 +03:00
Timo Kreuzer
b2fcd27aaa [NTOS/CC] Fix calls to CcRosEnsureVacbResident
The function returns BOOLEAN, not NTSTATUS! Also wrap it in SEH, because it can throw an exception on failure.
2023-04-14 11:56:08 +03:00
Hermès Bélusca-Maïto
99b0e4b9a9
[NTOS:KDBG] Only use the direct KdbPrintf instead of KdbpPrint (pager) inside the exception handler (outside the debugger main loop). 2023-04-12 19:30:57 +02:00
Hermès Bélusca-Maïto
9808d32f4a
[NTOS:KDBG] Use local KdbPrintf function for DPRINT1 instead of DbgPrint...
... that would otherwise cause a debugger re-entry.

Also use KdbPuts/Printf instead of KdpDprintf that won't be available
once KDBG is moved out of it.
2023-04-12 19:30:56 +02:00
Hermès Bélusca-Maïto
f620ce7705
[NTOS:KDBG] Introduce local versions of KdpPrintString, KdpDprintf and KdpPromptString...
... since the original ones are internal to the kernel and won't be
available once KDBG is moved out of it.

Use these functions in the pager/prompt support.
2023-04-12 19:30:54 +02:00
Hermès Bélusca-Maïto
fdf4814ebb
[NTOS:KDBG] Correctly balance KeStackAttachProcess with KeUnstackDetachProcess, instead of KeDetachProcess. 2023-04-11 00:44:11 +02:00
Hermès Bélusca-Maïto
579eab8a31
[NTOS] Include kdbg/kdb.h only in the files that really need it. 2023-04-11 00:44:10 +02:00
Hermès Bélusca-Maïto
30369b8005
[NTOS] "Bugzilla" --> "Jira" 2023-04-05 03:33:41 +02:00
Hermès Bélusca-Maïto
dfc2cc4e42
[NTOS:KD] Fix buffer overflow for the signon in KdPortInitializeEx.
The built string can be:
°°Kernel Debugger: Serial port found: COM1 (Port 0x000003F8) BaudRate 115200°°°°
(with ° representing the \r and \n in the message)
and you can verify that this is more than 80 characters in total.
2023-04-05 03:33:39 +02:00
Hermès Bélusca-Maïto
2b27d08576
Grmbl... 2023-04-05 01:53:32 +02:00
Hermès Bélusca-Maïto
143f8549a5
[NTOS:IO] ... and fix build by adding missing header. 2023-04-05 01:45:32 +02:00
Hermès Bélusca-Maïto
4c6f7c01e5
[NTOS:IO] Avoid magic value in LdrProcessDriverModule. 2023-04-05 01:39:32 +02:00
Jérôme Gardou
573d579873
[NTOSKRNL] Flush file to disk when deleting file mappings (#4302)
CORE-17627
When closing a file, fastfat zeroes it out from ValidDataLength up to the end of the file.
The ValidDataLength field is updated when the file content is actually written to disk.
There is currently a race between the file-close path and the page out path, leading to potential file corruptions when the zeroing happens after the memory has been flushed to disk.

Fix this by actually flushing the file to disk when unmapping files, with file lock acquired. This way, the FS driver cannot zero out the tail of the file while we're actually flushing it to disk.
2023-04-01 23:56:49 +09:00
Hermès Bélusca-Maïto
1bb4167211
[NTOS:KD] Fix build, addendum to commit f3dd7133.
This one was more subtle because the prompt (KdIoReadLine) functionality
makes a call-back to KDBG own command history getter function KdbGetHistoryEntry.
It is planned for this to become a registered optional callback pointer.
2023-03-29 03:36:24 +02:00
Hermès Bélusca-Maïto
3c0ba6b22c
Fix build, addendum to commit 35180b3a 2023-03-29 02:55:06 +02:00
Hermès Bélusca-Maïto
35180b3ad2
[NTOS:KDBG] Isolate terminal and input-related routines from the rest of KDBG. (#5188)
This is done in preparation for moving all this functionality in a
separate KDTERM "KD Terminal Driver" DLL.

Additionally:

- Flush the terminal input before sending ANSI escape sequences.

- In KDBG pager, always use the correct reading-key function (the
  same used also for reading keys for a line of user input), and not
  the simplistic two-call KdbpGetCharSerial + KdbpTryGetCharSerial
  that would split the \r \n across calls.

- Call KdbpGetCommandLineSettings() in KdbInitialize() at BootPhase 0,
  which is indirectly called by KdDebuggerInitialize0(). And fix its
  command-line parsing too.
2023-03-29 02:42:31 +02:00
Hermès Bélusca-Maïto
f3dd713382
[NTOS:KD:KDBG] Isolate the read-line (prompt) functionality in a separate file.
Rename KdbpReadCommand as KdIoReadLine. Extract the last-command
repetition functionality out of KdIoReadLine and put it where it
belongs: only in the KDBG command main loop KdbpCliMainLoop.
2023-03-28 16:14:40 +02:00
Hermès Bélusca-Maïto
430d7ebb93
[NTOS:KDBG] Use KdbpSendCommandSerial() to send specific ANSI escape sequences.
Use this function instead of KdpDprintf(), otherwise, we send them to
**ALL** the display providers, including for example dmesg. Replaying
the listing with dmesg would then cause the terminal to misbehave later.
For example, it would send the answer of a "Query Device Attributes"
command, as the response to a query for terminal size...
2023-03-28 16:14:39 +02:00
Katayama Hirofumi MZ
3b82b8370d [NTOSKRNL] Fix build in Release; #include 'kd.h' 2023-03-28 17:20:42 +09:00
Hermès Bélusca-Maïto
412037a2e2
[NTOS:KD] Use local print-like functions for output, instead of the kernel-internal KdpDprintf.
Indeed, the latter won't be accessible once those KD IO functions
get moved out into a separate KDTERM.DLL.
2023-03-28 02:42:53 +02:00
Hermès Bélusca-Maïto
6084da8c84
[NTOS:KDBG] Move command history management in a separate file. Simplify duplicated code in KdbpReadCommand. 2023-03-27 23:31:34 +02:00
Hermès Bélusca-Maïto
eb02a85214
[NTOS:KD] Split internal/kd.h into a part shared in the whole kernel and a private part only used within ntoskrnl/kd. 2023-03-27 23:31:34 +02:00
Hermès Bélusca-Maïto
bfd07a02f1
[NTOS:KD] Update file headers. 2023-03-27 23:31:33 +02:00
Hermès Bélusca-Maïto
6fafe54f89
[NTOS:KD:KDBG] Move some files to a better place. 2023-03-27 23:31:28 +02:00
George Bișoc
29fc7bb33e
[NTOS:OB] Implement name information querying on ObjectBasicInformation case
Currently there is no implementation support for object name information
querying when someone queries information about an object with ObjectBasicInformation
class case. Some device drivers may take use of such information.

NameInfoSize is a size that is the sum of all name directories of an object,
including path separators. TypeInfoSize is a size that is pointed by
the size of a type object itself, therefore this size remains pretty much
fixed depending on the kind of an object.

For more information:
https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntobapi/object_basic_information.htm
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FType%20independed%2FNtQueryObject.html
2023-03-25 11:55:11 +01:00
Hermès Bélusca-Maïto
fe81656776
[NTOS:KD] DbgKdGetStringApi implementation: Ensure the returned string is NULL-terminated.
Addendum to commit 84e32e4e.

Explain more accurately what's going on regarding the returned string
and the inaccurate claims made in the official DbgPrompt documentation
in MSDN. (Has been verified by looking through the traffic in WinDbg
debugging of Windows and ReactOS.)
2023-03-22 19:58:01 +01:00