Commit graph

42 commits

Author SHA1 Message Date
Colin Finck c2c66aff7d Git conversion: Make reactos the root directory, move rosapps, rostests, wallpapers into modules, and delete rossubsys. 2017-10-03 07:45:34 +00:00
Alex Ionescu f8f8f5c96b [NDK]: Add OB_FLAG_KERNEL_EXCLUSIVE and OBJ_KERNEL_EXCLUSIVE flags
[NTOSKRNL]: Add a helper function such that user-mode cannot pass certain kernel-only object attributes to ObOpenObjectByPointer.
[NTOSKRNL]: Make \Device\PhysicalMemory OBJ_KERNEL_EXCLUSIVE
[NTOSKRNL]: Deny access to user-mode when opening a handle to an object with OBJ_KERNEL_EXCLUSIVE
[NTOSKRNL]: Fix NtOpenProcess, NtOpenThread, NtOpenThreadTokenEx, NtOpenProcessTokenEx to use the helper function. Should fix Rtl using OBJ_KERNEL_HANDLE in user-mode.
Thanks to ThFabba for finding out these bugs, and to hbelusca for adding a missing check to NtOpenProcessTokenEx.

svn path=/trunk/; revision=69340
2015-09-24 02:40:30 +00:00
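The two checks this commit describes (strip kernel-only object attributes from a user-mode caller, and refuse user-mode opens of an object that is kernel-exclusive) can be modelled in a few lines. The block below is an added example, not ReactOS code: the helper and object header are reduced to a toy, the OBJ_KERNEL_EXCLUSIVE and OB_FLAG_KERNEL_EXCLUSIVE values are assumed, and the policy of silently stripping OBJ_KERNEL_HANDLE from user mode (rather than failing the call) is a modelling choice that matches the "Rtl using OBJ_KERNEL_HANDLE in user-mode" note. The handle-table stand-in exists only to show why the strip matters: a user-mode caller that could pass OBJ_KERNEL_HANDLE would get a handle in the kernel table, which its own process cannot close or use.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the checks described in the commit, not ReactOS code. */
typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;
typedef long NTSTATUS;
#define STATUS_SUCCESS        0L
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022L)

/* OBJECT_ATTRIBUTES flags; OBJ_KERNEL_EXCLUSIVE's value and the set of
   "kernel-only" bits are assumptions of this model. */
#define OBJ_INHERIT            0x00000002u
#define OBJ_PERMANENT          0x00000010u
#define OBJ_EXCLUSIVE          0x00000020u
#define OBJ_CASE_INSENSITIVE   0x00000040u
#define OBJ_OPENIF             0x00000080u
#define OBJ_OPENLINK           0x00000100u
#define OBJ_KERNEL_HANDLE      0x00000200u
#define OBJ_KERNEL_EXCLUSIVE   0x00010000u
#define OBJ_VALID_ATTRIBUTES   (OBJ_INHERIT | OBJ_PERMANENT | OBJ_EXCLUSIVE | OBJ_CASE_INSENSITIVE | \
                                OBJ_OPENIF | OBJ_OPENLINK | OBJ_KERNEL_HANDLE | OBJ_KERNEL_EXCLUSIVE)
#define OBJ_KERNEL_ONLY        (OBJ_KERNEL_HANDLE | OBJ_KERNEL_EXCLUSIVE)

#define OB_FLAG_KERNEL_EXCLUSIVE 0x80u   /* object-header flag; value assumed */

typedef struct { const char *Name; uint32_t Flags; } OBJECT_HEADER_MODEL;

/* Toy handle tables: kernel handles carry the sign bit, as real NT kernel handles do. */
#define KERNEL_HANDLE_MARK 0x80000000u
static uint32_t next_user_handle = 4, next_kernel_handle = 4;

static uint32_t allocate_handle(uint32_t attrs)
{
    if (attrs & OBJ_KERNEL_HANDLE) {
        uint32_t h = next_kernel_handle; next_kernel_handle += 4;
        return h | KERNEL_HANDLE_MARK;      /* lives in the system handle table */
    }
    uint32_t h = next_user_handle; next_user_handle += 4;
    return h;                               /* lives in the caller's process table */
}

/* Helper modelled on the commit: a user-mode caller cannot pass kernel-only attributes.
   Unknown bits are dropped too, as the valid-attributes mask does. */
static uint32_t sanitize_handle_attributes(uint32_t attrs, KPROCESSOR_MODE mode)
{
    attrs &= OBJ_VALID_ATTRIBUTES;
    if (mode != KernelMode) attrs &= ~OBJ_KERNEL_ONLY;
    return attrs;
}

/* Stand-in for the open path: deny user mode on a kernel-exclusive object,
   then hand out a handle from the table the (sanitized) attributes select. */
static NTSTATUS open_object_by_pointer(const OBJECT_HEADER_MODEL *obj, uint32_t attrs,
                                       KPROCESSOR_MODE mode, uint32_t *handle)
{
    *handle = 0;
    attrs = sanitize_handle_attributes(attrs, mode);
    if (mode != KernelMode && (obj->Flags & OB_FLAG_KERNEL_EXCLUSIVE))
        return STATUS_ACCESS_DENIED;
    *handle = allocate_handle(attrs);
    return STATUS_SUCCESS;
}

/* Constructed objects: one flagged kernel-exclusive (as the commit does for
   \Device\PhysicalMemory), one ordinary. */
static const OBJECT_HEADER_MODEL PhysicalMemory = { "\\Device\\PhysicalMemory", OB_FLAG_KERNEL_EXCLUSIVE };
static const OBJECT_HEADER_MODEL PlainThread    = { "Thread", 0 };

static int user_can_open(const OBJECT_HEADER_MODEL *obj)
{
    uint32_t h;
    return open_object_by_pointer(obj, 0, UserMode, &h) == STATUS_SUCCESS;
}

static int handle_is_kernel(uint32_t attrs, KPROCESSOR_MODE mode)
{
    uint32_t h;
    open_object_by_pointer(&PlainThread, attrs, mode, &h);
    return (h & KERNEL_HANDLE_MARK) != 0;
}

int main(void)
{
    printf("user opens %s: %s\n", PhysicalMemory.Name, user_can_open(&PhysicalMemory) ? "ok" : "ACCESS_DENIED");
    printf("user opens %s: %s\n", PlainThread.Name, user_can_open(&PlainThread) ? "ok" : "ACCESS_DENIED");
    printf("user passes OBJ_KERNEL_HANDLE -> kernel handle? %d\n", handle_is_kernel(OBJ_KERNEL_HANDLE, UserMode));
    printf("kernel passes OBJ_KERNEL_HANDLE -> kernel handle? %d\n", handle_is_kernel(OBJ_KERNEL_HANDLE, KernelMode));
    return 0;
}
```

The order inside open_object_by_pointer is the point: attributes are sanitized before any decision is made on them, so a user-mode caller can neither land a handle in the kernel table nor reach an object the kernel has reserved for itself, while a kernel caller keeps both abilities.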
Timo Kreuzer 5c9eeb7616 [NTOSKRNL]
- Fix logic in PsReferenceEffectiveToken

svn path=/trunk/; revision=62206
2014-02-16 08:56:34 +00:00
Hermès Bélusca-Maïto cb93b06d35 [NTOS]
- Fix disabling impersonation in PsDisableImpersonation, and
- Fix how we do restore impersonation in NtOpenThreadTokenEx.
Patch by Thomas Faber,
CORE-7476 #comment Patch committed in revision 60301, thanks :). Please retest the bug.

svn path=/trunk/; revision=60301
2013-09-22 00:26:31 +00:00
Hermès Bélusca-Maïto 572d5fcaeb [NTOSKRNL]
Coverity code defects fixes :
- Cache: CID 701441
- Config: CIDs 716570, 716669, 716760
- Dbgk: Kdbg: CIDs 716571, 515128/9, 500432
- Ex: CIDs 500156/7, 515122, 716200/67, 701301, 514669
- Fsrtl: Fstub: CIDs 701341/2, 701288, 716770, 701302, and CIDs 716576/7/8 + 514636 + 716805 thanks to Thomas Faber
- Io: CIDs 514576, 514643, 514672/3, 716203, 716269, 716581, 716591, 716713
- Ke: CIDs 515125, 716592
- Ps: CIDs 716603/4, 701422
- Ob: Po: CIDs 514671/680, 701419/420/421, 716763, 716601/2
All the details are given in the different bug reports.

CORE-6677 CORE-6679 CORE-6680 CORE-6683 CORE-6686 CORE-6692 CORE-6693 CORE-6694 CORE-6695 CORE-6696 #comment Committed in rev.57400 #resolve #close

svn path=/trunk/; revision=57400
2012-09-27 17:16:31 +00:00
Alex Ionescu b3b73888b1 [NTOSKRNL]: Implement last bits of session space support (minus session pool). Processes now have a ->Session pointer! Implement and enable MmSessionId in a bunch of places.
[NTOSKRNL]: Set MiSessionSpaceWs address and use where needed.
[NTOSKRNL]: Initialize the session working set, and add support to MiLockWorkingSet and MiUnlockWorkingSet for session WS.
[NTOSKRNL]: Implement MiSessionAddProcess and MiSessionRemoveProcess, which do the work required for this.
[NTOSKRNL]: Fix IoGetIrpRequestorProcess.
In my private branch, MmMapViewInSessionSpace is working fine for the user and GDI heaps. Will enable after TestBot tests.

svn path=/trunk/; revision=57011
2012-08-01 07:54:37 +00:00
Thomas Faber 4b9b72182c [NTOSKRNL]
- Export SeTokenObjectType

svn path=/trunk/; revision=56376
2012-04-21 06:35:45 +00:00
Sir Richard fc4574d166 [NTOS]: No good deed goes unpunished. Continuing the novel/saga from a couple of days ago, it seems that now that impersonation works, various code paths are being tickled into existence. For example, it would seem parts of the system now attempt setting primary tokens. This would cause an assertion, since PspAssignPrimaryToken incorrectly dereferenced the token (leading to a double-dereference) due to an off-by-! mistake.
svn path=/trunk/; revision=46049
2010-03-10 04:12:25 +00:00
Sir Richard 6b007be4cd [NTOS]: While attempting to resuscitate the user-mode shutdown code in CSRSS (disabled since 2006), it seemed clear that one of the main steps is to obtain the caller's LUID in order to kill the right processes. This LUID is obtained from the current thread's token, and we know it's the caller's since we're supposed to impersonate the caller. Unfortunately, impersonation failed, making the whole process fail.
Impersonation failed because NtImpersonateThread was actually inverting the THREAD_IMPERSONATE rights, asking the client thread for the server's permissions, and vice versa. Fixing this resulted in yet another failure.
Analysis of this failure showed that even opening the server (ie: current) thread for THREAD_DIRECT_IMPERSONATION failed, which is unusual since the current thread should have access to all its rights. This is determined in PspCreateThread when the ETHREAD->GrantedAccess field is set.
Continuing onto this path, tracing revealed that GrantedAccess was merely 0x1607F and not 0x1F3FF as expected, meaning that not all rights were given, including the impersonate right (0x200), explaining the failure, but not the deeper reason behind it.
Attempting to identify which code path set this GrantedAccess, the SepAccessCheck routine came to light. A bug there caused MAXIMUM_ALLOWED accesses to fail in certain scenarios, such as when the object had no security descriptor, because MAXIMUM_ALLOWED would be granted as an absolute value, when instead it is a flag that should grant GENERIC_ALL. Fixing that bug, the failure continued.
Further analysis identified that the Administrators SID was being found with GENERIC_READ + WRITE + EXECUTE access, and no SID was found for GENERIC_ALL access. This happened when searching the system token's default DACL, which is assigned to the kernel (but for kernel-mode callers, this check was skipped), smss, winlogon, etc.
The code for creating this system token was heavily hacked, so the function to create the system token, as well as NtCreateToken, were refactored to use a common piece of token-creating code. Furthermore, the system token was correctly created with Local System as the user, and Administrators as one of the groups. Finally, SeDefaultDacl was used (already setup properly) instead of a badly configured Default DACL. The new shared code also correctly sets the SE_GROUP_ENABLED flag on all SE_GROUP_MANDATORY groups, and scans tokens to set the TOKEN_HAS_ADMIN_GROUP and TOKEN_HAS_TRAVERSE_PRIVILEGE flags which were not previously set.
With the correct system token and default DACL, the Local System SID was now found, but the failure continued. This was revealed to be due to an even deeper-rooted problem, as the SepIsSidInToken routine checked for SE_GROUP_ENABLED before listing a SID as "present". Although this is correct for actual groups, the User SID will never have the SE_GROUP_ENABLED flag as it is not a group. This caused any granted access ACE belonging to a user (instead of a group) to be ignored, causing either access check failures, or limited rights returned (in the MAXIMUM_ALLOWED case).
Upon fixing this bug, the NtImpersonateThread call finally returned success, since the rights were now correct. Promptly upon calling NtOpenThreadToken to query the LUID however, the system ASSERTED with FALSE.
The code at fault was a line in NtOpenThreadTokenEx which forcefully ASSERTed if the impersonation code path was taken, presumably because this was never tested, and ReactOS would actually always fail impersonation attempts due to the bugs fixed above. This routine was thus quickly reworked to fix some mistakes (such as forgetting to actually impersonate the client, incorrect referencing/dereferencing of thread/tokens, and assumptions about DACL creation success).
Having fixed the NtOpenThreadTokenEx routine, the LUID query now went through for the impersonated token, but soon caused a user-mode crash, due to an incorrect parameter reference in the CsrGetProcessLuid function in the csrsrv code by Alex (which I copy/pasted to reduce code duplication).
Fixing this final bug finally allowed the correct LUID to be queried and I was able to continue development of not-yet-committed user-mode shutdown code.

svn path=/trunk/; revision=46028
2010-03-09 10:35:58 +00:00
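Two of the bugs walked through above are worth seeing side by side in code: MAXIMUM_ALLOWED being treated as a concrete access bit instead of a flag that expands to the object's GENERIC_ALL mapping, and SepIsSidInToken demanding SE_GROUP_ENABLED on the user SID, which never carries it. The block below is an added example, not ReactOS's SepAccessCheck: SIDs are integers, the token is the UserAndGroups array with the user at index 0, the generic mapping and the default-DACL contents are constructed, and the `buggy_user_check` switch reproduces only the user-SID mistake so that the two outcomes the commit reports (rights limited under MAXIMUM_ALLOWED, a specific right refused outright) can be compared against the fixed behaviour. The deny-ACE handling goes beyond the commit's cases and follows the usual ordered-DACL rule: bits denied before they are allowed are removed from what a later allow can grant.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an ordered-DACL access check; not ReactOS code. */
#define GENERIC_READ      0x80000000u
#define GENERIC_WRITE     0x40000000u
#define GENERIC_EXECUTE   0x20000000u
#define GENERIC_ALL       0x10000000u
#define MAXIMUM_ALLOWED   0x02000000u
#define GENERIC_BITS      (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)

#define SE_GROUP_MANDATORY 0x1u
#define SE_GROUP_ENABLED   0x4u

typedef struct { uint32_t read, write, execute, all; } GENERIC_MAPPING;
typedef struct { uint32_t sid; uint32_t attributes; } SID_AND_ATTRIBUTES;   /* SIDs modelled as integers */
typedef struct {
    SID_AND_ATTRIBUTES user_and_groups[8];   /* index 0 is the user SID, as in TOKEN::UserAndGroups */
    int count;
} TOKEN;
enum { ACE_ALLOW, ACE_DENY };
typedef struct { int type; uint32_t sid; uint32_t mask; } ACE;

/* Expand generic bits through the object type's mapping and drop them. */
static uint32_t map_generic(uint32_t mask, const GENERIC_MAPPING *gm)
{
    if (mask & GENERIC_READ)    mask |= gm->read;
    if (mask & GENERIC_WRITE)   mask |= gm->write;
    if (mask & GENERIC_EXECUTE) mask |= gm->execute;
    if (mask & GENERIC_ALL)     mask |= gm->all;
    return mask & ~GENERIC_BITS;
}

/* Fixed rule: the user SID (index 0) has no SE_GROUP_ENABLED bit and is always present;
   groups count only when enabled. buggy_user_check=1 applies the group rule to the user too. */
static int sid_in_token(const TOKEN *t, uint32_t sid, int buggy_user_check)
{
    for (int i = 0; i < t->count; i++) {
        if (t->user_and_groups[i].sid != sid) continue;
        if (i == 0 && !buggy_user_check) return 1;
        if (t->user_and_groups[i].attributes & SE_GROUP_ENABLED) return 1;
    }
    return 0;
}

/* Returns 1 if access is granted and stores the granted mask; 0 otherwise. */
static int access_check(const TOKEN *t, const ACE *dacl, int n, const GENERIC_MAPPING *gm,
                        uint32_t desired, int buggy_user_check, uint32_t *granted)
{
    int want_max = (desired & MAXIMUM_ALLOWED) != 0;
    /* MAXIMUM_ALLOWED is a flag, not an access bit: it asks for everything GENERIC_ALL maps to. */
    uint32_t remaining = map_generic(desired & ~MAXIMUM_ALLOWED, gm) | (want_max ? gm->all : 0);
    uint32_t got = 0;
    for (int i = 0; i < n && remaining; i++) {
        if (!sid_in_token(t, dacl[i].sid, buggy_user_check)) continue;
        uint32_t m = map_generic(dacl[i].mask, gm);
        if (dacl[i].type == ACE_ALLOW) {
            got |= m & remaining;
            remaining &= ~m;
        } else {
            if (!want_max && (m & remaining)) { *granted = 0; return 0; }   /* a wanted bit is denied */
            remaining &= ~m;   /* denied bits can no longer be granted by a later allow */
        }
    }
    *granted = got;
    return want_max ? got != 0 : remaining == 0;
}

/* Constructed data: a thread-like mapping, a system-like token (user 1000, Administrators 544,
   Everyone 1) and a default DACL shaped like the one the commit describes. */
static const GENERIC_MAPPING ThreadLikeMapping = { 0x00020001u, 0x00020002u, 0x00120000u, 0x001F000Fu };
static const TOKEN SystemLikeToken = {
    { { 1000, 0 }, { 544, SE_GROUP_MANDATORY | SE_GROUP_ENABLED }, { 1, SE_GROUP_ENABLED } }, 3 };
static const ACE DefaultDacl[] = {
    { ACE_ALLOW, 1000, GENERIC_ALL },
    { ACE_ALLOW, 544,  GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE } };
static const ACE DenyFirstDacl[] = {
    { ACE_DENY,  1,    0x8u },          /* Everyone is denied one specific right */
    { ACE_ALLOW, 1000, GENERIC_ALL } };

/* Granted mask for SystemLikeToken against a DACL, or 0 when access is refused. */
static uint32_t granted_mask(const ACE *dacl, int n, uint32_t desired, int buggy_user_check)
{
    uint32_t g = 0;
    return access_check(&SystemLikeToken, dacl, n, &ThreadLikeMapping, desired, buggy_user_check, &g) ? g : 0;
}

int main(void)
{
    printf("MAXIMUM_ALLOWED, fixed user check: 0x%08X\n", granted_mask(DefaultDacl, 2, MAXIMUM_ALLOWED, 0));
    printf("MAXIMUM_ALLOWED, buggy user check: 0x%08X\n", granted_mask(DefaultDacl, 2, MAXIMUM_ALLOWED, 1));
    printf("specific 0x8,    fixed user check: 0x%08X\n", granted_mask(DefaultDacl, 2, 0x8u, 0));
    printf("specific 0x8,    buggy user check: 0x%08X\n", granted_mask(DefaultDacl, 2, 0x8u, 1));
    printf("MAXIMUM_ALLOWED with deny ACE first: 0x%08X\n", granted_mask(DenyFirstDacl, 2, MAXIMUM_ALLOWED, 0));
    return 0;
}
```

With the user-SID bug in place the user's GENERIC_ALL ACE is skipped and only the Administrators ACE contributes, so MAXIMUM_ALLOWED returns the read/write/execute subset and a request for a right outside that subset fails; with the fix the user ACE is honoured and the full mapping is granted. That is the "limited rights returned (in the MAXIMUM_ALLOWED case)" versus "access check failures" split the commit describes.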
Timo Kreuzer f9868fc771 Merge from amd64-branch:
34969 Some ULONG / SIZE_T fixes, handle amd64 in PspCreateThread
34986 Fix several 64 bit issues
35968 Fix Size parameter of CmpAllpcate (ULONG->SIZE_T).
35970 Fix pointer <-> ULONG cast
35971 Fix pointer <-> ULONG cast fixes
36332 fix 64 bit warnings
37435 Fix several ULONG/ULONG_PTR issues. Add a parameter to DefaultQueryInfoBufferCheck for ULONG_PTR/SIZE_T ResultLength
39522 ExInitializeSystemlookasideList: Use InitializeSListHead instead of directly accessing the members. ExpAllocateLocallyUniqueId: use InterlockedCompareExchange64 instead of non-portable ExfInterlockedCompareExchange64
37433 fix InterlockedExchangePointer usage
38105 Use KeGetCurrentPrcb() instead of KeGetPcr()->Prcb / KeGetPcr()->CurrentPrcb
39160 Use wbinvd instruction for amd64, too.

svn path=/trunk/; revision=45066
2010-01-13 22:35:43 +00:00
Stefan Ginsberg f11466d9c0 - Make use of _SEH2_YIELD in Ex, Io, Ob, Ps and Se.
- Don't call ExSystemExceptionFilter() if we know the caller is user mode.
- Get rid of a couple of dependencies on the NTSTATUS being initialized with STATUS_SUCCESS -- indicate success where proper instead.

svn path=/trunk/; revision=42942
2009-08-26 17:31:02 +00:00
KJK::Hyperion c086cc2302 Everything
Migrate ntoskrnl to PSEH 2.0. The code should speak for itself

modified   ntoskrnl/ex/atom.c
   _SEH_LEAVE was used improperly in NtQueryInformationAtom. As a free bonus, the upgrade to PSEH 2.0 (and to _SEH2_LEAVE) fixes the potential bug

modified   ntoskrnl/fsrtl/fastio.c
   Corrected exception filter logic

modified   ntoskrnl/include/internal/ex.h
   Goodbye _SEH_ExSystemExceptionFilter, you won't be missed

modified   ntoskrnl/include/internal/ntoskrnl.h
   Don't FORCEINLINE functions that use SEH, it's bad form and the compiler doesn't like

modified   ntoskrnl/ke/i386/usercall.c
   Dispatch the correct EXCEPTION_RECORD in case of exception inside KiInitializeUserApc

modified   ntoskrnl/ke/powerpc/exp.c
   Removed bogus, unused SEH code

modified   ntoskrnl/ntoskrnl-generic.rbuild
   Sources using PSEH 2.0 must be compiled with -fno-unit-at-a-time due to a GCC bug. See also http://gcc.gnu.org/bugzilla/show_bug.cgi?id=17982 and http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38054
   Apparently, -fno-unit-at-a-time makes GCC crash when using precompiled headers. Disable precompiled headers for ntoskrnl

svn path=/trunk/; revision=37615
2008-11-24 13:40:26 +00:00
Stefan Ginsberg 12f349df1d - Remove the (now deprecated) ntoskrnl/internal/debug.h header and fix all its includers to use the global debug.h
svn path=/trunk/; revision=35806
2008-08-30 16:31:06 +00:00
Stefan Ginsberg 13362ee99b - Remove KEBUGCHECK and KEBUGCHECKEX macros
- Replace "KeBugCheck(0)" by ASSERT(FALSE)
- Replace deprecated "CPRINT" by DPRINT1

svn path=/trunk/; revision=35600
2008-08-24 15:48:05 +00:00
Jeffrey Morlan ec8d684215 - PspSetPrimaryToken: Fix some incorrect object dereferencing.
- WlxStartApplication: Fix handle leaks.
- Make userinit.exe exit when it's done everything. No need to wait for explorer to exit first.

svn path=/trunk/; revision=35013
2008-08-01 16:54:14 +00:00
Alex Ionescu 9522e0a02b [25 bug fixes]:
- Implement KeReadStateThread.
- Fix PspTerminateProcess to handle case where there's no threads in the process.
- Fix check in PspTerminateProcess. ObClearProcessHandleTable gets called if there's a debug port, not if there's an object table.
- Simplify PspReapRoutine.
- Fix PspExitThread to wait for all other threads before continuing to kill the last thread. Should fix lots of race/wait conditions.
- PspExitThread should check for !DeadThread and not !Terminated before determining if it should free the TEB. Also, the DbgK handle should only be closed if the thread isn't already dead.
- Fixup formatting of some code to warn less on MSVC.
- Fail various APIs if acquiring rundown protection failed.
- Fix Process Quantum/Priority settings.
- Grant PROCESS_TERMINATE by default.
- Add PROCESS_SET_INFORMATION, STANDARD_RIGHTS_ALL and PROCESS_SET_QUOTA to the default process granted access mask.
- Initialize process/thread/image notification callbacks during phase 0 Ps initialization.
- The Audit Name belongs to the system process, not the idle process.
- Detect more failures in phase 0 startup.
- Fix various race conditions/incorrect checks in ps/security.c related to impersonation information. Also allow PspAssignPrimaryToken to be called directly with the token pointer and not only the handle.
- Wrap system thread startup stub in SEH and write a SEH filter function to print out debug information when a system thread dies unexpectedly.

svn path=/trunk/; revision=25504
2007-01-18 09:44:49 +00:00
Alex Ionescu 6d56cb39a6 - Fix dozens of missing typecast errors.
- Other MSVC/WDK compatibility fixes.

svn path=/trunk/; revision=24657
2006-10-26 01:49:51 +00:00
Alex Ionescu 78ef70deda - Fix one of the oldest hacks in ReactOS: KeGetCurrentThread() and PsGetCurrentProcess used to be NULL during early boot stage. We also didn't have an official idle thread/process. Also system initialization was not in its separate thread. Changes:
- Implemented SeAssignPrimaryToken.
   - Setup Boot/System Token for Idle Process in SeInit2.
   - Remove ROS hack in SeCaptureSubjectContextEx.
   - Call SeAssignPrimaryToken in PspInitializeProcessSecurity when called for the Initial Process creation.
   - Implement PsInitializeQuotaSystem and set PspDefaultQuotaBlock for the idle process so that it can be used for the initial process.
   - Rewrite Process Manager Phase 0 initialization from scratch, to create a new initial system process and thread which will be used for Phase 1 (in ROS, phase 2) initialization of the executive.
   - Fix a bug in PspCreateProcess which was using an uninitialized value of SectionObject in some cases, instead of NULL.
   - Call PsInitializeQuotaSystem from ObInit, and also create the system handle table inside the idle process, and make it the ObpKernelHandleTable.
   - Do Executive Phase 0 Initialization at APC_LEVEL.
   - Start idle thread at HIGH_PRIORITY then lower it to 0 once the Initial Thread is setup, so that it can run, then keep priority to 0 at DISPATCH_LEVEL and jump into idle loop code.
   - Add NtYieldExecution to idle loop code since it's now being used.
   - Fix IoGetCurrentProcess which was previously hacked.
   - Remove some checks for Thread == NULL in ke_x.h, since this is now impossible.
   - Split Phase 0/1 initialization in ex\init.c, since one runs in a separate thread now. Also don't lower IRQL to PASSIVE_LEVEL anymore (run at APC_LEVEL).

svn path=/trunk/; revision=24148
2006-09-16 20:37:49 +00:00
Hervé Poussineau 916f69a7cb Fix a missing reference in PsImpersonateClient (dereferenced in PsRevertThreadToSelf)
PspWriteTebImpersonationInfo may be used to set or to clear impersonation info => remove an extra assignment

svn path=/trunk/; revision=23715
2006-08-26 08:46:18 +00:00
Alex Ionescu 22917c0ebe - Properly disable impersonation in PsDisableImpersonation if it was previously enabled, instead of not disabling it. (fix a wrong check). Thanks to Arty.
svn path=/trunk/; revision=23588
2006-08-16 03:17:21 +00:00
Alex Ionescu 9b5a87cdac - Fix trace macro to print line number in decimal, not hex.
- Implement PspSetCrossThreadFlag and PspClearCrossThreadFlag and use them. Thanks to Thomas for the idea.
- Fix a bug in Fast Referencing, thanks to Thomas.

svn path=/trunk/; revision=23260
2006-07-23 21:38:31 +00:00
Magnus Olsen 6cf55b644f Patch from w3seek
svn path=/trunk/; revision=23253
2006-07-23 19:14:19 +00:00
Alex Ionescu a92eec4397 - SeAccessCheck should assume failure if no SD was passed. Also fixes bugcheck on startup since processes don't currently have SDs.
svn path=/trunk/; revision=23235
2006-07-23 07:24:20 +00:00
Alex Ionescu a818a86bf9 - Fixup PSTRACE to print much nicer output and actually work.
- Add tracing for security.c and kill.c.

svn path=/trunk/; revision=23234
2006-07-23 07:13:19 +00:00
Alex Ionescu 90ea51a96b - ImperstionationLocale -> ImpersonationLocale.
- Implement PspWriteTebImpersonationInfo for setting the impersonation locale and impersonation status in the TEB (since User-mode needs to read this value and we don't want to NtQueryInformationThread for it each time to read the ETHREAD flag).
- Complete the implementation of PspSetPrimaryToken to recalculate a process's access rights to itself based on a new primary token.
- Reorganize ps.h header like ob.h and io.h, implement Tracing support but not the tracing itself yet.
- Get rid of some deprecated cruft.

svn path=/trunk/; revision=23233
2006-07-23 05:43:28 +00:00
Alex Ionescu 59c6a927a2 - CT_ACTIVE_IMPERSTIONATION_INFO_BIT -> CT_ACTIVE_IMPERSONATION_INFO_BIT
- Added Process and Thread locking inlined functions for Ps Security functions.
- Thread safety is your friend! Huge rework of almost all the functions in ps/security.c to use the process/thread pushlocks and use interlocked operations when dealing with the ActiveImpersonationInfo thread flag.
- Added PAGED_CODE().
- Added checks for Processes with Jobs for the day that will happen.
- PsAssignImpersonationToken with a NULL token handle means simply to revert to self.
- Don't ignore the HandleAttributes in NtOpenProcessTokenEx.
- Use SeTokenType to make sure the token passed is an impersonation token.
- Remove some fixed bugs in krnlfun.c, add more TODOs.

svn path=/trunk/; revision=23231
2006-07-22 22:57:42 +00:00
Alex Ionescu db04986dce - Give winlogon SE_ASSIGNPRIMARYTOKEN_PRIVILEGE because it was lacking it and would fail under this kernel patch.
- PspAssignPrimaryToken was good enough for actually *assigning* the token, but when NtSetInfoProcess is called with ProcessPrimaryToken, we want to do a lot more than just randomly assigning it. Added PspSetPrimaryToken which first verifies if the token being assigned is a child token and if not, checks for SeAssignPrimaryTokenPrivilege. Also added a fixme for more code that's needed, to actually re-calculate the process's granted access towards itself. Also added thread-safety.

svn path=/trunk/; revision=23226
2006-07-22 16:03:12 +00:00
Alex Ionescu 3d6bddb98f [AUDIT] security.c is mostly composed of trivial implementations of APIs that transfer one set of data from another, or simply wrap around complex Se* functions which do the actual work. There are one or two slightly more complex APIs (~15-20 lines), but they were written by Eric/Thomas, who are well-known for always writing clean code.
[FORMATTING] Re-formatted file properly, ordered functions and annotated them, added proper programmer credits, etc.
- Pushlocks need to be acquired in a -critical-, not -guarded- region.
- PsDisableImpersonation should return FALSE if it was already disabled.
- Don't forget to reference the token in PsReferenceEffectiveToken.
- PsImpersonateClient should still return success if it was given no token.
- PsImpersonateClient should de-reference the token if there is already active impersonation info.

svn path=/trunk/; revision=23152
2006-07-18 15:13:55 +00:00
Alex Ionescu d2e356eda6 - Implement Fast Referencing and fix EX_FAST_REF definition.
- Implement ObReferenceEx and ObDereferenceEx.
- Split off ObpDeferObjectCompletion. A new win2003/vista API requires direct access to being able to defer deletes.
- Fix some bugs in Process Token management and make it all properly use Fast Referencing.
- When duplicating a token in a new process, don't de-reference it before it's even created, and also insert it.
- Change ExpChangeRundown macro to fix warnings in msvc.

svn path=/trunk/; revision=23013
2006-07-11 19:45:16 +00:00
Alex Ionescu f4539b7037 - Massive re-write of some parts of Ps, based on a patch I wrote almost a year ago and peer-reviewed with Thomas and Filip. Causes some shutdown regressions and process leaks (will fix). Needs more work. Changelog:
- Architectural changes to match information in Windows Internals 4 and other documented sources of information (Windows Internals II by Probert). Code should match Win2003 layout.
    - Handle almost any possible process/thread sub structure and add its cleanup code stubs, so that when we actually implement them, we won't forget to clean them up in the process code.
    - Add interlocked usage of process and thread flags in order to make everything more thread-safe.
    - Better handle cases where threads die instantly, race conditions, and other weird issues.
    - Better handle process termination and thread termination.
    - Implement NtCreateProcessEx and update PspCreateProcess/NtCreateProcess.
    - Improve cleanup of process object in PspProcessDelete.
    - Optimize some things like User Thread startup.
    - Add some extra asserts, paged_code checks and also user-mode security check.
    - Implement helper API PsGetNextProcessThread
    - Optimize thread reaper (thanks Filip)
    - Do proper referencing/dereferencing of thread/processes (thanks Thomas)
    - Document FIXMEs needed for Ps code to be up to standards and complete.

svn path=/trunk/; revision=22976
2006-07-09 18:54:13 +00:00
Alex Ionescu d2e5bfabe5 - Clone ObpCreateHandle to CmpCreateHandle. I am about to fix its implementation and since Cm* currently abuses Ob I feel it safer to give its own internal function.
- Make ObpCreateHandle internal to Ob as it should be. Change NtCreateProcessTokenEx to use ObOpenObjectByPointer, it has no business manually trying to create a handle. Same goes for ExpLoadInitialProcess.

svn path=/trunk/; revision=22264
2006-06-07 01:47:33 +00:00
Thomas Bluemel 656411d9b8 - support for kernel handles
- attach to owning process before accessing the handle table if necessary

svn path=/trunk/; revision=20038
2005-12-10 16:38:04 +00:00
Thomas Bluemel 0d70a37f3b - protect access to buffers in NtCreateThread and NtOpenThread
- fix incorrect usage of PSEH in NtCreateThread

svn path=/trunk/; revision=18859
2005-10-29 21:33:57 +00:00
Thomas Bluemel 5e348c00c1 - use inlined probing macros for basic types
- minor optimizations by comparing the processor mode against KernelMode (==0) instead of UserMode (==1)

svn path=/trunk/; revision=17467
2005-08-21 19:04:23 +00:00
Thomas Bluemel 10cd89fb4e - use inlined probing macros for basic types
- documented dozens of vulnerabilities in NtOpenThread, NtCreateThread and NtOpenProcess (owner may fix them)

svn path=/trunk/; revision=17462
2005-08-21 15:38:47 +00:00
Filip Navara 52f8761d3a Use W32API for NTOSKRNL.
svn path=/trunk/; revision=16053
2005-06-18 18:32:29 +00:00
Alex Ionescu 036efb7e10 Removed incorrect Create/DuplicationNotify callbacks and replaced by a more correct Open callback which is what a windows driver would get. This is needed because of some changes I'm trying to make to get Parse routines to work properly, so I had to add two hacks for now, they will be removed within 2-3 commits
svn path=/trunk/; revision=15293
2005-05-15 04:56:52 +00:00
Steven Edwards e4be245882 strip whitespace from end of lines
svn path=/trunk/; revision=15164
2005-05-09 01:38:29 +00:00
Alex Ionescu 8c4f9d3417 Update EPROCESS to latest version. Basic Fast Referencing Stubs to allow Token access. Needs to be implemented. Use ActiveProcessLinks instead of ros-specific list.
svn path=/trunk/; revision=15065
2005-05-06 22:54:40 +00:00
Alex Ionescu 7740536c18 Mini-merge from my local changes. Rewrite of Process Creation. Notable improvements:
- Subsystemization of Process Creation code. Memory code done by new Mm functions (not all used yet),
      Kernel code done by Ke*, etc.
    - Written to be compatible with the information in "Windows Internals".
    - Optimized and cleaned up.
    - ObInsertObject is now called at the end, fixing a plethora of wrong things that were covered with FIXMEs.
    - PEB is allocated with a Memory Area, and so will TEB soon, which allows 4KB allocation without 64KB granularity.
    - System DLL Mapping/Loading has been changed to be cached at system bootup, resulting in faster code.
    
Also changed Peb to report NT 5.0

NOTE: Messy, more to come soon. The full benefits of this patch won't be realized until the complete changes
      are in.

svn path=/trunk/; revision=14660
2005-04-18 00:42:31 +00:00
Thomas Bluemel 71cda6ad2a only return the token handle if creating it succeeded
svn path=/trunk/; revision=14316
2005-03-25 18:13:31 +00:00
Alex Ionescu eb54434d27 Thread/Process Termination/Reaping Rewrite + Fixes
---------------------------------------------------

    - ps/cid.c: 
            * Moved CID Lookup functions here
            
    - ps/security.c: 
            * Moved all security related functions here. Makes other files neater and security functions
              easier to locate.
              
    - ps/thread.c: 
            * Moved most of the Thread Scheduling/Dispatching code that belongs in the Kernel to /ke and
              renamed functions from Ps to Ki.
            * Implemented PsIsSystemThread.
            * Removed Reaper Thread Init (now obsolete).
            * Renamed PiDeleteThread to PspDeleteThread.
            * Moved Thread State functions from tinfo.c to here.
            
    - ps/process.c:
            * Removed Query/Set Process functions and moved to ps/query.c
            * Renamed PiDeleteProcess to PspDeleteProcess
            * Removed obsoleted Process Termination functions, moved persistent one to kill.c
    
    - ps/create.c:
            * Moved the security APIs to security.c
            * Correctly implemented PsCreateSystemThread to actually create system threads.
        
            
    - ps/suspend.c
            * Rewrote Nt Executive functions to use Kernel functions.
            * Moved Ps* Routines into ke/kthread.c and fixed them. The implementation was wrong in
              some aspects, especially the issue of the APC looping around the KeWaitXxx call and the
              fact that the routines excluded/ignored the FreezeCount.
            
    - ps/debug.c
            * Fixed completely broken implementation of Get/SetThreadContext. The old version crashed
              when called and did not work at all. Suspend Regression test now works.
            * Moved Context<->TrapFrame functions to ke/i386/
            * Combined Set/GetThreadContext APCs into a single one, and used special context structure.
            
    - ps/query.c:
            * Moved Thread/Process Query/Set Routines here.
            
    - ps/tinfo.c:
            * Removed.
            
    - ps/kill.c
            * Removed complicated Process Termination semantics and useless Attach/Detach in favor for
              a much more lightweight function which performs the same tasks as before and actually works.
              TaskManager can now terminate foreign processes.
            * Rewrote Thread Reaping to use the HyperCritical Work Queue instead of manually controlled
              thread. This results in much less code as well as an increase in speed and less micro
              management. The reaper is PspReapRoutine. Closing CMD.EXE now works properly without
              requiring masks that were added as hacks to allow it.
            * Renamed PiTerminateProcessThreads to PspTerminateProcessThreads. Fixed it to work with new
              termination code.
            * Added PspDeleteProcess to handle Process Object deletion. Kills the CID Handle here as done
              by Hartmut.
            * Added PspDeleteThread here.
            * Renamed and rewrote PsTerminateCurrentThread to PspExitThread. Used NT Implementation
              outlined in Windows Internals, Chapter 13. Uses fewer locks, a more concise order of actions,
              actually parses the Termination Ports, handles Dbgk notification. Timers are now rundown,
              and Mutex rundown is in a dedicated Kernel function. Final termination handled by
              KeTerminateThread as documented.
            * Renamed PsTerminateOtherThread to PspTerminateThreadByPointer and modified implementation to
              be compatible with the changes above.
            * Renamed and regrouped Process Termination into PspExitProcess. Also implemented as described
              above, and moved each subsystem specific termination helper into its own subsystem.
            * Improved NtTerminateProcess and added more debugging messages.
            * Improved NtTerminateThread and added check against System Thread and made it compatible with
              new implementation.
            * Corrected PsTerminateSystemThread now that we support System Threads.
            * Corrected NtRegisterThreadTerminatePort to use same structure name as on windows for the
              port, and added tag to pool allocation (documented in pooltag.txt)
    
    include/internal/*.h:
    
            * Defined Scheduler Functions and misc new functions or renamed functions.
            
    ke/apc.c:
    
            * Fixed critical bug where APCs were not delivered at all if the thread wastion and cancels any timers that are associated
              to a thread, as well as their APCs and DPCs.
      
    REGRESSIONS FOUND: NONE
    
    BUGS/REGRESSIONS FIXED:
                * Thread/Get Set Context now works.
                * Suspend Regression test now works.
                * Task manager can now kill foreign processes, even hung ones (like it should).
                * ExitProcess/closing cmd.exe with the 'x' button now works correctly without hacks.
      KNOWN ISSUES: I left a bit of a mess in the headers and some stuff still needs to be moved into the right 
                  places. I just wanted to have this first part ready first, so that it won't get too big.

svn path=/trunk/; revision=14174
2005-03-18 05:53:04 +00:00