On Friday 06 August 2010 19:03:57, Timo Kreuzer wrote:
Hi,
Please take care of proper protection of the user mode buffer. The current solution (probe and forget) is not safe.
Possibilities are:
1) SEH protected copying of the buffer, pass the copy of the buffer to lower level functions -> Easy to do, large overhead for large bitmaps.
2) SEH protected call to a lower level function, passing the user mode buffer. -> Not possible if the lower level function is either allocating any resources (unless also protected by SEH + finally) or can pass execution to 3rd party provided code, like drivers.
3) Be sure to have SEH at the lowest level (DIB) -> Not possible as the function might end up in a driver.
4) Use Mm to protect the buffer. Either with MmSecureVirtualMemory or double mapping using MmProbeAndLockPages + MmGetSystemAddressForMdlSafe.
I think 4 is the way to go. While the overhead of remapping should be relatively small compared to a full copy, we are still wasting large amounts of system address space. MmSecureVirtualMemory might at first sound like a good solution, but beware, it has some pitfalls. While it protects a memory range from being freed, it doesn't protect it from being paged out. That wouldn't be a problem, unless the memory is not backed by the page file, but let's say a network resource, which becomes unavailable after a page was paged out. In this case we would get an in-page error when trying to access the page, leading to a kernel crash. So unless we can be sure that the memory is backed by the page file, we need to additionally lock the pages into memory to be safe. Final thing to note is that MmSecureVirtualMemory is not implemented yet, but I hope with current work on the VAD code, we'll soon get a present (hint).
Regards, Timo
I'm OK for 4. Looking for MmSecureVirtualMemory to be implemented. Please note that for now, SURFACE::hSecure is hacked to be (HANDLE)1 so we can detect if the bitmap is a DIB. As now all **DIB** functions create a DIB, it will be secured in the process. Other bits can be PSEH-accessed during the DIB creation, as it is the only place it's used.
Regards. Jérôme.