Author: fireball
Date: Mon Aug 7 02:02:02 2006
New Revision: 23509
URL: http://svn.reactos.org/svn/reactos?rev=23509&view=rev
Log:
Relax restriction on the segment in NtSetLdtEntries(). Look into the diff for details. Thanks to Myria for providing information.
There were no reasons found which can prove that this change could lead to security issues.
Modified:
trunk/reactos/ntoskrnl/ke/i386/ldt.c
Modified: trunk/reactos/ntoskrnl/ke/i386/ldt.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ke/i386/ldt.c?rev…
==============================================================================
--- trunk/reactos/ntoskrnl/ke/i386/ldt.c (original)
+++ trunk/reactos/ntoskrnl/ke/i386/ldt.c Mon Aug 7 02:02:02 2006
@@ -58,8 +58,20 @@
SegLimit=(SegLimit << 12) | 0xfff;
}
- return ((Base + SegLimit > (ULONG) MmHighestUserAddress) ||
- (Base > Base+SegLimit) ? FALSE : TRUE);
+ if ((Base + SegLimit > (ULONG_PTR) MmHighestUserAddress) ||
+ (Base > Base+SegLimit))
+ {
+ DPRINT1("WARNING: Windows would mark this descriptor invalid!");
+ }
+
+ /*
+ Certain "DOS32" programs expect to be able to create DPMI selectors
+ that wrap the address space. Windows NT does not allow user-created
+ selectors to reach into kernel memory. However, there is no security
+ risk in allowing it; the page table will prevent access anyway.
+ */
+ return (/*(Base + SegLimit > (ULONG_PTR) MmHighestUserAddress) ||
+ (Base > Base+SegLimit) ? FALSE : TRUE*/ TRUE);
}
NTSTATUS STDCALL
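Review bot: The final return now yields TRUE unconditionally and carries the old range check as a comment inside the return expression, so the check above it is only a debug warning and every descriptor that reaches this point is accepted. Replace it with a plain return TRUE; and drop the commented-out expression, since the if block already records the old condition. The new comment's claim that there is no security risk holds only while the page tables are the sole barrier between user-created segments and kernel memory; state that assumption in the comment so that later code does not start relying on segment limits. The DPRINT1 string also lacks a trailing \n.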
Author: fireball
Date: Mon Aug 7 01:15:55 2006
New Revision: 23508
URL: http://svn.reactos.org/svn/reactos?rev=23508&view=rev
Log:
Goodbye REGISTRY_ERROR bsod!
- Change UserMode -> KernelMode in ObReferenceObject*() calls, because those calls failed
- Remove Cm-specific hack from Ob
"advapi32_winetest.exe registry" shows 0 failures on the first run and 2 failures on further runs.
I suppose there might be a leakage in the CM. To be investigated further (or wait till the complete Cm rewrite in October).
Modified:
trunk/reactos/ntoskrnl/cm/regobj.c
trunk/reactos/ntoskrnl/ob/obhandle.c
Modified: trunk/reactos/ntoskrnl/cm/regobj.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/cm/regobj.c?rev=2…
==============================================================================
--- trunk/reactos/ntoskrnl/cm/regobj.c (original)
+++ trunk/reactos/ntoskrnl/cm/regobj.c Mon Aug 7 01:15:55 2006
@@ -148,7 +148,7 @@
ObReferenceObjectByPointer(FoundObject,
STANDARD_RIGHTS_REQUIRED,
CmiKeyType,
- UserMode);
+ KernelMode);
if (End != NULL)
{
*End = L'\\';
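Review bot: The status returned by ObReferenceObjectByPointer() is still discarded at this call, so if the reference fails again, as the log says it did with UserMode, the code carries on with an unreferenced FoundObject. Capture the NTSTATUS and bail out on failure, and add a one-line comment saying why KernelMode is correct here, since the log only records that the UserMode calls failed, not why.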
@@ -790,7 +790,7 @@
ObReferenceObjectByPointer(ParentKey,
STANDARD_RIGHTS_REQUIRED,
CmiKeyType,
- UserMode);
+ KernelMode);
NewKey->ParentKey = ParentKey;
}
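Review bot: NewKey->ParentKey = ParentKey; runs whether or not the ObReferenceObjectByPointer() call above it succeeded, so a failed reference leaves NewKey holding a pointer it does not own. Check the returned status before the assignment. This reference is long-lived, so it also needs a matching ObDereferenceObject() when NewKey goes away; that path is not in this diff and is worth checking given the leak suspected in the log.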
Modified: trunk/reactos/ntoskrnl/ob/obhandle.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ob/obhandle.c?rev…
==============================================================================
--- trunk/reactos/ntoskrnl/ob/obhandle.c (original)
+++ trunk/reactos/ntoskrnl/ob/obhandle.c Mon Aug 7 01:15:55 2006
@@ -239,17 +239,8 @@
/* Dereference the object as well */
ASSERT(ObjectHeader->Type);
ASSERT(ObjectHeader->PointerCount != 0xCCCCCCCC);
- if (!wcscmp(ObjectHeader->Type->Name.Buffer, L"Key"))
- {
- //
- // WE DONT CLOSE REGISTRY HANDLES BECAUSE CM IS BRAINDEAD
- //
- DPRINT("NOT CLOSING THE KEY\n");
- }
- else
- {
- ObDereferenceObject(Body);
- }
+
+ ObDereferenceObject(Body);
/* Return to caller */
OBTRACE(OB_HANDLE_DEBUG,
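Review bot: With the Key special case removed, ObDereferenceObject(Body) now runs for registry keys on every handle close, so any Cm code that depended on the reference the old branch left behind can now see a key freed while it still holds a pointer. The 2 failures the log reports on repeat runs of the registry test should be checked for that case as well as for the suspected leak. A short comment here, or in the log, naming the Cm reference that now keeps an open key alive would make the pairing reviewable.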