https://git.reactos.org/?p=reactos.git;a=commitdiff;h=0129de218b6263301ed14…
commit 0129de218b6263301ed141795a8e5e45f03d6b39
Author: George Bișoc <george.bisoc(a)reactos.org>
AuthorDate: Mon Nov 1 20:35:21 2021 +0100
Commit: George Bișoc <george.bisoc(a)reactos.org>
CommitDate: Thu Nov 4 09:30:00 2021 +0100
[NTOS:SE] Mark the token as no longer belonging to admin group upon effective duplication
In a scenario where an access token belongs to the administrators group but the group is disabled (that is, SeAliasAdminsSid has no attributes or doesn't have SE_GROUP_ENABLED turned ON), the function removes this group from the token but the token still has the TOKEN_HAS_ADMIN_GROUP flag, which can lead to erratic behavior across the kernel and security modules -- implying that the token still belongs to the administrators group.
This is an oversight on my part.
---
ntoskrnl/se/token.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c
index 061c907957a..51ba71f8e22 100644
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@@ -1196,6 +1196,20 @@ SepDuplicateToken(
if (AccessToken->UserAndGroups[GroupsIndex].Attributes == 0 ||
(AccessToken->UserAndGroups[GroupsIndex].Attributes & SE_GROUP_ENABLED) == 0)
{
+ /*
+ * If this group is an administrators group
+ * and the token belongs to such group,
+ * we've to take away TOKEN_HAS_ADMIN_GROUP
+ * for the fact that's not enabled and as
+ * such the token no longer belongs to
+ * this group.
+ */
+ if (RtlEqualSid(SeAliasAdminsSid,
+ &AccessToken->UserAndGroups[GroupsIndex].Sid))
+ {
+ AccessToken->TokenFlags &= ~TOKEN_HAS_ADMIN_GROUP;
+ }
+
/*
* A group is not enabled, it's time to remove
* from the token and update the groups index
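Review bot: the RtlEqualSid call in the added block passes `&AccessToken->UserAndGroups[GroupsIndex].Sid`. If UserAndGroups is an array of SID_AND_ATTRIBUTES (the `.Attributes` access in the enclosing condition suggests it is), `.Sid` is already a PSID, and the `&` hands RtlEqualSid the address of the pointer field instead of the SID itself; since PSID is PVOID the compiler accepts this silently, so the comparison would never match and TOKEN_HAS_ADMIN_GROUP would never be cleared. Drop the `&` (or confirm that the field is an embedded SID rather than a pointer). The comment could also be tightened to "Clear TOKEN_HAS_ADMIN_GROUP: the Administrators group is disabled and is about to be removed from the token", which states the reason in one line.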
@@ -1203,6 +1217,7 @@ SepDuplicateToken(
*/
SepRemoveUserGroupToken(AccessToken, GroupsIndex);
GroupsIndex--;
+ continue;
}
}
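Review bot: the added `continue;` is the last statement of the if body and the loop body closes immediately after it, so it changes nothing; either drop it or, if it is meant as a guard so that code later added after this if block cannot run on a just-removed entry, say so in a comment. The `GroupsIndex--` after SepRemoveUserGroupToken depends on the loop increment to re-examine the entry that was shifted into this slot; that is correct, but a one-line comment would help, since the decrement reads like an off-by-one at first glance.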
@@ -1228,6 +1243,7 @@ SepDuplicateToken(
*/
SepRemovePrivilegeToken(AccessToken, PrivilegesIndex);
PrivilegesIndex--;
+ continue;
}
}
}
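Review bot: same as in the groups loop: this `continue;` sits at the end of the if body with the loop closing right after it, so it is a no-op; remove it or document it as a deliberate guard, and keep the two loops consistent either way.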
https://git.reactos.org/?p=reactos.git;a=commitdiff;h=9967d9aa4ce982308d7d9…
commit 9967d9aa4ce982308d7d9c00a6677313a5c1c9fa
Author: Hervé Poussineau <hpoussin(a)reactos.org>
AuthorDate: Sat Oct 30 11:10:08 2021 +0200
Commit: Hervé Poussineau <hpoussin(a)reactos.org>
CommitDate: Mon Nov 1 18:16:25 2021 +0100
[NTOS:IO] Do not crash when calling IopLegacyResourceAllocation with NULL ResourceRequirements
---
ntoskrnl/io/iomgr/iorsrce.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/ntoskrnl/io/iomgr/iorsrce.c b/ntoskrnl/io/iomgr/iorsrce.c
index 728832b1fca..d3e1abf3039 100644
--- a/ntoskrnl/io/iomgr/iorsrce.c
+++ b/ntoskrnl/io/iomgr/iorsrce.c
@@ -920,6 +920,15 @@ IopLegacyResourceAllocation(IN ARBITER_REQUEST_SOURCE AllocationType,
DPRINT1("IopLegacyResourceAllocation is halfplemented!\n");
+ if (!ResourceRequirements)
+ {
+ /* We can get there by calling IoAssignResources() with RequestedResources = NULL.
+ * TODO: not sure what we should do, but we shouldn't crash.
+ * */
+ UNIMPLEMENTED;
+ return STATUS_NOT_IMPLEMENTED;
+ }
+
Status = IopFixupResourceListWithRequirements(ResourceRequirements,
AllocatedResources);
if (!NT_SUCCESS(Status))
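Review bot: the early return on NULL ResourceRequirements avoids the NULL dereference in IopFixupResourceListWithRequirements, but the function now returns without touching AllocatedResources, so every caller must treat STATUS_NOT_IMPLEMENTED as a failure with its output untouched; check that IoAssignResources propagates the status instead of continuing as if resources had been assigned. The TODO can be resolved rather than left open: a NULL RequestedResources to IoAssignResources is documented as a request to release the device's previously assigned resources, so the correct behavior here is a release path (or an explicit, logged refusal), not an unimplemented stub. Minor style point: the comment closes with `* */` on its own line, which does not match the block-comment style used elsewhere in this file.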