Ros-diffs May 2021

ros-diffs@reactos.org

21 participants
183 discussions

[reactos] 03/08: [NTOSKRNL] Move the ICIF related code and stuff into a separate header file

by George Bișoc

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=39b266b7284a7df7fb91a… commit 39b266b7284a7df7fb91a08dc28cf5cd28d4cbcc Author: George Bișoc <george.bisoc(a)reactos.org> AuthorDate: Sun May 2 20:49:06 2021 +0200 Commit: George Bișoc <george.bisoc(a)reactos.org> CommitDate: Sun May 2 20:49:06 2021 +0200 [NTOSKRNL] Move the ICIF related code and stuff into a separate header file For easier accessibility for the APITESTs and whatnot. --- ntoskrnl/include/internal/icif.h | 41 ++++++++++++++++++++++++++++++++++++ ntoskrnl/include/internal/ntoskrnl.h | 35 +----------------------------- 2 files changed, 42 insertions(+), 34 deletions(-) diff --git a/ntoskrnl/include/internal/icif.h b/ntoskrnl/include/internal/icif.h new file mode 100644 index 00000000000..119958e54b4 --- /dev/null +++ b/ntoskrnl/include/internal/icif.h @@ -0,0 +1,41 @@ +/* + * PROJECT: ReactOS Kernel + * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later) + * PURPOSE: Internal header for information classes info interface + * COPYRIGHT: Copyright ??? + * Copyright 2020 George Bișoc <george.bisoc(a)reactos.org> + */ + +#pragma once + +/* + * Implement generic information class probing code in a + * separate header within the NT kernel header internals. + * This makes it accessible to other sources by including + * the header. + */ + +#define ICIF_NONE 0x0 +#define ICIF_QUERY 0x1 +#define ICIF_SET 0x2 +#define ICIF_QUERY_SIZE_VARIABLE 0x4 +#define ICIF_SET_SIZE_VARIABLE 0x8 +#define ICIF_SIZE_VARIABLE (ICIF_QUERY_SIZE_VARIABLE | ICIF_SET_SIZE_VARIABLE) + +typedef struct _INFORMATION_CLASS_INFO +{ + USHORT RequiredSizeQUERY; + UCHAR AlignmentQUERY; + USHORT RequiredSizeSET; + UCHAR AlignmentSET; + USHORT Flags; +} INFORMATION_CLASS_INFO, *PINFORMATION_CLASS_INFO; + +#define IQS_SAME(Type, Alignment, Flags) \ + { sizeof(Type), sizeof(Alignment), sizeof(Type), sizeof(Alignment), Flags } + +#define IQS(TypeQuery, AlignmentQuery, TypeSet, AlignmentSet, Flags) \ + { sizeof(TypeQuery), sizeof(AlignmentQuery), sizeof(TypeSet), sizeof(AlignmentSet), Flags } + +#define IQS_NONE \ + { 0, 0, 0, 0, ICIF_NONE } diff --git a/ntoskrnl/include/internal/ntoskrnl.h b/ntoskrnl/include/internal/ntoskrnl.h index f0c754ffa40..a49bfb9b57e 100644 --- a/ntoskrnl/include/internal/ntoskrnl.h +++ b/ntoskrnl/include/internal/ntoskrnl.h @@ -78,43 +78,10 @@ #include "vdm.h" #include "hal.h" #include "hdl.h" +#include "icif.h" #include "arch/intrin_i.h" #include <arbiter.h> -/* - * generic information class probing code - */ - -#define ICIF_QUERY 0x1 -#define ICIF_SET 0x2 -#define ICIF_QUERY_SIZE_VARIABLE 0x4 -#define ICIF_SET_SIZE_VARIABLE 0x8 -#define ICIF_SIZE_VARIABLE (ICIF_QUERY_SIZE_VARIABLE | ICIF_SET_SIZE_VARIABLE) - -typedef struct _INFORMATION_CLASS_INFO -{ - ULONG RequiredSizeQUERY; - ULONG RequiredSizeSET; - ULONG AlignmentSET; - ULONG AlignmentQUERY; - ULONG Flags; -} INFORMATION_CLASS_INFO, *PINFORMATION_CLASS_INFO; - -#define ICI_SQ_SAME(Type, Alignment, Flags) \ - { Type, Type, Alignment, Alignment, Flags } - -#define ICI_SQ(TypeQuery, TypeSet, AlignmentQuery, AlignmentSet, Flags) \ - { TypeQuery, TypeSet, AlignmentQuery, AlignmentSet, Flags } - -// -// TEMPORARY -// -#define IQS_SAME(Type, Alignment, Flags) \ - { sizeof(Type), sizeof(Type), sizeof(Alignment), sizeof(Alignment), Flags } - -#define IQS(TypeQuery, TypeSet, AlignmentQuery, AlignmentSet, Flags) \ - { sizeof(TypeQuery), sizeof(TypeSet), sizeof(AlignmentQuery), sizeof(AlignmentSet), Flags } - /* * Use IsPointerOffset to test whether a pointer should be interpreted as an offset * or as a pointer

3 years, 4 months

[reactos] 02/08: [NTDLL_APITEST] Implement alignment probing library code

by George Bișoc

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=ae8ebe45d20b933a5890a… commit ae8ebe45d20b933a5890afa65e3e8d7e5c2f8a54 Author: George Bișoc <george.bisoc(a)reactos.org> AuthorDate: Sun May 2 20:45:57 2021 +0200 Commit: George Bișoc <george.bisoc(a)reactos.org> CommitDate: Sun May 2 20:45:57 2021 +0200 [NTDLL_APITEST] Implement alignment probing library code The probing library code only probes data types for threads/processes information classes in Process Structure subsystem for now. --- modules/rostests/apitests/ntdll/precomp.h | 23 +++ modules/rostests/apitests/ntdll/probelib.c | 320 +++++++++++++++++++++++++++++ 2 files changed, 343 insertions(+) diff --git a/modules/rostests/apitests/ntdll/precomp.h b/modules/rostests/apitests/ntdll/precomp.h index 82d3e0733b0..d476f1cc958 100644 --- a/modules/rostests/apitests/ntdll/precomp.h +++ b/modules/rostests/apitests/ntdll/precomp.h @@ -12,4 +12,27 @@ #include <ndk/ntndk.h> #include <strsafe.h> +/* probelib.c */ +typedef enum _ALIGNMENT_PROBE_MODE +{ + QUERY, + SET +} ALIGNMENT_PROBE_MODE; + +VOID +QuerySetProcessValidator( + _In_ ALIGNMENT_PROBE_MODE ValidationMode, + _In_ ULONG InfoClassIndex, + _In_ PVOID InfoPointer, + _In_ ULONG InfoLength, + _In_ NTSTATUS ExpectedStatus); + +VOID +QuerySetThreadValidator( + _In_ ALIGNMENT_PROBE_MODE ValidationMode, + _In_ ULONG InfoClassIndex, + _In_ PVOID InfoPointer, + _In_ ULONG InfoLength, + _In_ NTSTATUS ExpectedStatus); + #endif /* _NTDLL_APITEST_PRECOMP_H_ */ diff --git a/modules/rostests/apitests/ntdll/probelib.c b/modules/rostests/apitests/ntdll/probelib.c new file mode 100644 index 00000000000..e59b1f5284f --- /dev/null +++ b/modules/rostests/apitests/ntdll/probelib.c @@ -0,0 +1,320 @@ +/* + * PROJECT: ReactOS API Tests + * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later) + * PURPOSE: Small library with probing utilities for thread/process classes information + * COPYRIGHT: Copyright 2020 George Bișoc <george.bisoc(a)reactos.org> + */ + +#include "precomp.h" +#include <internal/ps_i.h> + +VOID +QuerySetProcessValidator( + _In_ ALIGNMENT_PROBE_MODE ValidationMode, + _In_ ULONG InfoClassIndex, + _In_ PVOID InfoPointer, + _In_ ULONG InfoLength, + _In_ NTSTATUS ExpectedStatus) +{ + NTSTATUS Status, SpecialStatus = STATUS_SUCCESS; + + /* Before doing anything, check if we want query or set validation */ + switch (ValidationMode) + { + case QUERY: + { + switch (InfoClassIndex) + { + case ProcessWorkingSetWatch: + { + SpecialStatus = STATUS_UNSUCCESSFUL; + break; + } + + case ProcessHandleTracing: + { + SpecialStatus = STATUS_INVALID_PARAMETER; + break; + } + + /* + * This class returns an arbitrary size pointed by InformationLength + * which equates to the image filename of the process. Such status + * is returned in an invalid address query (STATUS_ACCESS_VIOLATION) + * where the function expects STATUS_INFO_LENGTH_MISMATCH instead. + */ + case ProcessImageFileName: + { + SpecialStatus = STATUS_INFO_LENGTH_MISMATCH; + break; + } + + /* These classes don't belong in the query group */ + case ProcessBasePriority: + case ProcessRaisePriority: + case ProcessExceptionPort: + case ProcessAccessToken: + case ProcessLdtSize: + case ProcessIoPortHandlers: + case ProcessUserModeIOPL: + case ProcessEnableAlignmentFaultFixup: + case ProcessAffinityMask: + case ProcessForegroundInformation: + { + SpecialStatus = STATUS_INVALID_INFO_CLASS; + break; + } + + /* These classes don't exist in Server 2003 */ + case ProcessIoPriority: + case ProcessTlsInformation: + case ProcessCycleTime: + case ProcessPagePriority: + case ProcessInstrumentationCallback: + case ProcessThreadStackAllocation: + case ProcessWorkingSetWatchEx: + case ProcessImageFileNameWin32: + case ProcessImageFileMapping: + case ProcessAffinityUpdateMode: + case ProcessMemoryAllocationMode: + { + SpecialStatus = STATUS_INVALID_INFO_CLASS; + break; + } + } + + /* Query the information */ + Status = NtQueryInformationProcess(NtCurrentProcess(), + InfoClassIndex, + InfoPointer, + InfoLength, + NULL); + + /* And probe the results we've got */ + ok(Status == ExpectedStatus || Status == SpecialStatus || Status == STATUS_DATATYPE_MISALIGNMENT, + "0x%lx or special status (0x%lx) expected but got 0x%lx for class information %lu in query information process operation!\n", ExpectedStatus, SpecialStatus, Status, InfoClassIndex); + break; + } + + case SET: + { + switch (InfoClassIndex) + { + case ProcessIoPortHandlers: + { + SpecialStatus = STATUS_INVALID_PARAMETER; + break; + } + + /* + * This class returns STATUS_SUCCESS when testing + * for STATUS_ACCESS_VIOLATION (setting an invalid address). + */ + case ProcessWorkingSetWatch: + { + SpecialStatus = STATUS_PORT_ALREADY_SET; + break; + } + + case ProcessUserModeIOPL: + { + SpecialStatus = STATUS_PRIVILEGE_NOT_HELD; + break; + } + + /* These classes don't belong in the set group */ + case ProcessBasicInformation: + case ProcessIoCounters: + case ProcessVmCounters: + case ProcessTimes: + case ProcessDebugPort: + case ProcessPooledUsageAndLimits: + case ProcessHandleCount: + case ProcessWow64Information: + case ProcessImageFileName: + case ProcessLUIDDeviceMapsEnabled: + case ProcessDebugObjectHandle: + case ProcessCookie: + case ProcessImageInformation: + { + SpecialStatus = STATUS_INVALID_INFO_CLASS; + break; + } + + /* These classes don't exist in Server 2003 */ + case ProcessIoPriority: + case ProcessTlsInformation: + case ProcessCycleTime: + case ProcessPagePriority: + case ProcessInstrumentationCallback: + case ProcessThreadStackAllocation: + case ProcessWorkingSetWatchEx: + case ProcessImageFileNameWin32: + case ProcessImageFileMapping: + case ProcessAffinityUpdateMode: + case ProcessMemoryAllocationMode: + { + SpecialStatus = STATUS_INVALID_INFO_CLASS; + break; + } + + /* Alignment probing is not performed for these classes */ + case ProcessEnableAlignmentFaultFixup: + case ProcessPriorityClass: + case ProcessForegroundInformation: + { + SpecialStatus = STATUS_ACCESS_VIOLATION; + break; + } + } + + /* Set the information */ + Status = NtSetInformationProcess(NtCurrentProcess(), + InfoClassIndex, + InfoPointer, + InfoLength); + + /* And probe the results we've got */ + ok(Status == ExpectedStatus || Status == SpecialStatus || Status == STATUS_DATATYPE_MISALIGNMENT || Status == STATUS_SUCCESS, + "0x%lx or special status (0x%lx) expected but got 0x%lx for class information %lu in set information process operation!\n", ExpectedStatus, SpecialStatus, Status, InfoClassIndex); + break; + } + + default: + break; + } +} + +VOID +QuerySetThreadValidator( + _In_ ALIGNMENT_PROBE_MODE ValidationMode, + _In_ ULONG InfoClassIndex, + _In_ PVOID InfoPointer, + _In_ ULONG InfoLength, + _In_ NTSTATUS ExpectedStatus) +{ + NTSTATUS Status, SpecialStatus = STATUS_SUCCESS; + + /* Before doing anything, check if we want query or set validation */ + switch (ValidationMode) + { + case QUERY: + { + switch (InfoClassIndex) + { + /* These classes don't belong in the query group */ + case ThreadPriority: + case ThreadBasePriority: + case ThreadAffinityMask: + case ThreadImpersonationToken: + case ThreadEnableAlignmentFaultFixup: + case ThreadZeroTlsCell: + case ThreadIdealProcessor: + case ThreadSetTlsArrayAddress: + case ThreadHideFromDebugger: + case ThreadSwitchLegacyState: + { + SpecialStatus = STATUS_INVALID_INFO_CLASS; + break; + } + + /* These classes don't exist in Server 2003 SP2 */ + case ThreadEventPair_Reusable: + case ThreadLastSystemCall: + case ThreadIoPriority: + case ThreadCycleTime: + case ThreadPagePriority: + case ThreadActualBasePriority: + case ThreadTebInformation: + case ThreadCSwitchMon: + { + SpecialStatus = STATUS_INVALID_INFO_CLASS; + break; + } + } + + /* Query the information */ + Status = NtQueryInformationThread(NtCurrentThread(), + InfoClassIndex, + InfoPointer, + InfoLength, + NULL); + + /* And probe the results we've got */ + ok(Status == ExpectedStatus || Status == SpecialStatus || Status == STATUS_DATATYPE_MISALIGNMENT, + "0x%lx or special status (0x%lx) expected but got 0x%lx for class information %lu in query information thread operation!\n", ExpectedStatus, SpecialStatus, Status, InfoClassIndex); + break; + } + + case SET: + { + switch (InfoClassIndex) + { + /* This class is not implemented in Windows Server 2003 SP2 */ + case ThreadSwitchLegacyState: + { + SpecialStatus = STATUS_NOT_IMPLEMENTED; + break; + } + + /* + * This class doesn't take a strict type for size length. + * The function happily succeds on an information length + * mismatch scenario with STATUS_SUCCESS. + */ + case ThreadHideFromDebugger: + { + SpecialStatus = STATUS_INFO_LENGTH_MISMATCH; + break; + } + + /* These classes don't belong in the set group */ + case ThreadBasicInformation: + case ThreadTimes: + case ThreadDescriptorTableEntry: + case ThreadPerformanceCount: + case ThreadAmILastThread: + case ThreadIsIoPending: + case ThreadIsTerminated: + { + SpecialStatus = STATUS_INVALID_INFO_CLASS; + break; + } + + /* These classes don't exist in Server 2003 SP2 */ + case ThreadEventPair_Reusable: + case ThreadLastSystemCall: + case ThreadIoPriority: + case ThreadCycleTime: + case ThreadPagePriority: + case ThreadActualBasePriority: + case ThreadTebInformation: + case ThreadCSwitchMon: + { + SpecialStatus = STATUS_INVALID_INFO_CLASS; + break; + } + + /* Alignment probing is not performed for this class */ + case ThreadEnableAlignmentFaultFixup: + { + SpecialStatus = STATUS_ACCESS_VIOLATION; + break; + } + } + + /* Set the information */ + Status = NtSetInformationThread(NtCurrentThread(), + InfoClassIndex, + InfoPointer, + InfoLength); + + /* And probe the results we've got */ + ok(Status == ExpectedStatus || Status == SpecialStatus || Status == STATUS_DATATYPE_MISALIGNMENT || Status == STATUS_SUCCESS, + "0x%lx or special status (0x%lx) expected but got 0x%lx for class information %lu in set information thread operation!\n", ExpectedStatus, SpecialStatus, Status, InfoClassIndex); + } + + default: + break; + } +}

3 years, 4 months

[reactos] 01/08: [NTDLL_APITEST] Include the internal headers from the kernel and the probing library file

by George Bișoc

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=66007dee2bc137779fecd… commit 66007dee2bc137779fecd919b665b51923db4e71 Author: George Bișoc <george.bisoc(a)reactos.org> AuthorDate: Sun May 2 20:42:19 2021 +0200 Commit: George Bișoc <george.bisoc(a)reactos.org> CommitDate: Sun May 2 20:42:19 2021 +0200 [NTDLL_APITEST] Include the internal headers from the kernel and the probing library file --- modules/rostests/apitests/ntdll/CMakeLists.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/rostests/apitests/ntdll/CMakeLists.txt b/modules/rostests/apitests/ntdll/CMakeLists.txt index 24844b98f4b..ed0a199a903 100644 --- a/modules/rostests/apitests/ntdll/CMakeLists.txt +++ b/modules/rostests/apitests/ntdll/CMakeLists.txt @@ -2,6 +2,7 @@ add_subdirectory(load_notifications) include_directories($<TARGET_FILE_DIR:load_notifications>) +include_directories(${REACTOS_SOURCE_DIR}/ntoskrnl/include) spec2def(ntdll_apitest.exe ntdll_apitest.spec) list(APPEND SOURCE @@ -43,6 +44,7 @@ list(APPEND SOURCE NtSetVolumeInformationFile.c NtUnloadDriver.c NtWriteFile.c + probelib.c RtlAllocateHeap.c RtlBitmap.c RtlComputePrivatizedDllName_U.c

3 years, 4 months

[reactos] 02/02: [NTOS:PS] Make sure we can impersonate the given token first

by George Bișoc

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=242efae9a22cabf961a92… commit 242efae9a22cabf961a92785de4dde842862d388 Author: George Bișoc <george.bisoc(a)reactos.org> AuthorDate: Mon Apr 12 14:42:52 2021 +0200 Commit: George Bișoc <george.bisoc(a)reactos.org> CommitDate: Sun May 2 16:55:20 2021 +0200 [NTOS:PS] Make sure we can impersonate the given token first PsImpersonateClient blindly impersonates the requested client even though it doesn't know if the actual token given to the call can be impersonated for the thread of the client which we are going to begin impersonation. In the case where impersonation is not possible, make a copy of the given token and assign the newly one for impersonation instead. CORE-17539 --- ntoskrnl/ps/security.c | 53 ++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 47 insertions(+), 6 deletions(-) diff --git a/ntoskrnl/ps/security.c b/ntoskrnl/ps/security.c index 0b3f97fbf06..23145529743 100644 --- a/ntoskrnl/ps/security.c +++ b/ntoskrnl/ps/security.c @@ -614,8 +614,10 @@ PsImpersonateClient(IN PETHREAD Thread, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel) { PPS_IMPERSONATION_INFORMATION Impersonation, OldData; - PTOKEN OldToken = NULL; + PTOKEN OldToken = NULL, ProcessToken = NULL; + PACCESS_TOKEN NewToken, ImpersonationToken; PEJOB Job; + NTSTATUS Status; PAGED_CODE(); PSTRACE(PS_SECURITY_DEBUG, "Thread: %p, Token: %p\n", Thread, Token); @@ -670,7 +672,46 @@ PsImpersonateClient(IN PETHREAD Thread, } } - /* FIXME: If the process token can't impersonate, we need to make a copy instead */ + /* + * Assign the token we get from the caller first. The reason + * we have to do that is because we're unsure if we can impersonate + * in the first place. In the scenario where we cannot then the + * last resort is to make a copy of the token and assign that newly + * token to the impersonation information. + */ + ImpersonationToken = Token; + + /* Obtain a token from the process */ + ProcessToken = PsReferencePrimaryToken(Thread->ThreadsProcess); + if (!ProcessToken) + { + /* We can't continue this way without having the process' token... */ + return STATUS_UNSUCCESSFUL; + } + + /* Make sure we can impersonate */ + if (!SeTokenCanImpersonate(ProcessToken, + Token, + ImpersonationLevel)) + { + /* We can't, make a copy of the token instead */ + Status = SeCopyClientToken(Token, + SecurityIdentification, + KernelMode, + &NewToken); + if (!NT_SUCCESS(Status)) + { + /* We can't even make a copy of the token? Then bail out... */ + ObFastDereferenceObject(&Thread->ThreadsProcess->Token, ProcessToken); + return Status; + } + + /* Since we cannot impersonate, assign the newly copied token */ + ImpersonationToken = NewToken; + } + + /* We no longer need the process' token */ + ObFastDereferenceObject(&Thread->ThreadsProcess->Token, ProcessToken); /* Check if this is a job */ Job = Thread->ThreadsProcess->Job; @@ -678,14 +719,14 @@ PsImpersonateClient(IN PETHREAD Thread, { /* No admin allowed in this job */ if ((Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_NO_ADMIN) && - SeTokenIsAdmin(Token)) + SeTokenIsAdmin(ImpersonationToken)) { return STATUS_ACCESS_DENIED; } /* No restricted tokens allowed in this job */ if ((Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_RESTRICTED_TOKEN) && - SeTokenIsRestricted(Token)) + SeTokenIsRestricted(ImpersonationToken)) { return STATUS_ACCESS_DENIED; } @@ -716,8 +757,8 @@ PsImpersonateClient(IN PETHREAD Thread, Impersonation->ImpersonationLevel = ImpersonationLevel; Impersonation->CopyOnOpen = CopyOnOpen; Impersonation->EffectiveOnly = EffectiveOnly; - Impersonation->Token = Token; - ObReferenceObject(Token); + Impersonation->Token = ImpersonationToken; + ObReferenceObject(ImpersonationToken); /* Unlock the thread */ PspUnlockThreadSecurityExclusive(Thread);

3 years, 4 months

[reactos] 01/02: [NTOS:SE] Implement SeTokenCanImpersonate routine

by George Bișoc

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=18ddb6ba9248f1812b182… commit 18ddb6ba9248f1812b182277d28d6e86707cb91f Author: George Bișoc <george.bisoc(a)reactos.org> AuthorDate: Mon Apr 12 14:33:42 2021 +0200 Commit: George Bișoc <george.bisoc(a)reactos.org> CommitDate: Sun May 2 16:55:19 2021 +0200 [NTOS:SE] Implement SeTokenCanImpersonate routine SeTokenCanImpersonate ensures whether the client impersonation can occur, and if not, the call signals this to the caller. --- ntoskrnl/include/internal/se.h | 7 +++ ntoskrnl/se/token.c | 98 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 105 insertions(+) diff --git a/ntoskrnl/include/internal/se.h b/ntoskrnl/include/internal/se.h index 727060af822..0a8561d397a 100644 --- a/ntoskrnl/include/internal/se.h +++ b/ntoskrnl/include/internal/se.h @@ -248,6 +248,13 @@ SepSidInTokenEx( IN BOOLEAN Restricted ); +BOOLEAN +NTAPI +SeTokenCanImpersonate( + _In_ PTOKEN ProcessToken, + _In_ PTOKEN TokenToImpersonate, + _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel); + /* Functions */ BOOLEAN NTAPI diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c index 1849a16c3a7..32842ebce99 100644 --- a/ntoskrnl/se/token.c +++ b/ntoskrnl/se/token.c @@ -2265,6 +2265,104 @@ SeTokenIsWriteRestricted(IN PACCESS_TOKEN Token) return (((PTOKEN)Token)->TokenFlags & SE_BACKUP_PRIVILEGES_CHECKED) != 0; } +/** + * @brief + * Ensures that client impersonation can occur by checking if the token + * we're going to assign as the impersonation token can be actually impersonated + * in the first place. The routine is used primarily by PsImpersonateClient. + * + * @param[in] ProcessToken + * Token from a process. + * + * @param[in] TokenToImpersonate + * Token that we are going to impersonate. + * + * @param[in] ImpersonationLevel + * Security impersonation level grade. + * + * @return + * Returns TRUE if the conditions checked are met for token impersonation, + * FALSE otherwise. + */ +BOOLEAN +NTAPI +SeTokenCanImpersonate( + _In_ PTOKEN ProcessToken, + _In_ PTOKEN TokenToImpersonate, + _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel) +{ + BOOLEAN CanImpersonate; + PAGED_CODE(); + + /* + * SecurityAnonymous and SecurityIdentification levels do not + * allow impersonation. If we get such levels from the call + * then something's seriously wrong. + */ + ASSERT(ImpersonationLevel != SecurityAnonymous || + ImpersonationLevel != SecurityIdentification); + + /* Time to lock our tokens */ + SepAcquireTokenLockShared(ProcessToken); + SepAcquireTokenLockShared(TokenToImpersonate); + + /* What kind of authentication ID does the token have? */ + if (RtlEqualLuid(&TokenToImpersonate->AuthenticationId, + &SeAnonymousAuthenticationId)) + { + /* + * OK, it looks like the token has an anonymous + * authentication. Is that token created by the system? + */ + if (TokenToImpersonate->TokenSource.SourceName != SeSystemTokenSource.SourceName && + !RtlEqualLuid(&TokenToImpersonate->TokenSource.SourceIdentifier, &SeSystemTokenSource.SourceIdentifier)) + { + /* It isn't, we can't impersonate regular tokens */ + DPRINT("SeTokenCanImpersonate(): Token has an anonymous authentication ID, can't impersonate!\n"); + CanImpersonate = FALSE; + goto Quit; + } + } + + /* Are the SID values from both tokens equal? */ + if (!RtlEqualSid(ProcessToken->UserAndGroups->Sid, + TokenToImpersonate->UserAndGroups->Sid)) + { + /* They aren't, bail out */ + DPRINT("SeTokenCanImpersonate(): Tokens SIDs are not equal!\n"); + CanImpersonate = FALSE; + goto Quit; + } + + /* + * Make sure the tokens aren't diverged in terms of + * restrictions, that is, one token is restricted + * but the other one isn't. + */ + if (SeTokenIsRestricted(ProcessToken) != + SeTokenIsRestricted(TokenToImpersonate)) + { + /* + * One token is restricted so we cannot + * continue further at this point, bail out. + */ + DPRINT("SeTokenCanImpersonate(): One token is restricted, can't continue!\n"); + CanImpersonate = FALSE; + goto Quit; + } + + /* If we've reached that far then we can impersonate! */ + DPRINT("SeTokenCanImpersonate(): We can impersonate.\n"); + CanImpersonate = TRUE; + +Quit: + /* We're done, unlock the tokens now */ + SepReleaseTokenLock(ProcessToken); + SepReleaseTokenLock(TokenToImpersonate); + + return CanImpersonate; +} + /* SYSTEM CALLS ***************************************************************/ /*

3 years, 4 months

[reactos] 01/01: [NTOS:PS] Revert 4d7062abb6bcdfefd1c25d391020d98cb6538576 on request

by Eric Kohl

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=a7d6483e65d565772f4df… commit a7d6483e65d565772f4df8ccc546502e005898f7 Author: Eric Kohl <eric.kohl(a)reactos.org> AuthorDate: Sun May 2 16:26:11 2021 +0200 Commit: Eric Kohl <eric.kohl(a)reactos.org> CommitDate: Sun May 2 16:26:11 2021 +0200 [NTOS:PS] Revert 4d7062abb6bcdfefd1c25d391020d98cb6538576 on request --- ntoskrnl/ps/query.c | 49 ++++++++++--------------------------------------- 1 file changed, 10 insertions(+), 39 deletions(-) diff --git a/ntoskrnl/ps/query.c b/ntoskrnl/ps/query.c index 0d2d1cd6e41..b25e6928422 100644 --- a/ntoskrnl/ps/query.c +++ b/ntoskrnl/ps/query.c @@ -2032,48 +2032,19 @@ NtSetInformationThread(IN HANDLE ThreadHandle, ULONG_PTR TlsIndex = 0; PVOID *ExpansionSlots; PETHREAD ProcThread; - ULONG Alignment; BOOLEAN HasPrivilege; PAGED_CODE(); - /* Check if we were called from user mode */ - if (PreviousMode != KernelMode) - { - /* Enter SEH */ - _SEH2_TRY - { - switch (ThreadInformationClass) - { - case ThreadPriority: - Alignment = sizeof(KPRIORITY); - break; - - case ThreadAffinityMask: - case ThreadQuerySetWin32StartAddress: - Alignment = sizeof(ULONG_PTR); - break; - - case ThreadEnableAlignmentFaultFixup: - Alignment = sizeof(BOOLEAN); - break; - - default: - Alignment = sizeof(ULONG); - break; - } - - /* Probe the buffer */ - ProbeForRead(ThreadInformation, - ThreadInformationLength, - Alignment); - } - _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) - { - /* Return the exception code */ - _SEH2_YIELD(return _SEH2_GetExceptionCode()); - } - _SEH2_END; - } + /* Verify Information Class validity */ +#if 0 + Status = DefaultSetInfoBufferCheck(ThreadInformationClass, + PsThreadInfoClass, + RTL_NUMBER_OF(PsThreadInfoClass), + ThreadInformation, + ThreadInformationLength, + PreviousMode); + if (!NT_SUCCESS(Status)) return Status; +#endif /* Check what kind of information class this is */ switch (ThreadInformationClass)

3 years, 4 months

[reactos] 01/01: [NTOS:PS] Add the missing privilege check to NtSetInformationThread:ThreadPriority

by Eric Kohl

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=9fa31e0f9b137df0d1377… commit 9fa31e0f9b137df0d13777ba153e5e9ff8dd4ab4 Author: Eric Kohl <eric.kohl(a)reactos.org> AuthorDate: Sun May 2 15:28:26 2021 +0200 Commit: Eric Kohl <eric.kohl(a)reactos.org> CommitDate: Sun May 2 15:28:26 2021 +0200 [NTOS:PS] Add the missing privilege check to NtSetInformationThread:ThreadPriority This fixes the remaining failure in the NtSetInformationThread test. --- ntoskrnl/ps/query.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/ntoskrnl/ps/query.c b/ntoskrnl/ps/query.c index ea343c51eab..0d2d1cd6e41 100644 --- a/ntoskrnl/ps/query.c +++ b/ntoskrnl/ps/query.c @@ -2033,6 +2033,7 @@ NtSetInformationThread(IN HANDLE ThreadHandle, PVOID *ExpansionSlots; PETHREAD ProcThread; ULONG Alignment; + BOOLEAN HasPrivilege; PAGED_CODE(); /* Check if we were called from user mode */ @@ -2110,6 +2111,20 @@ NtSetInformationThread(IN HANDLE ThreadHandle, break; } + /* Check for the required privilege */ + if (Priority >= LOW_REALTIME_PRIORITY) + { + HasPrivilege = SeCheckPrivilegedObject(SeIncreaseBasePriorityPrivilege, + ThreadHandle, + THREAD_SET_INFORMATION, + PreviousMode); + if (!HasPrivilege) + { + DPRINT1("Privilege to change priority to %lx lacking\n", Priority); + return STATUS_PRIVILEGE_NOT_HELD; + } + } + /* Reference the thread */ Status = ObReferenceObjectByHandle(ThreadHandle, THREAD_SET_INFORMATION,

3 years, 4 months

[reactos] 01/01: [NTOS:PS] Add ThreadInformation probing to NtSetInformationThread

by Eric Kohl

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=4d7062abb6bcdfefd1c25… commit 4d7062abb6bcdfefd1c25d391020d98cb6538576 Author: Eric Kohl <eric.kohl(a)reactos.org> AuthorDate: Sun May 2 13:55:29 2021 +0200 Commit: Eric Kohl <eric.kohl(a)reactos.org> CommitDate: Sun May 2 13:55:29 2021 +0200 [NTOS:PS] Add ThreadInformation probing to NtSetInformationThread Also get rid of unused buffer check code. This fixes two test failures. --- ntoskrnl/ps/query.c | 49 +++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 39 insertions(+), 10 deletions(-) diff --git a/ntoskrnl/ps/query.c b/ntoskrnl/ps/query.c index b8598a0b8a0..ea343c51eab 100644 --- a/ntoskrnl/ps/query.c +++ b/ntoskrnl/ps/query.c @@ -2032,18 +2032,47 @@ NtSetInformationThread(IN HANDLE ThreadHandle, ULONG_PTR TlsIndex = 0; PVOID *ExpansionSlots; PETHREAD ProcThread; + ULONG Alignment; PAGED_CODE(); - /* Verify Information Class validity */ -#if 0 - Status = DefaultSetInfoBufferCheck(ThreadInformationClass, - PsThreadInfoClass, - RTL_NUMBER_OF(PsThreadInfoClass), - ThreadInformation, - ThreadInformationLength, - PreviousMode); - if (!NT_SUCCESS(Status)) return Status; -#endif + /* Check if we were called from user mode */ + if (PreviousMode != KernelMode) + { + /* Enter SEH */ + _SEH2_TRY + { + switch (ThreadInformationClass) + { + case ThreadPriority: + Alignment = sizeof(KPRIORITY); + break; + + case ThreadAffinityMask: + case ThreadQuerySetWin32StartAddress: + Alignment = sizeof(ULONG_PTR); + break; + + case ThreadEnableAlignmentFaultFixup: + Alignment = sizeof(BOOLEAN); + break; + + default: + Alignment = sizeof(ULONG); + break; + } + + /* Probe the buffer */ + ProbeForRead(ThreadInformation, + ThreadInformationLength, + Alignment); + } + _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) + { + /* Return the exception code */ + _SEH2_YIELD(return _SEH2_GetExceptionCode()); + } + _SEH2_END; + } /* Check what kind of information class this is */ switch (ThreadInformationClass)

3 years, 4 months

[reactos] 01/01: [NTOS:PS] Rewrite NtSetInformationThread to match NtQueryInformationThread

by Eric Kohl

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=2e88e2b90448a8a320fa2… commit 2e88e2b90448a8a320fa293e95d8766a11a63a53 Author: Eric Kohl <eric.kohl(a)reactos.org> AuthorDate: Sun May 2 13:46:22 2021 +0200 Commit: Eric Kohl <eric.kohl(a)reactos.org> CommitDate: Sun May 2 13:46:22 2021 +0200 [NTOS:PS] Rewrite NtSetInformationThread to match NtQueryInformationThread The Information length must always be checked before referencing the thread object. This fixes a test failure. --- ntoskrnl/ps/query.c | 149 ++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 127 insertions(+), 22 deletions(-) diff --git a/ntoskrnl/ps/query.c b/ntoskrnl/ps/query.c index fa8d201c249..b8598a0b8a0 100644 --- a/ntoskrnl/ps/query.c +++ b/ntoskrnl/ps/query.c @@ -2018,7 +2018,6 @@ NtSetInformationThread(IN HANDLE ThreadHandle, IN ULONG ThreadInformationLength) { PETHREAD Thread; - ULONG Access; KPROCESSOR_MODE PreviousMode = ExGetPreviousMode(); NTSTATUS Status; HANDLE TokenHandle = NULL; @@ -2046,23 +2045,6 @@ NtSetInformationThread(IN HANDLE ThreadHandle, if (!NT_SUCCESS(Status)) return Status; #endif - /* Check what class this is */ - Access = THREAD_SET_INFORMATION; - if (ThreadInformationClass == ThreadImpersonationToken) - { - /* Setting the impersonation token needs a special mask */ - Access = THREAD_SET_THREAD_TOKEN; - } - - /* Reference the thread */ - Status = ObReferenceObjectByHandle(ThreadHandle, - Access, - PsThreadType, - PreviousMode, - (PVOID*)&Thread, - NULL); - if (!NT_SUCCESS(Status)) return Status; - /* Check what kind of information class this is */ switch (ThreadInformationClass) { @@ -2099,8 +2081,21 @@ NtSetInformationThread(IN HANDLE ThreadHandle, break; } + /* Reference the thread */ + Status = ObReferenceObjectByHandle(ThreadHandle, + THREAD_SET_INFORMATION, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Set the priority */ KeSetPriorityThread(&Thread->Tcb, Priority); + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadBasePriority: @@ -2145,8 +2140,21 @@ NtSetInformationThread(IN HANDLE ThreadHandle, } } + /* Reference the thread */ + Status = ObReferenceObjectByHandle(ThreadHandle, + THREAD_SET_INFORMATION, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Set the base priority */ KeSetBasePriorityThread(&Thread->Tcb, Priority); + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadAffinityMask: @@ -2180,6 +2188,16 @@ NtSetInformationThread(IN HANDLE ThreadHandle, break; } + /* Reference the thread */ + Status = ObReferenceObjectByHandle(ThreadHandle, + THREAD_SET_INFORMATION, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Get the process */ Process = Thread->ThreadsProcess; @@ -2214,7 +2232,8 @@ NtSetInformationThread(IN HANDLE ThreadHandle, Status = STATUS_PROCESS_IS_TERMINATING; } - /* Return status */ + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadImpersonationToken: @@ -2240,8 +2259,21 @@ NtSetInformationThread(IN HANDLE ThreadHandle, } _SEH2_END; + /* Reference the thread */ + Status = ObReferenceObjectByHandle(ThreadHandle, + THREAD_SET_THREAD_TOKEN, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Assign the actual token */ Status = PsAssignImpersonationToken(Thread, TokenHandle); + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadQuerySetWin32StartAddress: @@ -2267,8 +2299,21 @@ NtSetInformationThread(IN HANDLE ThreadHandle, } _SEH2_END; + /* Reference the thread */ + Status = ObReferenceObjectByHandle(ThreadHandle, + THREAD_SET_INFORMATION, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Set the address */ Thread->Win32StartAddress = Address; + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadIdealProcessor: @@ -2302,6 +2347,16 @@ NtSetInformationThread(IN HANDLE ThreadHandle, break; } + /* Reference the thread */ + Status = ObReferenceObjectByHandle(ThreadHandle, + THREAD_SET_INFORMATION, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Set the ideal */ Status = KeSetIdealProcessorThread(&Thread->Tcb, (CCHAR)IdealProcessor); @@ -2317,6 +2372,8 @@ NtSetInformationThread(IN HANDLE ThreadHandle, ExReleaseRundownProtection(&Thread->RundownProtect); } + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadPriorityBoost: @@ -2342,8 +2399,21 @@ NtSetInformationThread(IN HANDLE ThreadHandle, } _SEH2_END; + /* Reference the thread */ + Status = ObReferenceObjectByHandle(ThreadHandle, + THREAD_SET_INFORMATION, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Call the kernel */ KeSetDisableBoostThread(&Thread->Tcb, (BOOLEAN)DisableBoost); + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadZeroTlsCell: @@ -2377,6 +2447,16 @@ NtSetInformationThread(IN HANDLE ThreadHandle, break; } + /* Reference the thread */ + Status = ObReferenceObjectByHandle(ThreadHandle, + THREAD_SET_INFORMATION, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Get the process */ Process = Thread->ThreadsProcess; @@ -2421,7 +2501,8 @@ NtSetInformationThread(IN HANDLE ThreadHandle, ProcThread = PsGetNextProcessThread(Process, ProcThread); } - /* All done */ + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadBreakOnTermination: @@ -2455,6 +2536,16 @@ NtSetInformationThread(IN HANDLE ThreadHandle, break; } + /* Reference the thread */ + Status = ObReferenceObjectByHandle(ThreadHandle, + THREAD_SET_INFORMATION, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Set or clear the flag */ if (Break) { @@ -2464,6 +2555,9 @@ NtSetInformationThread(IN HANDLE ThreadHandle, { PspClearCrossThreadFlag(Thread, CT_BREAK_ON_TERMINATION_BIT); } + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadHideFromDebugger: @@ -2475,8 +2569,21 @@ NtSetInformationThread(IN HANDLE ThreadHandle, break; } + /* Reference the thread */ + Status = ObReferenceObjectByHandle(ThreadHandle, + THREAD_SET_INFORMATION, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Set the flag */ PspSetCrossThreadFlag(Thread, CT_HIDE_FROM_DEBUGGER_BIT); + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; default: @@ -2485,8 +2592,6 @@ NtSetInformationThread(IN HANDLE ThreadHandle, Status = STATUS_NOT_IMPLEMENTED; } - /* Dereference and return status */ - ObDereferenceObject(Thread); return Status; }

3 years, 4 months

[reactos] 01/01: [NTOS:PS] Rewrite NtQueryInformationThread to match NtQueryInformationProcess

by Eric Kohl

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=55857674608c9e06593e5… commit 55857674608c9e06593e5bf31d33e390c10df23f Author: Eric Kohl <eric.kohl(a)reactos.org> AuthorDate: Sun May 2 12:46:19 2021 +0200 Commit: Eric Kohl <eric.kohl(a)reactos.org> CommitDate: Sun May 2 12:46:55 2021 +0200 [NTOS:PS] Rewrite NtQueryInformationThread to match NtQueryInformationProcess The information length must always be checked before referencing the thread object. This fixes the remaining test failure. --- ntoskrnl/ps/query.c | 133 +++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 122 insertions(+), 11 deletions(-) diff --git a/ntoskrnl/ps/query.c b/ntoskrnl/ps/query.c index 7c8737cba93..fa8d201c249 100644 --- a/ntoskrnl/ps/query.c +++ b/ntoskrnl/ps/query.c @@ -2538,15 +2538,6 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, /* Check what class this is */ Access = THREAD_QUERY_INFORMATION; - /* Reference the process */ - Status = ObReferenceObjectByHandle(ThreadHandle, - Access, - PsThreadType, - PreviousMode, - (PVOID*)&Thread, - NULL); - if (!NT_SUCCESS(Status)) return Status; - /* Check what kind of information class this is */ switch (ThreadInformationClass) { @@ -2561,6 +2552,17 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, Status = STATUS_INFO_LENGTH_MISMATCH; break; } + + /* Reference the process */ + Status = ObReferenceObjectByHandle(ThreadHandle, + Access, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Protect writes with SEH */ _SEH2_TRY { @@ -2578,6 +2580,9 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, Status = _SEH2_GetExceptionCode(); } _SEH2_END; + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; /* Thread time information */ @@ -2591,6 +2596,17 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, Status = STATUS_INFO_LENGTH_MISMATCH; break; } + + /* Reference the process */ + Status = ObReferenceObjectByHandle(ThreadHandle, + Access, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Protect writes with SEH */ _SEH2_TRY { @@ -2615,6 +2631,9 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, Status = _SEH2_GetExceptionCode(); } _SEH2_END; + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadQuerySetWin32StartAddress: @@ -2627,6 +2646,17 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, Status = STATUS_INFO_LENGTH_MISMATCH; break; } + + /* Reference the process */ + Status = ObReferenceObjectByHandle(ThreadHandle, + Access, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Protect write with SEH */ _SEH2_TRY { @@ -2639,6 +2669,9 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, Status = _SEH2_GetExceptionCode(); } _SEH2_END; + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadPerformanceCount: @@ -2651,6 +2684,17 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, Status = STATUS_INFO_LENGTH_MISMATCH; break; } + + /* Reference the process */ + Status = ObReferenceObjectByHandle(ThreadHandle, + Access, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Protect write with SEH */ _SEH2_TRY { @@ -2663,6 +2707,9 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, Status = _SEH2_GetExceptionCode(); } _SEH2_END; + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadAmILastThread: @@ -2675,6 +2722,17 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, Status = STATUS_INFO_LENGTH_MISMATCH; break; } + + /* Reference the process */ + Status = ObReferenceObjectByHandle(ThreadHandle, + Access, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Protect write with SEH */ _SEH2_TRY { @@ -2691,6 +2749,9 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, Status = _SEH2_GetExceptionCode(); } _SEH2_END; + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadIsIoPending: @@ -2703,6 +2764,17 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, Status = STATUS_INFO_LENGTH_MISMATCH; break; } + + /* Reference the process */ + Status = ObReferenceObjectByHandle(ThreadHandle, + Access, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Raise the IRQL to protect the IRP list */ KeRaiseIrql(APC_LEVEL, &OldIrql); @@ -2721,17 +2793,33 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, /* Lower IRQL back */ KeLowerIrql(OldIrql); + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; /* LDT and GDT information */ case ThreadDescriptorTableEntry: #if defined(_X86_) + /* Reference the process */ + Status = ObReferenceObjectByHandle(ThreadHandle, + Access, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + /* Call the worker routine */ Status = PspQueryDescriptorThread(Thread, ThreadInformation, ThreadInformationLength, ReturnLength); + + /* Dereference the thread */ + ObDereferenceObject(Thread); #else /* Only implemented on x86 */ Status = STATUS_NOT_IMPLEMENTED; @@ -2749,6 +2837,16 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, break; } + /* Reference the process */ + Status = ObReferenceObjectByHandle(ThreadHandle, + Access, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + _SEH2_TRY { *(PULONG)ThreadInformation = Thread->Tcb.DisableBoost ? 1 : 0; @@ -2758,6 +2856,9 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, Status = _SEH2_GetExceptionCode(); } _SEH2_END; + + /* Dereference the thread */ + ObDereferenceObject(Thread); break; case ThreadIsTerminated: @@ -2771,6 +2872,16 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, break; } + /* Reference the process */ + Status = ObReferenceObjectByHandle(ThreadHandle, + Access, + PsThreadType, + PreviousMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + break; + ThreadTerminated = PsIsThreadTerminating(Thread); _SEH2_TRY @@ -2783,6 +2894,8 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, } _SEH2_END; + /* Dereference the thread */ + ObDereferenceObject(Thread); break; /* Anything else */ @@ -2806,8 +2919,6 @@ NtQueryInformationThread(IN HANDLE ThreadHandle, } _SEH2_END; - /* Dereference the thread, and return */ - ObDereferenceObject(Thread); return Status; }

3 years, 4 months

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Ros-diffs May 2021