https://git.reactos.org/?p=reactos.git;a=commitdiff;h=199f575342a9d4383f44e…
commit 199f575342a9d4383f44e9d29fa8088985dd9b9d
Author: George Bișoc <george.bisoc(a)reactos.org>
AuthorDate: Sun Sep 26 11:38:45 2021 +0200
Commit: George Bișoc <george.bisoc(a)reactos.org>
CommitDate: Mon Sep 27 09:37:28 2021 +0200
[NTOS:SE] Check the privilege count against the maximum threshold
In SeCaptureLuidAndAttributesArray we must ensure that we don't go into a potential integer overflow scenario by checking against the maximum limit threshold the kernel states. In addition, write an explicit name macro for the value.
---
ntoskrnl/se/priv.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/ntoskrnl/se/priv.c b/ntoskrnl/se/priv.c
index cae9103e210..a1013b1844b 100644
--- a/ntoskrnl/se/priv.c
+++ b/ntoskrnl/se/priv.c
@@ -15,6 +15,8 @@
/* GLOBALS ********************************************************************/
+#define SE_MAXIMUM_PRIVILEGE_LIMIT 0x3C
+
#define CONST_LUID(x1, x2) {x1, x2}
const LUID SeCreateTokenPrivilege = CONST_LUID(SE_CREATE_TOKEN_PRIVILEGE, 0);
const LUID SeAssignPrimaryTokenPrivilege = CONST_LUID(SE_ASSIGNPRIMARYTOKEN_PRIVILEGE, 0);
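Review bot: The new `SE_MAXIMUM_PRIVILEGE_LIMIT 0x3C` definition is a bare magic number with no comment saying where the value comes from, and it lives in priv.c rather than a shared header, so other security-subsystem code that validates privilege counts cannot reuse it. Suggest a one-line comment above the define stating what the limit represents (the commit message says it is the maximum threshold the kernel states) and, if the value is needed elsewhere, moving it next to the other SE constants in a header rather than the GLOBALS block of this file.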
@@ -427,7 +429,9 @@ SeCheckAuditPrivilege(
* has been captured successfully. STATUS_INSUFFICIENT_RESOURCES is returned
* if memory pool allocation for the captured buffer has failed.
* STATUS_BUFFER_TOO_SMALL is returned if the buffer size is less than the
- * required size.
+ * required size. STATUS_INVALID_PARAMETER is returned if the caller has
+ * submitted a privilege count that exceeds that maximum threshold the
+ * kernel can permit, for the purpose to avoid an integer overflow.
*/
NTSTATUS
NTAPI
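Review bot: The added doc text reads awkwardly and has a grammar slip ("exceeds that maximum threshold the kernel can permit, for the purpose to avoid an integer overflow"). Suggest rewording the three added lines to something like " * required size. STATUS_INVALID_PARAMETER is returned if the caller has" / " * submitted a privilege count that exceeds the maximum threshold the" / " * kernel permits, so that the buffer size computation cannot overflow."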
@@ -454,15 +458,17 @@ SeCaptureLuidAndAttributesArray(
return STATUS_SUCCESS;
}
+ if (PrivilegeCount > SE_MAXIMUM_PRIVILEGE_LIMIT)
+ {
+ return STATUS_INVALID_PARAMETER;
+ }
+
if (PreviousMode == KernelMode && !CaptureIfKernel)
{
*Dest = Src;
return STATUS_SUCCESS;
}
- /* FIXME - check PrivilegeCount for a valid number so we don't
- cause an integer overflow or exhaust system resources! */
-
BufferSize = PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
*Length = ROUND_UP(BufferSize, 4); /* round up to a 4 byte alignment */
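Review bot: The new `PrivilegeCount > SE_MAXIMUM_PRIVILEGE_LIMIT` check is placed before the `PreviousMode == KernelMode && !CaptureIfKernel` early return, so kernel-mode callers that only pass the pointer through (no allocation, no `BufferSize` computation) are now rejected as well; if that is intended as a hard limit for all callers it deserves a comment, otherwise the check belongs after that branch, immediately before `BufferSize = PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);`, which is the multiplication the removed FIXME was worried about. With the cap in place the multiplication cannot overflow and the pool allocation is bounded, so the FIXME's "exhaust system resources" concern is covered too; it would be worth saying so in a short comment where the FIXME used to be.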