- Use MmUserProbeAddress in the system call handler to verify the parametes we got from user-mode are valid and return STATUS_ACCESS_VIOLATION if the check fails.
- Handle failure after PsConvertToGuiThread and return STATUS_INVALID_SYSTEM_SERVICE and/or FALSE and/or -1 on failure.
- Made MCE/XMMI interrupts unexpected on-boot.
- Removed KiTrapUnknown and used KiTrap0F (15) instead, which is the generic unexpected handler.
Modified: trunk/reactos/include/ndk/asm.h
Modified: trunk/reactos/ntoskrnl/ke/i386/trap.s
Modified: trunk/reactos/include/ndk/asm.h
--- trunk/reactos/include/ndk/asm.h	2006-01-17 22:34:20 UTC (rev 20941)
+++ trunk/reactos/include/ndk/asm.h	2006-01-17 22:41:39 UTC (rev 20942)
@@ -357,10 +357,12 @@

 // NTSTATUS and Bugcheck Codes
 //
 #ifdef __ASM__

+#define STATUS_ACCESS_VIOLATION                 0xC0000005

 #define STATUS_INVALID_SYSTEM_SERVICE           0xC000001C
 #define STATUS_NO_CALLBACK_ACTIVE               0xC0000258

-#define APC_INDEX_MISMATCH                      1

+#define APC_INDEX_MISMATCH                      0x01

 #define IRQL_GT_ZERO_AT_SYSTEM_SERVICE          0x4A

+#define UNEXPECTED_KERNEL_MODE_TRAP             0x7F

 #endif
 
 //
Modified: trunk/reactos/ntoskrnl/ke/i386/trap.s
--- trunk/reactos/ntoskrnl/ke/i386/trap.s	2006-01-17 22:34:20 UTC (rev 20941)
+++ trunk/reactos/ntoskrnl/ke/i386/trap.s	2006-01-17 22:41:39 UTC (rev 20942)
@@ -16,8 +16,6 @@

   * FIXMEs:
   *         - Figure out why ES/DS gets messed up in VMWare, when doing KiServiceExit only,
   *           and only when called from user-mode, and returning to user-mode.

-  *         - Use MmProbe when copying arguments to syscall.
-  *         - Handle failure after PsConvertToGuiThread.

   *         - Figure out what the DEBUGEIP hack is for and how it can be moved away.
   *         - Add DR macro/save and VM macro/save.
   *         - Implement KiCallbackReturn, KiGetTickCount, KiRaiseAssertion.
@@ -43,22 +41,22 @@

 idt _KiTrap12,         INT_32_DPL0  /* INT 0C: Stack Fault Exception (#SS)  */
 idt _KiTrap13,         INT_32_DPL0  /* INT 0D: General Protection (#GP)     */
 idt _KiTrap14,         INT_32_DPL0  /* INT 0E: Page-Fault Exception (#PF)   */

-idt _KiTrap15,         INT_32_DPL0  /* INT 0F: RESERVED                     */

+idt _KiTrap15,         INT_32_DPL0  /* INT 0F: RESERVED [FIXME: HBIRR HACK] */

 idt _KiTrap16,         INT_32_DPL0  /* INT 10: x87 FPU Error (#MF)          */
 idt _KiTrap17,         INT_32_DPL0  /* INT 11: Align Check Exception (#AC)  */

-idt _KiTrap18,         INT_32_DPL0  /* INT 12: Machine Check Exception (#MC)*/
-idt _KiTrap19,         INT_32_DPL0  /* INT 13: SIMD FPU Exception (#XF)     */

+idt _KiTrap0F,         INT_32_DPL0  /* INT 12: Machine Check Exception (#MC)*/
+idt _KiTrap0F,         INT_32_DPL0  /* INT 13: SIMD FPU Exception (#XF)     */

 .rept 22

-idt _KiTrapUnknown,    INT_32_DPL0  /* INT 14-29: UNDEFINED INTERRUPTS      */

+idt _KiTrap0F,         INT_32_DPL0  /* INT 14-29: UNDEFINED INTERRUPTS      */

 .endr
 idt _KiGetTickCount,   INT_32_DPL3  /* INT 2A: Get Tick Count Handler       */
 idt _KiCallbackReturn, INT_32_DPL3  /* INT 2B: User-Mode Callback Return    */
 idt _KiRaiseAssertion, INT_32_DPL3  /* INT 2C: Debug Assertion Handler      */
 idt _KiDebugService,   INT_32_DPL3  /* INT 2D: Debug Service Handler        */
 idt _KiSystemService,  INT_32_DPL3  /* INT 2E: System Call Service Handler  */

-idt _KiTrapUnknown,    INT_32_DPL0  /* INT 2F: RESERVED                     */

+idt _KiTrap0F,         INT_32_DPL0  /* INT 2F: RESERVED                     */

 .rept 220

-idt _KiTrapUnknown,    INT_32_DPL0  /* INT 30-FF: UNDEFINED INTERRUPTS      */

+idt _KiTrap0F,         INT_32_DPL0  /* INT 30-FF: UNDEFINED INTERRUPTS      */

 .endr
 
 /* System call entrypoints:                                                 */
@@ -271,33 +269,28 @@

     /* Allocate space on our stack */
     sub esp, ecx
 

-    /* 
-     * Copy the arguments from the user stack to our stack
-     * FIXME: This needs to be probed with MmSystemRangeStart
-     */

+    /* Set the size of the arguments and the destination */

     shr ecx, 2
     mov edi, esp

+
+    /* Make sure we're within the User Probe Address */
+    cmp esi, _MmUserProbeAddress
+    jnb AccessViolation
+
+CopyParams:
+    /* Copy the parameters */

     rep movsd
 
 #ifdef DBG

-
-    /* Make sure this isn't a user-mode call at elevated IRQL */
-    test byte ptr [ebp+KTRAP_FRAME_CS], MODE_MASK
-    jz SkipCheck
-    call _KeGetCurrentIrql@0
-    or al, al
-    jnz InvalidIrql
-

     /*
      * The following lines are for the benefit of GDB. It will see the return
      * address of the "call ebx" below, find the last label before it and
      * thinks that that's the start of the function. It will then check to see

-     * if it starts with a standard function prolog (push ebp, mov ebp,esp).

+     * if it starts with a standard function prolog (push ebp, mov ebp,esp1).

      * When that standard function prolog is not found, it will stop the
      * stack backtrace. Since we do want to backtrace into usermode, let's
      * make GDB happy and create a standard prolog.
      */

-SkipCheck:

 KiSystemService:
     push ebp
     mov ebp,esp
@@ -307,10 +300,11 @@

     /* Do the System Call */
     call ebx
 

+AfterSysCall:

 #ifdef DBG
     /* Make sure the user-mode call didn't return at elevated IRQL */
     test byte ptr [ebp+KTRAP_FRAME_CS], MODE_MASK

-    jz SkipCheck2

+    jz SkipCheck

     mov esi, eax                /* We need to save the syscall's return val */
     call _KeGetCurrentIrql@0
     or al, al
@@ -329,7 +323,7 @@

     jnz InvalidIndex
 #endif
 

-SkipCheck2:

+SkipCheck:

 
     /* Deallocate the kernel stack frame  */
     mov esp, ebp
@@ -363,7 +357,7 @@

 KiBBTUnexpectedRange:
 
     /* If this isn't a Win32K call, fail */

-    cmp ecx, 0x10

+    cmp ecx, SERVICE_TABLE_TEST

     jne InvalidCall
 
     /* Set up Win32K Table */
@@ -371,7 +365,10 @@

     push ebx
     call _PsConvertToGuiThread@0
 

-    /* FIXME: Handle failure */

+    /* Check return code */
+    or eax, eax
+
+    /* Restore registers */

     pop eax
     pop edx
 
@@ -379,15 +376,53 @@

     mov ebp, esp
     mov [esi+KTHREAD_TRAP_FRAME], ebp
 

-    /* Try the Call again */
-    jmp SharedCode

+    /* Try the Call again, if we suceeded */
+    jz SharedCode

 

+    /*
+     * The Shadow Table should have a special byte table which tells us
+     * whether we should return FALSE, -1 or STATUS_INVALID_SYSTEM_SERVICE.
+     */
+
+    /* Get the table limit and base */
+    lea edx, _KeServiceDescriptorTableShadow + SERVICE_TABLE_TEST
+    mov ecx, [edx+SERVICE_DESCRIPTOR_LIMIT]
+    mov edx, [edx+SERVICE_DESCRIPTOR_BASE]
+
+    /* Get the table address and add our index into the array */
+    lea edx, [edx+ecx*4]
+    and eax, SERVICE_NUMBER_MASK
+    add edx, eax
+
+    /* Find out what we should return */
+    movsx eax, byte ptr [edx]
+    or eax, eax
+
+    /* Return either 0 or -1, we've set it in EAX */
+    jle KeReturnFromSystemCall
+
+    /* Set STATUS_INVALID_SYSTEM_SERVICE */
+    mov eax, STATUS_INVALID_SYSTEM_SERVICE
+    jmp KeReturnFromSystemCall
+

 InvalidCall:
 
     /* Invalid System Call */
     mov eax, STATUS_INVALID_SYSTEM_SERVICE
     jmp KeReturnFromSystemCall
 

+AccessViolation:
+
+    /* Check if this came from kernel-mode */
+    test byte ptr [ebp+KTRAP_FRAME_CS], MODE_MASK
+
+    /* It's fine, go ahead with it */
+    jz CopyParams
+
+    /* Caller sent invalid parameters, fail here */
+    mov eax, STATUS_ACCESS_VIOLATION
+    jmp AfterSysCall
+

 BadStack:
 
     /* Restore ESP0 stack */
@@ -974,57 +1009,34 @@

     jne _Kei386EoiHelper@0
     jmp _KiV86Complete
 

-_KiTrap18:

+_KiTrap0F:

     /* Push error code */
     push 0
 
     /* Enter trap */

-    TRAP_PROLOG(18)

+    TRAP_PROLOG(15)
+    sti

 

-    /* Call the C exception handler */
-    push 18
-    push ebp
-    call _KiTrapHandler
-    add esp, 8

+    /* Raise a fatal exception */
+    mov eax, 15
+    jmp _KiSystemFatalException

 

-    /* Check for v86 recovery */
-    cmp eax, 1

+.func KiSystemFatalException
+_KiSystemFatalException:

 

-    /* Return to caller */
-    jne _Kei386EoiHelper@0
-    jmp _KiV86Complete
-
-_KiTrap19:
-    /* Push error code */
-    push 0
-
-    /* Enter trap */
-    TRAP_PROLOG(19)
-
-    /* Call the C exception handler */
-    push 19

+    /* Push the trap frame */

     push ebp

-    call _KiTrapHandler
-    add esp, 8

 

-    /* Check for v86 recovery */
-    cmp eax, 1
-
-    /* Return to caller */
-    jne _Kei386EoiHelper@0
-    jmp _KiV86Complete
-
-_KiTrapUnknown:
-    /* Push error code */

+    /* Push empty parameters */

     push 0

+    push 0
+    push 0

 

-    /* Enter trap */
-    TRAP_PROLOG(255)

+    /* Push trap number and bugcheck code */
+    push eax
+    push UNEXPECTED_KERNEL_MODE_TRAP
+    call _KeBugCheckWithTf@24
+    ret
+.endfunc

 

-    /* Check for v86 recovery */
-    cmp eax, 1

 

-    /* Return to caller */
-    jne _Kei386EoiHelper@0
-    jmp _KiV86Complete
-