[ros-diffs] [weiden] 13306: securely access buffers in NtOpenDirectoryObject(), NtQueryDirectoryObject() and NtCreateDirectoryObject()

securely access buffers in NtOpenDirectoryObject(), NtQueryDirectoryObject() and NtCreateDirectoryObject() Modified: trunk/reactos/ntoskrnl/ob/dirobj.c _____

Modified: trunk/reactos/ntoskrnl/ob/dirobj.c --- trunk/reactos/ntoskrnl/ob/dirobj.c 2005-01-26 05:00:08 UTC (rev 13305) +++ trunk/reactos/ntoskrnl/ob/dirobj.c 2005-01-26 12:47:38 UTC (rev 13306) @@ -47,65 +47,57 @@

IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes) { - PVOID Object; - NTSTATUS Status; - - *DirectoryHandle = 0; + HANDLE hDirectory; + KPROCESSOR_MODE PreviousMode; + NTSTATUS Status = STATUS_SUCCESS;

- Status = ObReferenceObjectByName(ObjectAttributes->ObjectName, - ObjectAttributes->Attributes, - NULL, - DesiredAccess, - ObDirectoryType, - UserMode, - NULL, - &Object); - if (!NT_SUCCESS(Status)) + PreviousMode = ExGetPreviousMode(); + + if(PreviousMode != KernelMode) + { + _SEH_TRY { - return Status; + ProbeForWrite(DirectoryHandle, + sizeof(HANDLE), + sizeof(ULONG)); } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + + if(!NT_SUCCESS(Status)) + { + DPRINT1("NtOpenDirectoryObject failed, Status: 0x%x\n", Status); + return Status; + } + }

- Status = ObCreateHandle(PsGetCurrentProcess(), - Object, - DesiredAccess, - FALSE, - DirectoryHandle); - return STATUS_SUCCESS; + Status = ObOpenObjectByName(ObjectAttributes, + ObDirectoryType, + NULL, + PreviousMode, + DesiredAccess, + NULL, + &hDirectory); + if(NT_SUCCESS(Status)) + { + _SEH_TRY + { + *DirectoryHandle = hDirectory; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + } + + return Status; }

-static NTSTATUS -CopyDirectoryString(PUNICODE_STRING UnsafeTarget, PUNICODE_STRING Source, PUCHAR *Buffer) -{ - UNICODE_STRING Target; - NTSTATUS Status; - WCHAR NullWchar;

- Target.Length = Source->Length; - Target.MaximumLength = (Source->Length + sizeof (WCHAR)); - Target.Buffer = (PWCHAR) *Buffer; - Status = MmCopyToCaller(UnsafeTarget, &Target, sizeof(UNICODE_STRING)); - if (! NT_SUCCESS(Status)) - { - return Status; - } - Status = MmCopyToCaller(*Buffer, Source->Buffer, Source->Length); - if (! NT_SUCCESS(Status)) - { - return Status; - } - *Buffer += Source->Length; - NullWchar = L'\0'; - Status = MmCopyToCaller(*Buffer, &NullWchar, sizeof(WCHAR)); - if (! NT_SUCCESS(Status)) - { - return Status; - } - *Buffer += sizeof(WCHAR); - - return STATUS_SUCCESS; -} - - /********************************************************************** * NAME EXPORTED * NtQueryDirectoryObject @@ -169,202 +161,229 @@ IN ULONG BufferLength, IN BOOLEAN ReturnSingleEntry, IN BOOLEAN RestartScan, - IN OUT PULONG UnsafeContext, - OUT PULONG UnsafeReturnLength OPTIONAL) + IN OUT PULONG Context, + OUT PULONG ReturnLength OPTIONAL) { - PDIRECTORY_OBJECT dir = NULL; - PLIST_ENTRY current_entry = NULL; - PLIST_ENTRY start_entry; - POBJECT_HEADER current = NULL; - NTSTATUS Status = STATUS_SUCCESS; - ULONG DirectoryCount = 0; - ULONG DirectoryIndex = 0; - POBJECT_DIRECTORY_INFORMATION current_odi = (POBJECT_DIRECTORY_INFORMATION) Buffer; - OBJECT_DIRECTORY_INFORMATION ZeroOdi; - PUCHAR FirstFree = (PUCHAR) Buffer; - ULONG Context; - ULONG RequiredSize; - ULONG NewValue; - KIRQL OldLevel; + PDIRECTORY_OBJECT Directory; + KPROCESSOR_MODE PreviousMode; + ULONG SkipEntries = 0; + ULONG NextEntry = 0; + NTSTATUS Status = STATUS_SUCCESS; + + PreviousMode = ExGetPreviousMode();

- DPRINT("NtQueryDirectoryObject(DirectoryHandle %x)\n", DirectoryHandle); - - /* Check Context is not NULL */ - if (NULL == UnsafeContext) + if(PreviousMode != KernelMode) + { + _SEH_TRY + { + /* a test showed that the Buffer pointer just has to be 16 bit aligned, + propably due to the fact that most information that needs to be copied + is unicode strings */ + ProbeForWrite(Buffer, + BufferLength, + sizeof(WCHAR)); + ProbeForWrite(Context, + sizeof(ULONG), + sizeof(ULONG)); + if(!RestartScan) { - return STATUS_INVALID_PARAMETER; + SkipEntries = *Context; } - - /* Reference the DIRECTORY_OBJECT */ - Status = ObReferenceObjectByHandle(DirectoryHandle, - DIRECTORY_QUERY, - ObDirectoryType, - UserMode, - (PVOID*)&dir, - NULL); - if (!NT_SUCCESS(Status)) + if(ReturnLength != NULL) { - return Status; + ProbeForWrite(ReturnLength, + sizeof(ULONG), + sizeof(ULONG)); } + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END;

- KeAcquireSpinLock(&dir->Lock, &OldLevel); + if(!NT_SUCCESS(Status)) + { + DPRINT1("NtQueryDirectoryObject failed, Status: 0x%x\n", Status); + return Status; + } + } + else if(!RestartScan) + { + SkipEntries = *Context; + } + + Status = ObReferenceObjectByHandle(DirectoryHandle, + DIRECTORY_QUERY, + ObDirectoryType, + PreviousMode, + (PVOID*)&Directory, + NULL); + if(NT_SUCCESS(Status)) + { + PVOID TemporaryBuffer = ExAllocatePool(PagedPool, + BufferLength); + if(TemporaryBuffer != NULL) + { + POBJECT_HEADER EntryHeader; + PLIST_ENTRY ListEntry; + KIRQL OldLevel; + ULONG RequiredSize = 0; + ULONG nDirectories = 0; + POBJECT_DIRECTORY_INFORMATION DirInfo = (POBJECT_DIRECTORY_INFORMATION)TemporaryBuffer;

- /* - * Optionally, skip over some entries at the start of the directory - * (use *ObjectIndex value) - */ - start_entry = dir->head.Flink; - if (! RestartScan) + KeAcquireSpinLock(&Directory->Lock, &OldLevel); + + for(ListEntry = Directory->head.Flink; + ListEntry != &Directory->head; + ListEntry = ListEntry->Flink) { - register ULONG EntriesToSkip; + NextEntry++; + if(SkipEntries == 0) + { + PUNICODE_STRING Name, Type; + ULONG EntrySize;

- Status = MmCopyFromCaller(&Context, UnsafeContext, sizeof(ULONG)); - if (! NT_SUCCESS(Status)) - { - KeReleaseSpinLock(&dir->Lock, OldLevel); - ObDereferenceObject(dir); - return Status; - } - EntriesToSkip = Context; + EntryHeader = CONTAINING_RECORD(ListEntry, OBJECT_HEADER, Entry);

- CHECKPOINT; - - for (; 0 != EntriesToSkip-- && start_entry != &dir->head; - start_entry = start_entry->Flink) - { - ; - } - if ((0 != EntriesToSkip) && (start_entry == &dir->head)) - { - KeReleaseSpinLock(&dir->Lock, OldLevel); - ObDereferenceObject(dir); - return STATUS_NO_MORE_ENTRIES; - } - } + /* calculate the size of the required buffer space for this entry */ + Name = (EntryHeader->Name.Length != 0 ? &EntryHeader->Name : NULL); + Type = &EntryHeader->ObjectType->TypeName; + EntrySize = sizeof(OBJECT_DIRECTORY_INFORMATION) + + ((Name != NULL) ? ((ULONG)Name->Length + sizeof(WCHAR)) : 0) + + (ULONG)EntryHeader->ObjectType->TypeName.Length + sizeof(WCHAR);

- /* - * Compute number of entries that we will copy into the buffer and - * the total size of all entries (even if larger than the buffer size) - */ - DirectoryCount = 0; - /* For the end sentenil */ - RequiredSize = sizeof(OBJECT_DIRECTORY_INFORMATION); - for (current_entry = start_entry; - current_entry != &dir->head; - current_entry = current_entry->Flink) - { - current = CONTAINING_RECORD(current_entry, OBJECT_HEADER, Entry); + if(RequiredSize + EntrySize <= BufferLength) + { + /* the buffer is large enough to receive this entry. It would've + been much easier if the strings were directly appended to the + OBJECT_DIRECTORY_INFORMATION structured written into the buffer */ + if(Name != NULL) + DirInfo->ObjectName = *Name; + else + { + DirInfo->ObjectName.Length = DirInfo->ObjectName.MaximumLength = 0; + DirInfo->ObjectName.Buffer = NULL; + } + DirInfo->ObjectTypeName = *Type;

- RequiredSize += sizeof(OBJECT_DIRECTORY_INFORMATION) + - current->Name.Length + sizeof(WCHAR) + - current->ObjectType->TypeName.Length + sizeof(WCHAR); - if (RequiredSize <= BufferLength && - (! ReturnSingleEntry || DirectoryCount < 1)) - { - DirectoryCount++; - } - } + nDirectories++; + RequiredSize += EntrySize;

- /* - * If there's no room to even copy a single entry then return error - * status. - */ - if (0 == DirectoryCount && - !(IsListEmpty(&dir->head) && BufferLength >= RequiredSize)) - { - KeReleaseSpinLock(&dir->Lock, OldLevel); - ObDereferenceObject(dir); - if (NULL != UnsafeReturnLength) - { - Status = MmCopyToCaller(UnsafeReturnLength, &RequiredSize, sizeof(ULONG)); - } - return NT_SUCCESS(Status) ? STATUS_BUFFER_TOO_SMALL : Status; + if(ReturnSingleEntry) + { + /* we're only supposed to query one entry, so bail and copy the + strings to the buffer */ + break; + } + DirInfo++; + } + else + { + if(ReturnSingleEntry) + { + /* the buffer is too small, so return the number of bytes that + would've been required for this query */ + RequiredSize += EntrySize; + Status = STATUS_BUFFER_TOO_SMALL; + } + else + { + /* just copy the entries that fit into the buffer */ + Status = STATUS_NO_MORE_ENTRIES; + } + break; + } + } + else + { + /* skip the entry */ + SkipEntries--; + } }

- /* - * Move FirstFree to point to the Unicode strings area - */ - FirstFree += (DirectoryCount + 1) * sizeof(OBJECT_DIRECTORY_INFORMATION); - - /* Scan the directory */ - current_entry = start_entry; - for (DirectoryIndex = 0; DirectoryIndex < DirectoryCount; DirectoryIndex++) + if(NT_SUCCESS(Status)) { - current = CONTAINING_RECORD(current_entry, OBJECT_HEADER, Entry); + if(SkipEntries > 0 || nDirectories == 0) + { + /* we skipped more entries than the directory contains, nothing more to do */ + Status = STATUS_NO_MORE_ENTRIES; + } + else + { + _SEH_TRY + { + POBJECT_DIRECTORY_INFORMATION DestDirInfo = (POBJECT_DIRECTORY_INFORMATION)Buffer; + PWSTR strbuf = (PWSTR)((POBJECT_DIRECTORY_INFORMATION)Buffer + nDirectories);

- /* - * Copy the current directory entry's data into the buffer - * and update the OBJDIR_INFORMATION entry in the array. - */ - /* --- Object's name --- */ - Status = CopyDirectoryString(&current_odi->ObjectName, &current->Name, &FirstFree); - if (! NT_SUCCESS(Status)) - { - KeReleaseSpinLock(&dir->Lock, OldLevel); - ObDereferenceObject(dir); - return Status; - } - /* --- Object type's name --- */ - Status = CopyDirectoryString(&current_odi->ObjectTypeName, &current->ObjectType->TypeName, &FirstFree); - if (! NT_SUCCESS(Status)) - { - KeReleaseSpinLock(&dir->Lock, OldLevel); - ObDereferenceObject(dir); - return Status; - } + /* copy all OBJECT_DIRECTORY_INFORMATION structures to the buffer and + just append all strings (whose pointers are stored in the buffer!) + and replace the pointers */ + for(DirInfo = (POBJECT_DIRECTORY_INFORMATION)TemporaryBuffer; + nDirectories > 0; + nDirectories--, DirInfo++, DestDirInfo++) + { + if(DirInfo->ObjectName.Length > 0) + { + DestDirInfo->ObjectName.Length = DirInfo->ObjectName.Length; + DestDirInfo->ObjectName.MaximumLength = DirInfo->ObjectName.MaximumLength; + DestDirInfo->ObjectName.Buffer = strbuf; + RtlCopyMemory(strbuf, + DirInfo->ObjectName.Buffer, + DirInfo->ObjectName.Length); + /* NULL-terminate the string */ + strbuf[DirInfo->ObjectName.Length / sizeof(WCHAR)] = L'\0'; + strbuf += (DirInfo->ObjectName.Length / sizeof(WCHAR)) + 1; + } + + DestDirInfo->ObjectTypeName.Length = DirInfo->ObjectTypeName.Length; + DestDirInfo->ObjectTypeName.MaximumLength = DirInfo->ObjectTypeName.MaximumLength; + DestDirInfo->ObjectTypeName.Buffer = strbuf; + RtlCopyMemory(strbuf, + DirInfo->ObjectTypeName.Buffer, + DirInfo->ObjectTypeName.Length); + /* NULL-terminate the string */ + strbuf[DirInfo->ObjectTypeName.Length / sizeof(WCHAR)] = L'\0'; + strbuf += (DirInfo->ObjectTypeName.Length / sizeof(WCHAR)) + 1; + } + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + } + }

- /* Next entry in the array */ - current_odi++; - /* Next object in the directory */ - current_entry = current_entry->Flink; - } + KeReleaseSpinLock(&Directory->Lock, OldLevel); + ObDereferenceObject(Directory); + + ExFreePool(TemporaryBuffer);

- /* - * Don't need dir object anymore - */ - KeReleaseSpinLock(&dir->Lock, OldLevel); - ObDereferenceObject(dir); - - /* Terminate with all zero entry */ - memset(&ZeroOdi, '\0', sizeof(OBJECT_DIRECTORY_INFORMATION)); - Status = MmCopyToCaller(current_odi, &ZeroOdi, sizeof(OBJECT_DIRECTORY_INFORMATION)); - if (! NT_SUCCESS(Status)) + if(NT_SUCCESS(Status) || ReturnSingleEntry) { - return Status; + _SEH_TRY + { + *Context = NextEntry; + if(ReturnLength != NULL) + { + *ReturnLength = RequiredSize; + } + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; } - - /* - * Store current index in Context - */ - if (RestartScan) - { - Context = DirectoryCount; - } + } else - { - Context += DirectoryCount; - } - Status = MmCopyToCaller(UnsafeContext, &Context, sizeof(ULONG)); - if (! NT_SUCCESS(Status)) - { - return Status; - } - - /* - * Report to the caller how much bytes - * we wrote in the user buffer. - */ - if (NULL != UnsafeReturnLength) - { - NewValue = FirstFree - (PUCHAR) Buffer; - Status = MmCopyToCaller(UnsafeReturnLength, &NewValue, sizeof(ULONG)); - if (! NT_SUCCESS(Status)) - { - return Status; - } - } - - return Status; + { + Status = STATUS_INSUFFICIENT_RESOURCES; + } + } + + return Status; }

@@ -396,43 +415,69 @@ IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes) { - PDIRECTORY_OBJECT DirectoryObject; - NTSTATUS Status; - + PDIRECTORY_OBJECT Directory; + HANDLE hDirectory; + KPROCESSOR_MODE PreviousMode; + NTSTATUS Status = STATUS_SUCCESS; + DPRINT("NtCreateDirectoryObject(DirectoryHandle %x, " - "DesiredAccess %x, ObjectAttributes %x, " - "ObjectAttributes->ObjectName %wZ)\n", - DirectoryHandle, DesiredAccess, ObjectAttributes, - ObjectAttributes->ObjectName); + "DesiredAccess %x, ObjectAttributes %x\n", + DirectoryHandle, DesiredAccess, ObjectAttributes);

- Status = NtOpenDirectoryObject (DirectoryHandle, - DesiredAccess, - ObjectAttributes); + PreviousMode = ExGetPreviousMode();

- if (Status == STATUS_OBJECT_NAME_NOT_FOUND) + if(PreviousMode != KernelMode) { - Status = ObCreateObject (ExGetPreviousMode(), - ObDirectoryType, - ObjectAttributes, - ExGetPreviousMode(), - NULL, - sizeof(DIRECTORY_OBJECT), - 0, - 0, - (PVOID*)&DirectoryObject); - if (!NT_SUCCESS(Status)) - { - return Status; - } + _SEH_TRY + { + ProbeForWrite(DirectoryHandle, + sizeof(HANDLE), + sizeof(ULONG)); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END;

- Status = ObInsertObject ((PVOID)DirectoryObject, - NULL, - DesiredAccess, - 0, - NULL, - DirectoryHandle); + if(!NT_SUCCESS(Status)) + { + DPRINT1("NtCreateDirectoryObject failed, Status: 0x%x\n", Status); + return Status; + } + }

- ObDereferenceObject(DirectoryObject); + Status = ObCreateObject(PreviousMode, + ObDirectoryType, + ObjectAttributes, + PreviousMode, + NULL, + sizeof(DIRECTORY_OBJECT), + 0, + 0, + (PVOID*)&Directory); + if(NT_SUCCESS(Status)) + { + Status = ObInsertObject((PVOID)Directory, + NULL, + DesiredAccess, + 0, + NULL, + &hDirectory); + ObDereferenceObject(Directory); + + if(NT_SUCCESS(Status)) + { + _SEH_TRY + { + *DirectoryHandle = hDirectory; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + } }

return Status;