[ros-diffs] [weiden] 13236: 1. fixed the timer functions to securely access buffers

23 Jan 2005

1. fixed the timer functions to securely access buffers
2. minor fixes due to copy+paste
Modified: trunk/reactos/ntoskrnl/ex/sem.c
Modified: trunk/reactos/ntoskrnl/ex/timer.c
  _____
Modified: trunk/reactos/ntoskrnl/ex/sem.c

--- trunk/reactos/ntoskrnl/ex/sem.c	2005-01-23 23:02:19 UTC (rev
13235)
+++ trunk/reactos/ntoskrnl/ex/sem.c	2005-01-23 23:51:40 UTC (rev
13236)
@@ -240,12 +240,12 @@
&Status);
    if(!NT_SUCCESS(Status))
    {
-     DPRINT1("NtQueryEvent() failed, Status: 0x%x\n", Status);
+     DPRINT1("NtQuerySemaphore() failed, Status: 0x%x\n", Status);
      return Status;
    }
Status = ObReferenceObjectByHandle(SemaphoreHandle,
-				      EVENT_QUERY_STATE,
+				      SEMAPHORE_QUERY_STATE,
    			      ExSemaphoreObjectType,
    			      PreviousMode,
    			      (PVOID*)&Semaphore,
  _____
Modified: trunk/reactos/ntoskrnl/ex/timer.c
--- trunk/reactos/ntoskrnl/ex/timer.c	2005-01-23 23:02:19 UTC (rev
13235)
+++ trunk/reactos/ntoskrnl/ex/timer.c	2005-01-23 23:51:40 UTC (rev
13236)
@@ -36,6 +36,10 @@
STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
    TIMER_ALL_ACCESS};
+static const INFORMATION_CLASS_INFO ExTimerInfoClass[] =
+{
+  ICI_SQ_SAME( sizeof(TIMER_BASIC_INFORMATION), sizeof(ULONG),
ICIF_QUERY ), /* TimerBasicInformation */
+};
/* FUNCTIONS
*****************************************************************/
@@ -146,36 +150,67 @@
          OUT PBOOLEAN CurrentState OPTIONAL)
 {
    PNTTIMER Timer;
-   NTSTATUS Status;
-   BOOLEAN State;
-   KIRQL OldIrql;
+   KPROCESSOR_MODE PreviousMode;
+   NTSTATUS Status = STATUS_SUCCESS;
+   
+   PreviousMode = ExGetPreviousMode();
+   
+   DPRINT("NtCancelTimer(0x%x, 0x%x)\n", TimerHandle, CurrentState);
+   
+   if(CurrentState != NULL && PreviousMode != KernelMode)
+   {
+     _SEH_TRY
+     {
+       ProbeForWrite(CurrentState,
+                     sizeof(BOOLEAN),
+                     sizeof(BOOLEAN));
+     }
+     _SEH_HANDLE
+     {
+       Status = _SEH_GetExceptionCode();
+     }
+     _SEH_END;
+     
+     if(!NT_SUCCESS(Status))
+     {
+       return Status;
+     }
+   }
-   DPRINT("NtCancelTimer()\n");
    Status = ObReferenceObjectByHandle(TimerHandle,
    			      TIMER_ALL_ACCESS,
    			      ExTimerType,
-				      UserMode,
+				      PreviousMode,
    			      (PVOID*)&Timer,
    			      NULL);
-   if (!NT_SUCCESS(Status))
-     return Status;
+   if(NT_SUCCESS(Status))
+   {
+     BOOLEAN State;
+     KIRQL OldIrql = KeRaiseIrqlToDpcLevel();
-   OldIrql = KeRaiseIrqlToDpcLevel();
+     State = KeCancelTimer(&Timer->Timer);
+     KeRemoveQueueDpc(&Timer->Dpc);
+     KeRemoveQueueApc(&Timer->Apc);
+     Timer->Running = FALSE;
-   State = KeCancelTimer(&Timer->Timer);
-   KeRemoveQueueDpc(&Timer->Dpc);
-   KeRemoveQueueApc(&Timer->Apc);
-   Timer->Running = FALSE;
+     KeLowerIrql(OldIrql);
+     ObDereferenceObject(Timer);
-   KeLowerIrql(OldIrql);
-   ObDereferenceObject(Timer);
-
-   if (CurrentState != NULL)
+     if(CurrentState != NULL)
      {
-	*CurrentState = State;
+       _SEH_TRY
+       {
+         *CurrentState = State;
+       }
+       _SEH_HANDLE
+       {
+         Status = _SEH_GetExceptionCode();
+       }
+       _SEH_END;
      }
+   }
-   return STATUS_SUCCESS;
+   return Status;
 }
@@ -186,39 +221,76 @@
          IN TIMER_TYPE TimerType)
 {
    PNTTIMER Timer;
-   NTSTATUS Status;
+   HANDLE hTimer;
+   KPROCESSOR_MODE PreviousMode;
+   NTSTATUS Status = STATUS_SUCCESS;
+   
+   DPRINT("NtCreateTimer()\n");
+   
+   PreviousMode = ExGetPreviousMode();
+   
+   if(PreviousMode != KernelMode)
+   {
+     _SEH_TRY
+     {
+       ProbeForWrite(TimerHandle,
+                     sizeof(HANDLE),
+                     sizeof(ULONG));
+     }
+     _SEH_HANDLE
+     {
+       Status = _SEH_GetExceptionCode();
+     }
+     _SEH_END;
-   DPRINT("NtCreateTimer()\n");
-   Status = ObCreateObject(ExGetPreviousMode(),
+     if(!NT_SUCCESS(Status))
+     {
+       return Status;
+     }
+   }
+
+   Status = ObCreateObject(PreviousMode,
    		   ExTimerType,
    		   ObjectAttributes,
-			   ExGetPreviousMode(),
+			   PreviousMode,
    		   NULL,
    		   sizeof(NTTIMER),
    		   0,
    		   0,
    		   (PVOID*)&Timer);
-   if (!NT_SUCCESS(Status))
-     return Status;
+   if(NT_SUCCESS(Status))
+   {
+     KeInitializeTimerEx(&Timer->Timer,
+		         TimerType);
-   KeInitializeTimerEx(&Timer->Timer,
-		       TimerType);
+     KeInitializeDpc(&Timer->Dpc,
+		     &ExpTimerDpcRoutine,
+		     Timer);
-   KeInitializeDpc(&Timer->Dpc,
-		   &ExpTimerDpcRoutine,
-		   Timer);
+     Timer->Running = FALSE;
-   Timer->Running = FALSE;
+     Status = ObInsertObject ((PVOID)Timer,
+			      NULL,
+			      DesiredAccess,
+			      0,
+			      NULL,
+			      &hTimer);
+     ObDereferenceObject(Timer);
+     
+     if(NT_SUCCESS(Status))
+     {
+       _SEH_TRY
+       {
+         *TimerHandle = hTimer;
+       }
+       _SEH_HANDLE
+       {
+         Status = _SEH_GetExceptionCode();
+       }
+       _SEH_END;
+     }
+   }
-   Status = ObInsertObject ((PVOID)Timer,
-			    NULL,
-			    DesiredAccess,
-			    0,
-			    NULL,
-			    TimerHandle);
-
-   ObDereferenceObject(Timer);
-
    return Status;
 }
@@ -228,15 +300,54 @@
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes)
 {
-   NTSTATUS Status;
+   HANDLE hTimer;
+   KPROCESSOR_MODE PreviousMode;
+   NTSTATUS Status = STATUS_SUCCESS;
+   DPRINT("NtOpenTimer()\n");
+
+   PreviousMode = ExGetPreviousMode();
+
+   if(PreviousMode != KernelMode)
+   {
+     _SEH_TRY
+     {
+       ProbeForWrite(TimerHandle,
+                     sizeof(HANDLE),
+                     sizeof(ULONG));
+     }
+     _SEH_HANDLE
+     {
+       Status = _SEH_GetExceptionCode();
+     }
+     _SEH_END;
+
+     if(!NT_SUCCESS(Status))
+     {
+       return Status;
+     }
+   }
+
    Status = ObOpenObjectByName(ObjectAttributes,
    		       ExTimerType,
    		       NULL,
-			       UserMode,
+			       PreviousMode,
    		       DesiredAccess,
    		       NULL,
-			       TimerHandle);
+			       &hTimer);
+   if(NT_SUCCESS(Status))
+   {
+     _SEH_TRY
+     {
+       *TimerHandle = hTimer;
+     }
+     _SEH_HANDLE
+     {
+       Status = _SEH_GetExceptionCode();
+     }
+     _SEH_END;
+   }
+   
    return Status;
 }
@@ -248,58 +359,67 @@
         IN ULONG TimerInformationLength,
         OUT PULONG ReturnLength  OPTIONAL)
 {
-  PNTTIMER Timer;
-  TIMER_BASIC_INFORMATION SafeTimerInformation;
-  ULONG ResultLength;
-  NTSTATUS Status;
+   PNTTIMER Timer;
+   KPROCESSOR_MODE PreviousMode;
+   NTSTATUS Status = STATUS_SUCCESS;
-  Status = ObReferenceObjectByHandle(TimerHandle,
-				     TIMER_QUERY_STATE,
-				     ExTimerType,
-
(KPROCESSOR_MODE)KeGetPreviousMode(),
-				     (PVOID*)&Timer,
-				     NULL);
-  if (!NT_SUCCESS(Status))
-    {
-      return(Status);
-    }
+   PreviousMode = ExGetPreviousMode();
-  if (TimerInformationClass != TimerBasicInformation)
-    {
-      ObDereferenceObject(Timer);
-      return(STATUS_INVALID_INFO_CLASS);
-    }
-  if (TimerInformationLength < sizeof(TIMER_BASIC_INFORMATION))
-    {
-      ObDereferenceObject(Timer);
-      return(STATUS_INFO_LENGTH_MISMATCH);
-    }
+   DefaultQueryInfoBufferCheck(TimerInformationClass,
+                               ExTimerInfoClass,
+                               TimerInformation,
+                               TimerInformationLength,
+                               ReturnLength,
+                               PreviousMode,
+                               &Status);
+   if(!NT_SUCCESS(Status))
+   {
+     DPRINT1("NtQueryTimer() failed, Status: 0x%x\n", Status);
+     return Status;
+   }
-  memcpy(&SafeTimerInformation.TimeRemaining, &Timer->Timer.DueTime,
-	 sizeof(LARGE_INTEGER));
-  SafeTimerInformation.SignalState =
(BOOLEAN)Timer->Timer.Header.SignalState;
-  ResultLength = sizeof(TIMER_BASIC_INFORMATION);
+   Status = ObReferenceObjectByHandle(TimerHandle,
+				      TIMER_QUERY_STATE,
+				      ExTimerType,
+				      PreviousMode,
+				      (PVOID*)&Timer,
+				      NULL);
+   if(NT_SUCCESS(Status))
+   {
+     switch(TimerInformationClass)
+     {
+       case TimerBasicInformation:
+       {
+         PTIMER_BASIC_INFORMATION BasicInfo =
(PTIMER_BASIC_INFORMATION)TimerInformation;
-  Status = MmCopyToCaller(TimerInformation, &SafeTimerInformation,
-			  sizeof(TIMER_BASIC_INFORMATION));
-  if (!NT_SUCCESS(Status))
-    {
-      ObDereferenceObject(Timer);
-      return(Status);
-    }
+         _SEH_TRY
+         {
+           /* FIXME - interrupt correction */
+           BasicInfo->TimeRemaining.QuadPart =
Timer->Timer.DueTime.QuadPart;
+           BasicInfo->SignalState =
(BOOLEAN)Timer->Timer.Header.SignalState;
-  if (ReturnLength != NULL)
-    {
-      Status = MmCopyToCaller(ReturnLength, &ResultLength,
-			      sizeof(ULONG));
-      if (!NT_SUCCESS(Status))
-	{
-	  ObDereferenceObject(Timer);
-	  return(Status);
-	}
-    }
-  ObDereferenceObject(Timer);
-  return(STATUS_SUCCESS);
+           if(ReturnLength != NULL)
+           {
+             *ReturnLength = sizeof(TIMER_BASIC_INFORMATION);
+           }
+         }
+         _SEH_HANDLE
+         {
+           Status = _SEH_GetExceptionCode();
+         }
+         _SEH_END;
+         break;
+       }
+
+       default:
+         Status = STATUS_NOT_IMPLEMENTED;
+         break;
+     }
+
+     ObDereferenceObject(Timer);
+   }
+
+   return Status;
 }
@@ -313,16 +433,48 @@
       OUT PBOOLEAN PreviousState  OPTIONAL)
 {
    PNTTIMER Timer;
-   NTSTATUS Status;
    BOOLEAN Result;
    BOOLEAN State;
+   LARGE_INTEGER TimerDueTime;
+   KPROCESSOR_MODE PreviousMode;
+   NTSTATUS Status = STATUS_SUCCESS;
DPRINT("NtSetTimer()\n");
+   PreviousMode = ExGetPreviousMode();
+
+   if(PreviousMode != KernelMode)
+   {
+     _SEH_TRY
+     {
+       ProbeForRead(DueTime,
+                    sizeof(LARGE_INTEGER),
+                    sizeof(ULONG));
+       TimerDueTime = *DueTime;
+
+       if(PreviousState != NULL)
+       {
+         ProbeForWrite(PreviousState,
+                       sizeof(BOOLEAN),
+                       sizeof(BOOLEAN));
+       }
+     }
+     _SEH_HANDLE
+     {
+       Status = _SEH_GetExceptionCode();
+     }
+     _SEH_END;
+
+     if(!NT_SUCCESS(Status))
+     {
+       return Status;
+     }
+   }
+
    Status = ObReferenceObjectByHandle(TimerHandle,
    			      TIMER_ALL_ACCESS,
    			      ExTimerType,
-
(KPROCESSOR_MODE)KeGetPreviousMode(),
+				      PreviousMode,
    			      (PVOID*)&Timer,
    			      NULL);
    if (!NT_SUCCESS(Status))
@@ -351,15 +503,15 @@
    	       &ExpTimerApcKernelRoutine,
    	       (PKRUNDOWN_ROUTINE)NULL,
    	       (PKNORMAL_ROUTINE)TimerApcRoutine,
-		       (KPROCESSOR_MODE)KeGetPreviousMode(),
+		       PreviousMode,
    	       TimerContext);
      }
Result = KeSetTimerEx(&Timer->Timer,
-			 *DueTime,
+			 TimerDueTime,
    		 Period,
    		 TimerApcRoutine ? &Timer->Dpc : 0 );
-   if (Result == TRUE)
+   if (Result)
      {
    ObDereferenceObject(Timer);
    DPRINT1( "KeSetTimer says the timer was already running, this
shouldn't be\n" );
@@ -371,11 +523,19 @@
    ObDereferenceObject(Timer);
if (PreviousState != NULL)
+   {
+     _SEH_TRY
      {
-	*PreviousState = State;
+       *PreviousState = State;
      }
+     _SEH_HANDLE
+     {
+       Status = _SEH_GetExceptionCode();
+     }
+     _SEH_END;
+   }
-   return STATUS_SUCCESS;
+   return Status;
 }
/* EOF */

    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

[ros-diffs] [weiden] 13236: 1. fixed the timer functions to securely access buffers