probe pointers in NtCreateToken. Still needs some work as access to the buffers needs to be secured Modified: trunk/reactos/ntoskrnl/se/token.c _____
Modified: trunk/reactos/ntoskrnl/se/token.c
--- trunk/reactos/ntoskrnl/se/token.c 2005-02-14 00:28:12 UTC (rev 13552)
+++ trunk/reactos/ntoskrnl/se/token.c 2005-02-14 00:32:09 UTC (rev 13553)
@@ -1588,7 +1588,7 @@
NTSTATUS STDCALL -NtCreateToken(OUT PHANDLE UnsafeTokenHandle, +NtCreateToken(OUT PHANDLE TokenHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN TOKEN_TYPE TokenType, @@ -1602,14 +1602,64 @@ IN PTOKEN_DEFAULT_DACL TokenDefaultDacl, IN PTOKEN_SOURCE TokenSource) { - HANDLE TokenHandle; + HANDLE hToken; PTOKEN AccessToken; - NTSTATUS Status; LUID TokenId; LUID ModifiedId; PVOID EndMem; ULONG uLength; ULONG i; + KPROCESSOR_MODE PreviousMode; + NTSTATUS Status = STATUS_SUCCESS; + + PreviousMode = ExGetPreviousMode(); + + if(PreviousMode != KernelMode) + { + _SEH_TRY + { + ProbeForWrite(TokenHandle, + sizeof(HANDLE), + sizeof(ULONG)); + ProbeForRead(AuthenticationId, + sizeof(LUID), + sizeof(ULONG)); + ProbeForRead(ExpirationTime, + sizeof(LARGE_INTEGER), + sizeof(ULONG)); + ProbeForRead(TokenUser, + sizeof(TOKEN_USER), + sizeof(ULONG)); + ProbeForRead(TokenGroups, + sizeof(TOKEN_GROUPS), + sizeof(ULONG)); + ProbeForRead(TokenPrivileges, + sizeof(TOKEN_PRIVILEGES), + sizeof(ULONG)); + ProbeForRead(TokenOwner, + sizeof(TOKEN_OWNER), + sizeof(ULONG)); + ProbeForRead(TokenPrimaryGroup, + sizeof(TOKEN_PRIMARY_GROUP), + sizeof(ULONG)); + ProbeForRead(TokenDefaultDacl, + sizeof(TOKEN_DEFAULT_DACL), + sizeof(ULONG)); + ProbeForRead(TokenSource, + sizeof(TOKEN_SOURCE), + sizeof(ULONG)); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + + if(!NT_SUCCESS(Status)) + { + return Status; + } + }
Status = ZwAllocateLocallyUniqueId(&TokenId); if (!NT_SUCCESS(Status)) @@ -1619,10 +1669,10 @@ if (!NT_SUCCESS(Status)) return(Status);
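Review bot: The new probes cover only the fixed-size head of each structure, so the user-controlled pointers embedded in them (`TokenUser->User.Sid`, `TokenOwner->Owner`, `TokenPrimaryGroup->PrimaryGroup`, `TokenDefaultDacl->DefaultDacl`, each group's Sid) and the variable-length `Groups[]`/`Privileges[]` arrays are still dereferenced unprobed later in the function — the `TokenDefaultDacl->DefaultDacl->AclSize` read visible as context in the last hunk is one such access, and it sits outside any SEH block. A user-mode caller can point `DefaultDacl` at kernel memory and have its contents copied into the token, or at an unmapped page and fault the kernel. The fix is to capture each count/length field into a local exactly once inside the try block, bound it against overflow, probe the array or SID/ACL it describes, and use only the captured copy afterwards, with the later copies also moved under SEH. The commit message acknowledges this gap; the pattern below for TokenGroups (with a new `ULONG GroupCount` local) would be repeated for TokenPrivileges and for each SID and the ACL by their own length fields. NtCreateToken begins in the previous hunk and continues past this one.
```c
/* … unchanged: fixed-size probes of TokenHandle, AuthenticationId, ExpirationTime, TokenUser … */
ProbeForRead(TokenGroups, sizeof(TOKEN_GROUPS), sizeof(ULONG));
/* Capture the count once; every later size computation must use this copy,
   never re-read TokenGroups->GroupCount from user memory. */
GroupCount = TokenGroups->GroupCount;
if (GroupCount > MAXULONG / sizeof(SID_AND_ATTRIBUTES))
{
    ExRaiseStatus(STATUS_INVALID_PARAMETER);
}
ProbeForRead(TokenGroups->Groups,
             GroupCount * sizeof(SID_AND_ATTRIBUTES),
             sizeof(ULONG));
/* … same pattern for TokenPrivileges->Privileges, then the embedded Sid / DefaultDacl pointers … */
```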
- Status = ObCreateObject(ExGetPreviousMode(), + Status = ObCreateObject(PreviousMode, SepTokenObjectType, ObjectAttributes, - ExGetPreviousMode(), + PreviousMode, NULL, sizeof(TOKEN), 0, @@ -1634,19 +1684,6 @@ return(Status); }
- Status = ObInsertObject ((PVOID)AccessToken, - NULL, - DesiredAccess, - 0, - NULL, - &TokenHandle); - if (!NT_SUCCESS(Status)) - { - DPRINT1("ObInsertObject() failed (Status %lx)\n"); - ObDereferenceObject (AccessToken); - return Status; - } - RtlCopyLuid(&AccessToken->TokenSource.SourceIdentifier, &TokenSource->SourceIdentifier); memcpy(AccessToken->TokenSource.SourceName, @@ -1740,22 +1777,33 @@ TokenDefaultDacl->DefaultDacl->AclSize); }
+ Status = ObInsertObject ((PVOID)AccessToken, + NULL, + DesiredAccess, + 0, + NULL, + &hToken); + if (!NT_SUCCESS(Status)) + { + DPRINT1("ObInsertObject() failed (Status %lx)\n", Status); + } + ObDereferenceObject(AccessToken);
if (NT_SUCCESS(Status)) { - Status = MmCopyToCaller(UnsafeTokenHandle, - &TokenHandle, - sizeof(HANDLE)); + _SEH_TRY + { + *TokenHandle = hToken; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; }
- if (!NT_SUCCESS(Status)) - { - ZwClose(TokenHandle); - return(Status); - } - - return(STATUS_SUCCESS); + return Status; }
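Review bot: When the `*TokenHandle = hToken` write faults in the new SEH block, Status is set to the exception code but the handle ObInsertObject just created is never closed — the removed lines used to `ZwClose(TokenHandle)` on that path, so this hunk introduces a handle leak in the caller's handle table; add `ZwClose(hToken);` to the `_SEH_HANDLE` body. Whether the unconditional `ObDereferenceObject(AccessToken)` is correct after a failed ObInsertObject depends on whether ObInsertObject consumes the caller's reference on failure in this tree; that is worth confirming to rule out a double dereference. NtCreateToken's body begins above this hunk.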