[tfaber] 64950: [NTOS:IO] - Don't delete the device node for root enumerated device objects on failure. It's pointless, since IopEnumerateDevice will just recreate it, and more importantly it cause... - Ros-diffs

24 Oct 2014

Author: tfaber
Date: Fri Oct 24 09:39:15 2014
New Revision: 64950

URL: http://svn.reactos.org/svn/reactos?rev=64950&view=rev
Log:
[NTOS:IO]
- Don't delete the device node for root enumerated device objects on failure. It's
pointless, since IopEnumerateDevice will just recreate it, and more importantly it causes
a use-after-free because IopFreeDeviceNode does not unset the DeviceNode member of the
device object extension, so IopEnumerateDevice will try to access the freed node
- Set the device object's DeviceNode pointer to NULL in IopFreeDeviceNode
- Use consistent pool tagging for device nodes
CORE-8671 #resolve

Modified:
    trunk/reactos/ntoskrnl/include/internal/tag.h
    trunk/reactos/ntoskrnl/io/iomgr/driver.c
    trunk/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c

Modified: trunk/reactos/ntoskrnl/include/internal/tag.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/include/internal/…
==============================================================================

--- trunk/reactos/ntoskrnl/include/internal/tag.h	[iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/include/internal/tag.h	[iso-8859-1] Fri Oct 24 09:39:15 2014
@@ -80,6 +80,9 @@
 
 /* formerly located in io/mdl.c */
 #define TAG_MDL    ' LDM'
+
+/* formerly located in io/pnpmgr.c */
+#define TAG_IO_DEVNODE 'donD'
 
 /* formerly located in io/pnpnotify.c */
 #define TAG_PNP_NOTIFY  'NPnP'

Modified: trunk/reactos/ntoskrnl/io/iomgr/driver.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/io/iomgr/driver.c…
==============================================================================
--- trunk/reactos/ntoskrnl/io/iomgr/driver.c	[iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/io/iomgr/driver.c	[iso-8859-1] Fri Oct 24 09:39:15 2014
@@ -930,7 +930,6 @@
 
     if (!NT_SUCCESS(Status))
     {
-        IopFreeDeviceNode(DeviceNode);
         return Status;
     }
 
@@ -994,7 +993,6 @@
     if (!NT_SUCCESS(Status))
     {
         /* Fail */
-        IopFreeDeviceNode(DeviceNode);
         return;
     }
 
@@ -1003,7 +1001,6 @@
     if (!NT_SUCCESS(Status))
     {
         /* Fail */
-        IopFreeDeviceNode(DeviceNode);
         ObDereferenceObject(DriverObject);
         return;
     }
@@ -1013,7 +1010,6 @@
     if (!NT_SUCCESS(Status))
     {
         /* Fail */
-        IopFreeDeviceNode(DeviceNode);
         ObDereferenceObject(DriverObject);
         return;
     }
@@ -2020,7 +2016,6 @@
         {
             DPRINT1("IopInitializeDriverModule() failed (Status %lx)\n",
Status);
             MmUnloadSystemImage(ModuleObject);
-            IopFreeDeviceNode(DeviceNode);
             return Status;
         }
 

Modified: trunk/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/io/pnpmgr/pnpmgr.…
==============================================================================
--- trunk/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c	[iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/io/pnpmgr/pnpmgr.c	[iso-8859-1] Fri Oct 24 09:39:15 2014
@@ -1024,7 +1024,7 @@
    DPRINT("ParentNode 0x%p PhysicalDeviceObject 0x%p ServiceName %wZ\n",
       ParentNode, PhysicalDeviceObject, ServiceName);
 
-   Node = (PDEVICE_NODE)ExAllocatePool(NonPagedPool, sizeof(DEVICE_NODE));
+   Node = ExAllocatePoolWithTag(NonPagedPool, sizeof(DEVICE_NODE), TAG_IO_DEVNODE);
    if (!Node)
    {
       return STATUS_INSUFFICIENT_RESOURCES;
@@ -1044,7 +1044,7 @@
       FullServiceName.Buffer = ExAllocatePool(PagedPool, FullServiceName.MaximumLength);
       if (!FullServiceName.Buffer)
       {
-          ExFreePool(Node);
+          ExFreePoolWithTag(Node, TAG_IO_DEVNODE);
           return STATUS_INSUFFICIENT_RESOURCES;
       }
 
@@ -1055,7 +1055,7 @@
       if (!NT_SUCCESS(Status))
       {
          DPRINT1("PnpRootCreateDevice() failed with status 0x%08X\n", Status);
-         ExFreePool(Node);
+         ExFreePoolWithTag(Node, TAG_IO_DEVNODE);
          return Status;
       }
 
@@ -1064,7 +1064,7 @@
       if (!NT_SUCCESS(Status))
       {
           ZwClose(InstanceHandle);
-          ExFreePool(Node);
+          ExFreePoolWithTag(Node, TAG_IO_DEVNODE);
           ExFreePool(FullServiceName.Buffer);
           return Status;
       }
@@ -1073,7 +1073,7 @@
       if (!Node->ServiceName.Buffer)
       {
           ZwClose(InstanceHandle);
-          ExFreePool(Node);
+          ExFreePoolWithTag(Node, TAG_IO_DEVNODE);
           ExFreePool(FullServiceName.Buffer);
           return Status;
       }
@@ -1122,7 +1122,7 @@
 
       if (!NT_SUCCESS(Status))
       {
-          ExFreePool(Node);
+          ExFreePoolWithTag(Node, TAG_IO_DEVNODE);
           return Status;
       }
 
@@ -1225,7 +1225,8 @@
       ExFreePool(DeviceNode->BootResources);
    }
 
-   ExFreePool(DeviceNode);
+  
((PEXTENDED_DEVOBJ_EXTENSION)DeviceNode->PhysicalDeviceObject->DeviceObjectExtension)->DeviceNode
= NULL;
+   ExFreePoolWithTag(DeviceNode, TAG_IO_DEVNODE);
 
    return STATUS_SUCCESS;
 }
@@ -2560,7 +2561,7 @@
 
    DPRINT("IopActionInitChildServices(%p, %p)\n", DeviceNode, Context);
 
-   ParentDeviceNode = (PDEVICE_NODE)Context;
+   ParentDeviceNode = Context;
 
    /*
     * We are called for the parent too, but we don't need to do special
@@ -3545,7 +3546,7 @@
     PAGED_CODE();
 
     /* Allocate it */
-    DeviceNode = ExAllocatePoolWithTag(NonPagedPool, sizeof(DEVICE_NODE),
'donD');
+    DeviceNode = ExAllocatePoolWithTag(NonPagedPool, sizeof(DEVICE_NODE),
TAG_IO_DEVNODE);
     if (!DeviceNode) return DeviceNode;
 
     /* Statistics */



    