[hyperion] 32770: Fix some serious handle table bugs which led to memory corruption and stale values (which led to more memory corruption). Patch by Alex Ionescu.
27 Mar
2008
27 Mar
'08
1:13 a.m.
Author: hyperion
Date: Wed Mar 26 20:13:24 2008
New Revision: 32770
URL: http://svn.reactos.org/svn/reactos?rev=32770&view=rev
Log:
Fix some serious handle table bugs which led to memory corruption and stale values (which
led to more memory corruption). Patch by Alex Ionescu.
Modified:
trunk/reactos/ntoskrnl/ex/handle.c
Modified: trunk/reactos/ntoskrnl/ex/handle.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ex/handle.c?rev=3…
==============================================================================
--- trunk/reactos/ntoskrnl/ex/handle.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/ex/handle.c [iso-8859-1] Wed Mar 26 20:13:24 2008
@@ -17,7 +17,7 @@
LIST_ENTRY HandleTableListHead;
EX_PUSH_LOCK HandleTableListLock;
-#define SizeOfHandle(x) (sizeof(HANDLE) * x)
+#define SizeOfHandle(x) (sizeof(HANDLE) * (x))
/* PRIVATE FUNCTIONS *********************************************************/
@@ -43,11 +43,11 @@
/* Clear the tag bits and check what the next handle is */
Handle.TagBits = 0;
- NextHandle = HandleTable->NextHandleNeedingPool;
+ NextHandle = *(volatile ULONG*)&HandleTable->NextHandleNeedingPool;
if (Handle.Value >= NextHandle) return NULL;
/* Get the table code */
- TableBase = (ULONG_PTR)HandleTable->TableCode;
+ TableBase = *(volatile ULONG_PTR*)&HandleTable->TableCode;
/* Extract the table level and actual table base */
TableLevel = (ULONG)(TableBase & 3);
@@ -734,7 +734,7 @@
ExAcquirePushLockShared(&HandleTable->HandleTableLock[i]);
/* Check if the value changed after acquiring the lock */
- if (OldValue != HandleTable->FirstFree)
+ if (OldValue != *(volatile ULONG*)&HandleTable->FirstFree)
{
/* It did, so try again */
ExReleasePushLockShared(&HandleTable->HandleTableLock[i]);
@@ -743,7 +743,7 @@
}
/* Now get the next value and do the compare */
- NewValue = Entry->NextFreeTableEntry;
+ NewValue = *(volatile ULONG*)&Entry->NextFreeTableEntry;
NewValue1 = InterlockedCompareExchange((PLONG) &HandleTable->FirstFree,
NewValue,
OldValue);
@@ -874,7 +874,7 @@
for (;;)
{
/* Get the current value and check if it's locked */
- OldValue = (LONG_PTR)HandleTableEntry->Object;
+ OldValue = *(volatile LONG_PTRits *)&HandleTableEntry->Object;
if (OldValue & EXHANDLE_TABLE_ENTRY_LOCK_BIT)
{
/* It's not locked, remove the lock bit to lock it */
6049
days inactive
6049
days old
0 comments
1 participants
participants (1)
-
hyperion@svn.reactos.org