Author: hyperion Date: Wed Mar 26 20:13:24 2008 New Revision: 32770
URL: http://svn.reactos.org/svn/reactos?rev=32770&view=rev Log: Fix some serious handle table bugs which led to memory corruption and stale values (which led to more memory corruption). Patch by Alex Ionescu.
Modified: trunk/reactos/ntoskrnl/ex/handle.c
Modified: trunk/reactos/ntoskrnl/ex/handle.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ex/handle.c?rev=32... ==============================================================================
--- trunk/reactos/ntoskrnl/ex/handle.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/ex/handle.c [iso-8859-1] Wed Mar 26 20:13:24 2008
@@ -17,7 +17,7 @@
LIST_ENTRY HandleTableListHead;
 EX_PUSH_LOCK HandleTableListLock;
-#define SizeOfHandle(x) (sizeof(HANDLE) * x)
+#define SizeOfHandle(x) (sizeof(HANDLE) * (x))
/* PRIVATE FUNCTIONS *********************************************************/
@@ -43,11 +43,11 @@
/* Clear the tag bits and check what the next handle is */
 Handle.TagBits = 0;
- NextHandle = HandleTable->NextHandleNeedingPool;
+ NextHandle = *(volatile ULONG*)&HandleTable->NextHandleNeedingPool;
 if (Handle.Value >= NextHandle) return NULL;
/* Get the table code */
- TableBase = (ULONG_PTR)HandleTable->TableCode;
+ TableBase = *(volatile ULONG_PTR*)&HandleTable->TableCode;
/* Extract the table level and actual table base */
 TableLevel = (ULONG)(TableBase & 3);
@@ -734,7 +734,7 @@
 ExAcquirePushLockShared(&HandleTable->HandleTableLock[i]);
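Review bot: The new volatile reads of NextHandleNeedingPool and TableCode carry no comment saying why a plain load is not enough, and the same undocumented pattern recurs in the -734 and -743 hunks (FirstFree and NextFreeTableEntry). A volatile cast only keeps the compiler from caching or hoisting the load; it is not an acquire barrier, so on a weakly ordered target the two loads here can still be observed in either order relative to a concurrent table expansion — whether that pairing of a new handle bound with an old table code is harmless depends on the expansion code, which is outside this hunk. Suggest a comment on the first read: `/* Volatile read: the table can grow concurrently, so reload this on every lookup instead of letting the compiler cache it */`. The enclosing lookup function starts before this hunk.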
/* Check if the value changed after acquiring the lock */
- if (OldValue != HandleTable->FirstFree)
+ if (OldValue != *(volatile ULONG*)&HandleTable->FirstFree)
 {
 /* It did, so try again */
 ExReleasePushLockShared(&HandleTable->HandleTableLock[i]);
@@ -743,7 +743,7 @@
 }
/* Now get the next value and do the compare */
- NewValue = Entry->NextFreeTableEntry;
+ NewValue = *(volatile ULONG*)&Entry->NextFreeTableEntry;
 NewValue1 = InterlockedCompareExchange((PLONG) &HandleTable->FirstFree,
 NewValue,
 OldValue);
@@ -874,7 +874,7 @@
 for (;;)
 {
 /* Get the current value and check if it's locked */
- OldValue = (LONG_PTR)HandleTableEntry->Object;
+ OldValue = *(volatile LONG_PTRits *)&HandleTableEntry->Object;
 if (OldValue & EXHANDLE_TABLE_ENTRY_LOCK_BIT)
 {
 /* It's not locked, remove the lock bit to lock it */
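Review bot: `LONG_PTRits` on the added line of the -874 hunk is not a type visible anywhere on this page, so the line as printed would not compile; it reads as `LONG_PTR` with three stray characters, which may be a transcription artifact of this listing rather than of the patch itself. If the characters are in the patch, the line should be `OldValue = *(volatile LONG_PTR *)&HandleTableEntry->Object;`, matching the `(LONG_PTR)` cast on the removed line and the ULONG_PTR/ULONG volatile casts in the earlier hunks. The `for (;;)` loop this sits in continues past the end of the hunk.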