https://git.reactos.org/?p=reactos.git;a=commitdiff;h=f0729b30bb79d6f538cf2b...
commit f0729b30bb79d6f538cf2b9578ff8ebe7989f8d3 Author: Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org AuthorDate: Sun Apr 1 14:46:19 2018 +0200 Commit: Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org CommitDate: Sun Apr 1 22:39:31 2018 +0200
[NTOSKRNL] Forbid processes without the Tcb privilege to perform a user-mode hard-error BSOD. --- ntoskrnl/ex/harderr.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ntoskrnl/ex/harderr.c b/ntoskrnl/ex/harderr.c
index 84f409a1bb..a5200e3e74 100644
--- a/ntoskrnl/ex/harderr.c
+++ b/ntoskrnl/ex/harderr.c
@@ -132,8 +132,18 @@ ExpRaiseHardError(IN NTSTATUS ErrorStatus,
 /* Check if this error will shutdown the system */
 if (ValidResponseOptions == OptionShutdownSystem)
 {
- /* Check for privilege */
- if (!SeSinglePrivilegeCheck(SeShutdownPrivilege, PreviousMode))
+ /*
+ * Check if we have the privileges.
+ *
+ * NOTE: In addition to the Shutdown privilege we also check whether
+ * the caller has the Tcb privilege. The purpose is to allow only
+ * SYSTEM processes to "shutdown" the system on hard errors (BSOD)
+ * while forbidding regular processes to do so. This behaviour differs
+ * from Windows, where any user-mode process, as soon as it has the
+ * Shutdown privilege, can trigger a hard-error BSOD.
+ */
+ if (!SeSinglePrivilegeCheck(SeTcbPrivilege, PreviousMode) ||
+ !SeSinglePrivilegeCheck(SeShutdownPrivilege, PreviousMode))
 {
 /* No rights */
 *Response = ResponseNotHandled;
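Review bot: The new NOTE overstates the guarantee: the added condition admits any caller whose token holds SeTcbPrivilege, not only SYSTEM processes, so the comment should say `* the caller has the Tcb privilege (normally only SYSTEM-like tokens), ...` rather than "only SYSTEM processes", and it should state explicitly that kernel-mode callers (PreviousMode == KernelMode) are presumably unaffected since the privilege checks are made against PreviousMode — confirm against SeSinglePrivilegeCheck. Because the `||` short-circuits on the Tcb check first, a caller that has Shutdown but lacks Tcb is rejected before its Shutdown privilege is ever evaluated; if SeSinglePrivilegeCheck emits privilege-use audit records, the audit trail for such a denial will show only the Tcb failure, which is worth a one-line comment like `/* Tcb is checked first so a non-Tcb caller never consumes/audits Shutdown */` if that ordering is intentional. The enclosing function ExpRaiseHardError begins before this hunk.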