Author: ion Date: Mon Jan 15 21:37:53 2007 New Revision: 25467

URL: http://svn.reactos.org/svn/reactos?rev=25467&view=rev Log: [22 bugfixes]: - ObpReferenceProcessObjectByHandle is always called with HandleInformation, remove this check. - ObpReferenceProcessObjectByHandle already gets a process parameter, don't query the current one. - ObpReferenceProcessObjectByHandle already gets a handle table, don't query the current one. - ObpDecrementHandleCount shouldn't remove the object from the creator info. - ObpDecrementHandleCount should clear the exclusive process if this is the last handle. - Killing a protected handle should raise an exception if a debug port is connected, not an exception port. - ObpIncrementHandleCount should support OBJ_FORCE_ACCESS_CHECK. - ObpIncrementHandleCount needs to support ObDuplicateHandle. - ObpIncrementHandleCount needs to support being called without an AccessState. - Fix interlocked handle count accounting. - Allow user-mode to create kernel-mode handles. - Fix the way Additional reference bias is de-referenced during failures. - Complete rundown in ObKillProcess. - Send SourceProcess in ObDuplicateHandle. - Assume initial failure and clear handle in ObDuplicateHandle. - Don't leak object table references when failing in ObDuplicateHandle. - Assume failure in ObOpenObjectByName. - Don't leak buffer during failure in ObOpenObjectByName. - Don't leak object reference durning failure in ObOpenObjecByName. - Validate handle attributes in ObOpenObjectByPointer. - Use RtlCopyMemory when possible to speed up.

Modified: trunk/reactos/ntoskrnl/ob/obhandle.c

Modified: trunk/reactos/ntoskrnl/ob/obhandle.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ob/obhandle.c?rev=... ============================================================================== --- trunk/reactos/ntoskrnl/ob/obhandle.c (original) +++ trunk/reactos/ntoskrnl/ob/obhandle.c Mon Jan 15 21:37:53 2007 @@ -60,14 +60,14 @@ IN PHANDLE_TABLE HandleTable, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, - OUT POBJECT_HANDLE_INFORMATION HandleInformation) + OUT POBJECT_HANDLE_INFORMATION HandleInformation, + OUT PACCESS_MASK AuditMask) { PHANDLE_TABLE_ENTRY HandleEntry; POBJECT_HEADER ObjectHeader; ACCESS_MASK GrantedAccess; ULONG Attributes; - PEPROCESS CurrentProcess; - PETHREAD CurrentThread; + PETHREAD Thread = PsGetCurrentThread(); NTSTATUS Status; PAGED_CODE();

@@ -77,46 +77,40 @@ /* Check if the caller wants the current process */ if (Handle == NtCurrentProcess()) { - /* Get the current process */ - CurrentProcess = PsGetCurrentProcess(); - - /* Check if the caller wanted handle information */ - if (HandleInformation) - { - /* Return it */ - HandleInformation->HandleAttributes = 0; - HandleInformation->GrantedAccess = Process->GrantedAccess; - } + /* Return handle info */ + HandleInformation->HandleAttributes = 0; + HandleInformation->GrantedAccess = Process->GrantedAccess; + + /* No audit mask */ + *AuditMask = 0;

/* Reference ourselves */ - ObjectHeader = OBJECT_TO_OBJECT_HEADER(CurrentProcess); + ObjectHeader = OBJECT_TO_OBJECT_HEADER(Process); InterlockedExchangeAdd(&ObjectHeader->PointerCount, 1);

/* Return the pointer */ - *Object = CurrentProcess; + *Object = Process; + ASSERT(*Object != NULL); return STATUS_SUCCESS; }

/* Check if the caller wants the current thread */ if (Handle == NtCurrentThread()) { - /* Get the current thread */ - CurrentThread = PsGetCurrentThread(); - - /* Check if the caller wanted handle information */ - if (HandleInformation) - { - /* Return it */ - HandleInformation->HandleAttributes = 0; - HandleInformation->GrantedAccess = CurrentThread->GrantedAccess; - } + /* Return handle information */ + HandleInformation->HandleAttributes = 0; + HandleInformation->GrantedAccess = Thread->GrantedAccess;

/* Reference ourselves */ - ObjectHeader = OBJECT_TO_OBJECT_HEADER(CurrentThread); + ObjectHeader = OBJECT_TO_OBJECT_HEADER(Thread); InterlockedExchangeAdd(&ObjectHeader->PointerCount, 1);

+ /* No audit mask */ + *AuditMask = 0; + /* Return the pointer */ - *Object = CurrentThread; + *Object = Thread; + ASSERT(*Object != NULL); return STATUS_SUCCESS; }

@@ -126,11 +120,6 @@ /* Use the kernel handle table and get the actual handle value */ Handle = ObKernelHandleToHandle(Handle); HandleTable = ObpKernelHandleTable; - } - else - { - /* Otherwise use this process's handle table */ - HandleTable = PsGetCurrentProcess()->ObjectTable; }

/* Enter a critical region while we touch the handle table */ @@ -156,6 +145,9 @@ /* Fill out the information */ HandleInformation->HandleAttributes = Attributes; HandleInformation->GrantedAccess = GrantedAccess; + + /* No audit mask (FIXME!) */ + *AuditMask = 0;

/* Return the pointer */ *Object = &ObjectHeader->Body; @@ -244,7 +236,7 @@ if (!HandleDatabase) return NULL;

/* Copy the old database */ - RtlMoveMemory(HandleDatabase, OldHandleDatabase, OldSize); + RtlCopyMemory(HandleDatabase, OldHandleDatabase, OldSize);

/* Check if we he had a single entry before */ if (ObjectHeader->Flags & OB_FLAG_SINGLE_PROCESS) @@ -440,12 +432,12 @@ POBJECT_TYPE ObjectType; LONG SystemHandleCount, ProcessHandleCount; LONG NewCount; - POBJECT_HEADER_CREATOR_INFO CreatorInfo; KIRQL CalloutIrql; POBJECT_HEADER_HANDLE_INFO HandleInfo; POBJECT_HANDLE_COUNT_ENTRY HandleEntry; POBJECT_HANDLE_COUNT_DATABASE HandleDatabase; ULONG i; + PAGED_CODE();

/* Get the object type and header */ ObjectHeader = OBJECT_TO_OBJECT_HEADER(ObjectBody); @@ -467,17 +459,11 @@ /* Decrement the handle count */ NewCount = InterlockedDecrement(&ObjectHeader->HandleCount);

- /* Check if we're out of handles */ - if (!NewCount) - { - /* Get the creator info */ - CreatorInfo = OBJECT_HEADER_TO_CREATOR_INFO(ObjectHeader); - if ((CreatorInfo) && !(IsListEmpty(&CreatorInfo->TypeList))) - { - /* Remove it from the list and re-initialize it */ - RemoveEntryList(&CreatorInfo->TypeList); - InitializeListHead(&CreatorInfo->TypeList); - } + /* Check if we're out of handles and this was an exclusive object */ + if (!(NewCount) && (ObjectHeader->Flags & OB_FLAG_EXCLUSIVE)) + { + /* Clear the exclusive flag */ + OBJECT_HEADER_TO_QUOTA_INFO(ObjectHeader)->ExclusiveProcess = NULL; }

/* Is the object type keeping track of handles? */ @@ -644,8 +630,8 @@ /* We are! Unlock the entry */ ExUnlockHandleTableEntry(HandleTable, HandleEntry);

- /* Make sure we have an exception port */ - if (PsGetCurrentProcess()->ExceptionPort) + /* Make sure we have a debug port */ + if (PsGetCurrentProcess()->DebugPort) { /* Raise an exception */ return KeRaiseUserException(STATUS_HANDLE_NOT_CLOSABLE); @@ -656,10 +642,11 @@ return STATUS_HANDLE_NOT_CLOSABLE; } } - - /* Otherwise, we are kernel mode, so unlock the entry and return */ - ExUnlockHandleTableEntry(HandleTable, HandleEntry); - return STATUS_HANDLE_NOT_CLOSABLE; + else + { + /* Otherwise, bugcheck the OS */ + KeBugCheckEx(0x8B, (ULONG_PTR)Handle, 0, 0, 0); + } }

/* Destroy and unlock the handle entry */ @@ -727,6 +714,8 @@ BOOLEAN Exclusive = FALSE, NewObject; POBJECT_HEADER_CREATOR_INFO CreatorInfo; KIRQL CalloutIrql; + KPROCESSOR_MODE ProbeMode; + ULONG Total;

/* Get the object header and type */ ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object); @@ -738,6 +727,18 @@ OpenReason, ObjectHeader->HandleCount, ObjectHeader->PointerCount); + + /* Check if caller is forcing user mode */ + if (HandleAttributes & OBJ_FORCE_ACCESS_CHECK) + { + /* Force it */ + ProbeMode = UserMode; + } + else + { + /* Keep original setting */ + ProbeMode = AccessMode; + }

/* Lock the object type */ ObpEnterObjectTypeMutex(ObjectType); @@ -797,7 +798,8 @@ }

/* Check if we're opening an existing handle */ - if (OpenReason == ObOpenHandle) + if ((OpenReason == ObOpenHandle) || + ((OpenReason == ObDuplicateHandle) && (AccessState))) { /* Validate the caller's access to this object */ if (!ObCheckObjectAccess(Object, @@ -875,7 +877,10 @@ Status = ObjectType->TypeInfo.OpenProcedure(OpenReason, Process, Object, - AccessState->PreviouslyGrantedAccess, + AccessState ? + AccessState-> + PreviouslyGrantedAccess : + 0, ProcessHandleCount); ObpCalloutEnd(CalloutIrql, "Open", ObjectType, Object);

@@ -889,26 +894,30 @@ } }

- /* Check if we have creator info */ - CreatorInfo = OBJECT_HEADER_TO_CREATOR_INFO(ObjectHeader); - if (CreatorInfo) - { - /* We do, acquire the lock */ - ObpEnterObjectTypeMutex(ObjectType); - - /* Insert us on the list */ - InsertTailList(&ObjectType->TypeList, &CreatorInfo->TypeList); - - /* Release the lock */ - ObpLeaveObjectTypeMutex(ObjectType); + /* Check if this is a create operation */ + if (OpenReason == ObCreateHandle) + { + /* Check if we have creator info */ + CreatorInfo = OBJECT_HEADER_TO_CREATOR_INFO(ObjectHeader); + if (CreatorInfo) + { + /* We do, acquire the lock */ + ObpEnterObjectTypeMutex(ObjectType); + + /* Insert us on the list */ + InsertTailList(&ObjectType->TypeList, &CreatorInfo->TypeList); + + /* Release the lock */ + ObpLeaveObjectTypeMutex(ObjectType); + } }

/* Increase total number of handles */ - InterlockedIncrement((PLONG)&ObjectType->TotalNumberOfHandles); - if (ObjectType->TotalNumberOfHandles > ObjectType->HighWaterNumberOfHandles) + Total = InterlockedIncrement((PLONG)&ObjectType->TotalNumberOfHandles); + if (Total > ObjectType->HighWaterNumberOfHandles) { /* Fixup count */ - ObjectType->HighWaterNumberOfHandles = ObjectType->TotalNumberOfHandles; + ObjectType->HighWaterNumberOfHandles = Total; }

/* Trace call and return */ @@ -971,6 +980,7 @@ BOOLEAN Exclusive = FALSE, NewObject; POBJECT_HEADER_CREATOR_INFO CreatorInfo; KIRQL CalloutIrql; + ULONG Total;

/* Get the object header and type */ ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object); @@ -1123,11 +1133,11 @@ }

/* Increase total number of handles */ - InterlockedIncrement((PLONG)&ObjectType->TotalNumberOfHandles); - if (ObjectType->TotalNumberOfHandles > ObjectType->HighWaterNumberOfHandles) + Total = InterlockedIncrement((PLONG)&ObjectType->TotalNumberOfHandles); + if (Total > ObjectType->HighWaterNumberOfHandles) { /* Fixup count */ - ObjectType->HighWaterNumberOfHandles = ObjectType->TotalNumberOfHandles; + ObjectType->HighWaterNumberOfHandles = Total; }

/* Trace call and return */ @@ -1208,7 +1218,7 @@ ObjectHeader->PointerCount);

/* Check if this is a kernel handle */ - if ((HandleAttributes & OBJ_KERNEL_HANDLE) && (AccessMode == KernelMode)) + if (HandleAttributes & OBJ_KERNEL_HANDLE) { /* Set the handle table */ HandleTable = ObpKernelHandleTable; @@ -1309,14 +1319,9 @@ }

/* Handle extra references */ - if (AdditionalReferences == 1) - { - /* Dereference the object once */ - ObDereferenceObject(Object); - } - else if (AdditionalReferences > 1) - { - /* Dereference it many times */ + if (AdditionalReferences) + { + /* Dereference it as many times as required */ InterlockedExchangeAdd(&ObjectHeader->PointerCount, -AdditionalReferences); } @@ -1413,7 +1418,7 @@ }

/* Check if this is a kernel handle */ - if ((HandleAttributes & OBJ_KERNEL_HANDLE) && (AccessMode == KernelMode)) + if (HandleAttributes & OBJ_KERNEL_HANDLE) { /* Set the handle table */ HandleTable = ObpKernelHandleTable; @@ -1508,12 +1513,6 @@ /* Make sure we got a handle */ if (Handle) { - /* Check if we have auxiliary data */ - if (AuxData) - { - /* FIXME: Change handle security */ - } - /* Check if this was a kernel handle */ if (KernelHandle) Handle = ObMarkHandleAsKernelHandle(Handle);

@@ -1573,16 +1572,18 @@ GrantedAccess);

/* Handle extra references */ - if (AdditionalReferences == 1) - { - /* Dereference the object once */ + if (AdditionalReferences) + { + /* Check how many extra references were added */ + if (AdditionalReferences > 1) + { + /* Dereference it many times */ + InterlockedExchangeAdd(&ObjectHeader->PointerCount, + -(AdditionalReferences - 1)); + } + + /* Dereference the object one last time */ ObDereferenceObject(Object); - } - else if (AdditionalReferences > 1) - { - /* Dereference it many times */ - InterlockedExchangeAdd(&ObjectHeader->PointerCount, - -AdditionalReferences); }

/* Detach if necessary and fail */ @@ -1670,9 +1671,9 @@ /* Detach */ if (AttachedToProcess) KeUnstackDetachProcess(&ApcState);

- /* Check if this was a user-mode caller with a valid exception port */ + /* Check if this was a user-mode caller with a valid debug port */ if ((AccessMode != KernelMode) && - (PsGetCurrentProcess()->ExceptionPort)) + (PsGetCurrentProcess()->DebugPort)) { /* Raise an exception */ Status = KeRaiseUserException(STATUS_INVALID_HANDLE); @@ -1948,8 +1949,9 @@ BOOLEAN HardErrors; PAGED_CODE();

- /* Wait for process rundown */ + /* Wait for process rundown and then complete it */ ExWaitForRundownProtectionRelease(&Process->RundownProtect); + ExRundownCompleted(&Process->RundownProtect);

/* Get the object table */ HandleTable = Process->ObjectTable; @@ -2007,6 +2009,7 @@ AUX_DATA AuxData; PHANDLE_TABLE HandleTable; OBJECT_HANDLE_INFORMATION HandleInformation; + ULONG AuditMask; PAGED_CODE(); OBTRACE(OB_HANDLE_DEBUG, "%s - Duplicating handle: %lx for %p into %p\n", @@ -2015,6 +2018,9 @@ SourceProcess, TargetProcess);

+ /* Assume failure */ + if (TargetHandle) *TargetHandle = NULL; + /* Check if we're not duplicating the same access */ if (!(Options & DUPLICATE_SAME_ACCESS)) { @@ -2029,11 +2035,12 @@

/* Reference the process object */ Status = ObpReferenceProcessObjectByHandle(SourceHandle, - 0, + SourceProcess, HandleTable, PreviousMode, &SourceObject, - &HandleInformation); + &HandleInformation, + &AuditMask); if (!NT_SUCCESS(Status)) { /* Fail */ @@ -2191,6 +2198,10 @@ /* Now check if incrementing actually failed */ if (!NT_SUCCESS(Status)) { + /* Dereference handle tables */ + ObDereferenceProcessHandleTable(SourceProcess); + ObDereferenceProcessHandleTable(TargetProcess); + /* Dereference the source object */ ObDereferenceObject(SourceObject); return Status; @@ -2283,11 +2294,13 @@ POB_TEMP_BUFFER TempBuffer; PAGED_CODE();

+ /* Assume failure */ + *Handle = NULL; + /* Check if we didn't get any Object Attributes */ if (!ObjectAttributes) { /* Fail with special status code */ - *Handle = NULL; return STATUS_INVALID_PARAMETER; }

@@ -2303,7 +2316,12 @@ TRUE, &TempBuffer->ObjectCreateInfo, &ObjectName); - if (!NT_SUCCESS(Status)) return Status; + if (!NT_SUCCESS(Status)) + { + /* Fail */ + ExFreePool(TempBuffer); + return Status; + }

/* Check if we didn't get an access state */ if (!PassedAccessState) @@ -2378,6 +2396,9 @@

/* Cleanup after lookup */ ObpCleanupDirectoryLookup(&TempBuffer->LookupContext); + + /* Dereference the object */ + ObDereferenceObject(Object); } else { @@ -2466,8 +2487,8 @@ AUX_DATA AuxData; PAGED_CODE();

- /* Get the Header Info */ - Header = OBJECT_TO_OBJECT_HEADER(Object); + /* Assume failure */ + *Handle = NULL;

/* Reference the object */ Status = ObReferenceObjectByPointer(Object, @@ -2475,6 +2496,9 @@ ObjectType, AccessMode); if (!NT_SUCCESS(Status)) return Status; + + /* Get the Header Info */ + Header = OBJECT_TO_OBJECT_HEADER(Object);

/* Check if we didn't get an access state */ if (!PassedAccessState) @@ -2491,6 +2515,20 @@ ObDereferenceObject(Object); return Status; } + } + + /* Check if we have invalid object attributes */ + if (Header->Type->TypeInfo.InvalidAttributes & HandleAttributes) + { + /* Delete the access state */ + if (PassedAccessState == &AccessState) + { + SeDeleteAccessState(PassedAccessState); + } + + /* Dereference the object */ + ObDereferenceObject(Object); + return STATUS_INVALID_PARAMETER; }

/* Create the handle */