Author: tfaber Date: Sun Sep 25 13:46:18 2016 New Revision: 72800
URL: http://svn.reactos.org/svn/reactos?rev=72800&view=rev Log: [NTOS:PO] - Protect against invalid user mode pointers in NtPowerInformation
Modified: trunk/reactos/ntoskrnl/po/power.c
Modified: trunk/reactos/ntoskrnl/po/power.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/po/power.c?rev=728...
==============================================================================
--- trunk/reactos/ntoskrnl/po/power.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/po/power.c [iso-8859-1] Sun Sep 25 13:46:18 2016
@@ -657,6 +657,7 @@
 IN ULONG OutputBufferLength)
 {
 NTSTATUS Status;
+ KPROCESSOR_MODE PreviousMode = KeGetPreviousMode();
PAGED_CODE();
@@ -666,6 +667,20 @@
 InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength);
+ if (PreviousMode != KernelMode)
+ {
+ _SEH2_TRY
+ {
+ ProbeForRead(InputBuffer, InputBufferLength, 1);
+ ProbeForWrite(OutputBuffer, OutputBufferLength, sizeof(ULONG));
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END;
+ }
+
 switch (PowerInformationLevel)
 {
 case SystemBatteryState:
@@ -677,11 +692,20 @@
 if (OutputBufferLength < sizeof(SYSTEM_BATTERY_STATE))
 return STATUS_BUFFER_TOO_SMALL;
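Review bot: The new probe block validates the two user ranges only at the moment of the call, and nothing in the hunk records that every later access to InputBuffer and OutputBuffer must still run under SEH, which is what the per-level hunks below depend on since user mode can unmap or reprotect the buffers after the probe. A comment on the `if (PreviousMode != KernelMode)` line would make that contract visible to whoever adds the next information level: `/* Probe the user buffers once up front; later accesses must still be wrapped in _SEH2_TRY because the mapping can change after the probe. */`. The `sizeof(ULONG)` alignment passed to ProbeForWrite presumably matches the strictest member alignment of the structures written below, which is worth a word in the same comment. The prologue of NtPowerInformation and the code after the switch are outside this hunk.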
- /* Just zero the struct (and thus set BatteryState->BatteryPresent = FALSE) */
- RtlZeroMemory(BatteryState, sizeof(SYSTEM_BATTERY_STATE));
- BatteryState->EstimatedTime = MAXULONG;
-
- Status = STATUS_SUCCESS;
+ _SEH2_TRY
+ {
+ /* Just zero the struct (and thus set BatteryState->BatteryPresent = FALSE) */
+ RtlZeroMemory(BatteryState, sizeof(SYSTEM_BATTERY_STATE));
+ BatteryState->EstimatedTime = MAXULONG;
+
+ Status = STATUS_SUCCESS;
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = _SEH2_GetExceptionCode();
+ }
+ _SEH2_END;
+
 break;
 }
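Review bot: The exception handler here, and the identical ones in the SystemPowerCapabilities and ProcessorInformation hunks below, store `_SEH2_GetExceptionCode()` into Status without noting why a fault is still reachable after the buffer was probed before the switch, nor that the fault can leave the output structure partially written (RtlZeroMemory may have completed while the EstimatedTime store faulted). A one-line comment in each handler states the reasoning: `/* Buffer was probed above, so a fault here presumably means user mode changed it since; report it and leave the partial write */`. The `return Status` that consumes the value sits after the switch, outside this hunk.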
@@ -694,11 +718,20 @@
 if (OutputBufferLength < sizeof(SYSTEM_POWER_CAPABILITIES))
 return STATUS_BUFFER_TOO_SMALL;
- /* Just zero the struct (and thus set BatteryState->BatteryPresent = FALSE) */
- RtlZeroMemory(PowerCapabilities, sizeof(SYSTEM_POWER_CAPABILITIES));
- //PowerCapabilities->SystemBatteriesPresent = 0;
-
- Status = STATUS_SUCCESS;
+ _SEH2_TRY
+ {
+ /* Just zero the struct (and thus set PowerCapabilities->SystemBatteriesPresent = FALSE) */
+ RtlZeroMemory(PowerCapabilities, sizeof(SYSTEM_POWER_CAPABILITIES));
+ //PowerCapabilities->SystemBatteriesPresent = 0;
+
+ Status = STATUS_SUCCESS;
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = _SEH2_GetExceptionCode();
+ }
+ _SEH2_END;
+
 break;
 }
@@ -711,14 +744,23 @@
 if (OutputBufferLength < sizeof(PROCESSOR_POWER_INFORMATION))
 return STATUS_BUFFER_TOO_SMALL;
- PowerInformation->Number = 0;
- PowerInformation->MaxMhz = 1000;
- PowerInformation->CurrentMhz = 1000;
- PowerInformation->MhzLimit = 1000;
- PowerInformation->MaxIdleState = 0;
- PowerInformation->CurrentIdleState = 0;
-
- Status = STATUS_SUCCESS;
+ _SEH2_TRY
+ {
+ PowerInformation->Number = 0;
+ PowerInformation->MaxMhz = 1000;
+ PowerInformation->CurrentMhz = 1000;
+ PowerInformation->MhzLimit = 1000;
+ PowerInformation->MaxIdleState = 0;
+ PowerInformation->CurrentIdleState = 0;
+
+ Status = STATUS_SUCCESS;
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = _SEH2_GetExceptionCode();
+ }
+ _SEH2_END;
+
 break;
 }