Author: tfaber Date: Wed Jul 30 10:08:30 2014 New Revision: 63779
URL: http://svn.reactos.org/svn/reactos?rev=63779&view=rev Log: [NTOS:CM] - Improve the hack from r63777 to return an allow-Everyone DACL. Fixes crash in advapi32:security. CORE-8383 #resolve
Modified: trunk/reactos/ntoskrnl/config/cmse.c
Modified: trunk/reactos/ntoskrnl/config/cmse.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/config/cmse.c?rev=...
==============================================================================
--- trunk/reactos/ntoskrnl/config/cmse.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/config/cmse.c [iso-8859-1] Wed Jul 30 10:08:30 2014
@@ -144,10 +144,14 @@
 IN OUT PULONG BufferLength)
 {
 PISECURITY_DESCRIPTOR_RELATIVE RelSd;
- PUCHAR Current;
 ULONG SidSize;
+ ULONG AclSize;
 ULONG SdSize;
 NTSTATUS Status;
+ SECURITY_DESCRIPTOR_CONTROL Control = 0;
+ ULONG Owner = 0;
+ ULONG Group = 0;
+ ULONG Dacl = 0;
DBG_UNREFERENCED_PARAMETER(KeyBody);
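Review bot: `AclSize` is declared without an initializer, while the four locals added next to it (`Control`, `Owner`, `Group`, `Dacl`) all start at 0. As far as the later hunks show, it is assigned only inside the DACL_SECURITY_INFORMATION branch and read only under `if (Dacl)`, so it is never used unset. That pairing is easy to break in a later edit, and some compilers will warn about it. Declaring it as `ULONG AclSize = 0;` keeps the block uniform. The function's signature begins above this hunk.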
@@ -157,8 +161,33 @@
 }
SidSize = RtlLengthSid(SeWorldSid);
- SdSize = sizeof(*RelSd) + 2 * SidSize;
 RelSd = SecurityDescriptor;
+ SdSize = sizeof(*RelSd);
+
+ if (SecurityInformation & OWNER_SECURITY_INFORMATION)
+ {
+ Owner = SdSize;
+ SdSize += SidSize;
+ }
+
+ if (SecurityInformation & GROUP_SECURITY_INFORMATION)
+ {
+ Group = SdSize;
+ SdSize += SidSize;
+ }
+
+ if (SecurityInformation & DACL_SECURITY_INFORMATION)
+ {
+ Control |= SE_DACL_PRESENT;
+ Dacl = SdSize;
+ AclSize = sizeof(ACL) + sizeof(ACE) + SidSize;
+ SdSize += AclSize;
+ }
+
+ if (SecurityInformation & SACL_SECURITY_INFORMATION)
+ {
+ Control |= SE_SACL_PRESENT;
+ }
if (*BufferLength < SdSize)
 {
@@ -173,36 +202,37 @@
 if (!NT_SUCCESS(Status))
 return Status;
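Review bot: The DACL size `sizeof(ACL) + sizeof(ACE) + SidSize` is an exact fit with no slack. It is only correct if `ACE` is precisely the header plus access mask that precedes the SID in the entry RtlAddAccessAllowedAce writes in the last hunk; the definition of `ACE` is not visible here. If the two ever differ, either the ACL fails to build (surfacing only through the ASSERT at the end of the function) or the descriptor reports more space than it uses. Tying the size to the ACE type that is actually created states the intent directly: `AclSize = sizeof(ACL) + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + SidSize;`. The `*BufferLength` check that consumes `SdSize` continues outside this hunk.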
- Current = (PUCHAR)(RelSd + 1);
- ASSERT((ULONG_PTR)Current - (ULONG_PTR)RelSd <= SdSize);
-
- if (SecurityInformation & OWNER_SECURITY_INFORMATION)
- {
- RtlCopyMemory(Current, SeWorldSid, SidSize);
- RelSd->Owner = Current - (PUCHAR)RelSd;
- Current += SidSize;
- ASSERT((ULONG_PTR)Current - (ULONG_PTR)RelSd <= SdSize);
- }
-
- if (SecurityInformation & GROUP_SECURITY_INFORMATION)
- {
- RtlCopyMemory(Current, SeWorldSid, SidSize);
- RelSd->Group = Current - (PUCHAR)RelSd;
- Current += SidSize;
- ASSERT((ULONG_PTR)Current - (ULONG_PTR)RelSd <= SdSize);
- }
-
- if (SecurityInformation & DACL_SECURITY_INFORMATION)
- {
- RelSd->Control |= SE_DACL_PRESENT;
- }
-
- if (SecurityInformation & SACL_SECURITY_INFORMATION)
- {
- RelSd->Control |= SE_SACL_PRESENT;
- }
-
- return STATUS_SUCCESS;
+ RelSd->Control |= Control;
+ RelSd->Owner = Owner;
+ RelSd->Group = Group;
+ RelSd->Dacl = Dacl;
+
+ if (Owner)
+ RtlCopyMemory((PUCHAR)RelSd + Owner,
+ SeWorldSid,
+ SidSize);
+
+ if (Group)
+ RtlCopyMemory((PUCHAR)RelSd + Group,
+ SeWorldSid,
+ SidSize);
+
+ if (Dacl)
+ {
+ Status = RtlCreateAcl((PACL)((PUCHAR)RelSd + Dacl),
+ AclSize,
+ ACL_REVISION);
+ if (NT_SUCCESS(Status))
+ {
+ Status = RtlAddAccessAllowedAce((PACL)((PUCHAR)RelSd + Dacl),
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeWorldSid);
+ }
+ }
+
+ ASSERT(Status == STATUS_SUCCESS);
+ return Status;
 }
NTSTATUS
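Review bot: The ACE added for `SeWorldSid` carries `GENERIC_ALL`, which RtlAddAccessAllowedAce presumably stores unchanged, so a caller reading a key's DACL sees an unmapped generic right rather than a key-specific mask. Anything that audits or compares key permissions would then get a mask that matches neither `KEY_ALL_ACCESS` nor whatever protection the key actually has; passing `KEY_ALL_ACCESS` instead of `GENERIC_ALL` would at least be consistent with the object type. The log calls this a hack, but the code has no marker saying so. A comment such as `/* HACK (r63777): every key reports an allow-Everyone DACL; real key security is not returned here */` above `if (Dacl)` would keep the placeholder from being mistaken for real key security. Separately, a failure from RtlCreateAcl or RtlAddAccessAllowedAce is returned only after the caller's buffer has been partly written, and only the ASSERT flags it, in checked builds.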