commit 34ccecbce889ec2d8ce659e6fcdf9719775fd960
Author: Thomas Faber <thomas.faber(a)reactos.org>
AuthorDate: Fri Dec 8 14:41:41 2017 +0100
[NTOS:KD] Protect against invalid user arguments in KdpPrintString. CORE-14057
---
ntoskrnl/include/internal/kd.h | 4 ++--
ntoskrnl/kd/kdio.c | 28 ++++++++++++++++++++++++++--
2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/ntoskrnl/include/internal/kd.h b/ntoskrnl/include/internal/kd.h
index 9bb744319a..05179ea6d3 100644
--- a/ntoskrnl/include/internal/kd.h
+++ b/ntoskrnl/include/internal/kd.h
@@ -193,8 +193,8 @@ KdpCallGdb(
ULONG
NTAPI
KdpPrintString(
- LPSTR String,
- ULONG Length);
+ _In_reads_bytes_(Length) PCHAR UnsafeString,
+ _In_ ULONG Length);
ULONG
NTAPI
diff --git a/ntoskrnl/kd/kdio.c b/ntoskrnl/kd/kdio.c
index 8dc3366f03..3fedfd7ca5 100644
--- a/ntoskrnl/kd/kdio.c
+++ b/ntoskrnl/kd/kdio.c
@@ -567,14 +567,38 @@ KdpScreenInit(PKD_DISPATCH_TABLE DispatchTable,
ULONG
NTAPI
-KdpPrintString(LPSTR String,
- ULONG Length)
+KdpPrintString(
+ _In_reads_bytes_(Length) PCHAR UnsafeString,
+ _In_ ULONG Length)
{
PLIST_ENTRY CurrentEntry;
PKD_DISPATCH_TABLE CurrentTable;
+ PCHAR String;
if (!KdpDebugMode.Value) return 0;
+ Length = min(Length, 512);
+
+ if (ExGetPreviousMode() != KernelMode)
+ {
+ _SEH2_TRY
+ {
+ ProbeForRead(UnsafeString, Length, 1);
+ String = _alloca(Length + 1);
+ RtlCopyMemory(String, UnsafeString, Length);
+ String[Length] = ANSI_NULL;
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ return 0;
+ }
+ _SEH2_END;
+ }
+ else
+ {
+ String = UnsafeString;
+ }
+
/* Call the registered handlers */
CurrentEntry = KdProviders.Flink;
while (CurrentEntry != &KdProviders)
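Review bot: `String = _alloca(Length + 1);` on the user-mode path allocates inside the `_SEH2_TRY` body, and if that body is outlined into a separate function (as PSEH does on some toolchains) the allocation is released when the try block ends, leaving the pointer handed to the registered handlers after line 62 dangling. Since `Length` is already capped at 512 on the line above, a fixed buffer removes the lifetime question: declare `CHAR StringBuffer[512 + 1];` beside `PCHAR String;` and replace the `_alloca` line with `String = StringBuffer;`. Naming the cap once (for example an enum or `#define` used by both the `min()` and the buffer declaration) would keep the two sizes in step. The kernel-mode branch passes `UnsafeString` through without copying or NUL-terminating it, which is only correct if every handler honours `Length` rather than scanning for a terminator; a one-line comment on that branch stating the expectation would help. KdpPrintString's body continues past the hunk, so how `String` and `Length` reach the handlers is not visible here.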