https://git.reactos.org/?p=reactos.git;a=commitdiff;h=632fa1cfbe32dbcc1f97d… commit 632fa1cfbe32dbcc1f97dc96c9d6374cacf94ac7 Author: George Bișoc <george.bisoc(a)reactos.org> AuthorDate: Sun Jul 25 11:37:02 2021 +0200 Commit: George Bișoc <george.bisoc(a)reactos.org> CommitDate: Sat Jul 31 17:23:05 2021 +0200 [NTOS:SE] Handle the reference logon session of the token When creating or duplicating an access token object, make sure that the logon session is getting referenced by the token must be inserted onto the logon reference member (a.k.a LogonSession) for proper logon session referencing tracking. Also when a token object is about to be destroyed or that we are taking away a reference session from it, we must ensure that the referenced logon session data gets removed from the token in question. CORE-17700 --- ntoskrnl/se/token.c | 47 ++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 42 insertions(+), 5 deletions(-) diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c index a7b004ae034..46dbb725a89 100644 --- a/ntoskrnl/se/token.c +++ b/ntoskrnl/se/token.c @@ -865,6 +865,15 @@ SepDuplicateToken( goto Quit; } + /* Insert the referenced logon session into the token */ + Status = SepRmInsertLogonSessionIntoToken(AccessToken); + if (!NT_SUCCESS(Status)) + { + /* Failed to insert the logon session into the token, bail out */ + DPRINT1("SepRmInsertLogonSessionIntoToken() failed (Status 0x%lx)\n", Status); + goto Quit; + } + /* Assign the data that reside in the TOKEN's variable information area */ AccessToken->VariableLength = VariableLength; EndMem = (PVOID)&AccessToken->VariablePart; @@ -1164,10 +1173,23 @@ VOID NTAPI SepDeleteToken(PVOID ObjectBody) { + NTSTATUS Status; PTOKEN AccessToken = (PTOKEN)ObjectBody; DPRINT("SepDeleteToken()\n"); + /* Remove the referenced logon session from token */ + if (AccessToken->LogonSession) + { + Status = SepRmRemoveLogonSessionFromToken(AccessToken); + if (!NT_SUCCESS(Status)) + { + /* Something seriously went wrong */ + DPRINT1("SepDeleteToken(): Failed to remove the logon session from token (Status: 0x%lx)\n", Status); + return; + } + } + /* Dereference the logon session */ if ((AccessToken->TokenFlags & TOKEN_SESSION_NOT_REFERENCED) == 0) SepRmDereferenceLogonSession(&AccessToken->AuthenticationId); @@ -1359,6 +1381,15 @@ SepCreateToken( goto Quit; } + /* Insert the referenced logon session into the token */ + Status = SepRmInsertLogonSessionIntoToken(AccessToken); + if (!NT_SUCCESS(Status)) + { + /* Failed to insert the logon session into the token, bail out */ + DPRINT1("SepRmInsertLogonSessionIntoToken() failed (Status 0x%lx)\n", Status); + goto Quit; + } + /* Assign the data that reside in the TOKEN's variable information area */ AccessToken->VariableLength = VariableLength; EndMem = (PVOID)&AccessToken->VariablePart; @@ -3299,14 +3330,20 @@ NtSetInformationToken( if (OldTokenFlags == Token->TokenFlags) SessionReference = ULONG_MAX; + /* + * Otherwise if the flag was never set but just for this first time then + * remove the referenced logon session data from the token and dereference + * the logon session when needed. + */ + if (SessionReference == 0) + { + SepRmRemoveLogonSessionFromToken(Token); + SepRmDereferenceLogonSession(&Token->AuthenticationId); + } + /* Unlock the token */ SepReleaseTokenLock(Token); } - - /* Dereference the logon session if needed */ - if (SessionReference == 0) - SepRmDereferenceLogonSession(&Token->AuthenticationId); - break; }