commit 96761885432e19d4035922178e56c4c49f844153 Author: Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org AuthorDate: Sun May 22 18:33:46 2022 +0200 Commit: Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org CommitDate: Mon May 23 19:30:36 2022 +0200
[NTOS:SE] NtAdjustGroupsToken(): Avoid double-free on ObReferenceObjectByHandle failure path (#4523) --- ntoskrnl/se/token.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c
index aad1321abd6..65018f60f3f 100644
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@@ -5256,7 +5256,6 @@ NtAdjustGroupsToken(
 ULONG NewStateSize = 0;
 PSID_AND_ATTRIBUTES CapturedGroups = NULL;
 BOOLEAN ChangesMade = FALSE;
- BOOLEAN LockAndReferenceAcquired = FALSE;
 PAGED_CODE();
@@ -5363,12 +5362,11 @@ NtAdjustGroupsToken(
 TRUE);
 }
- goto Quit;
+ return Status;
 }
 /* Lock the token */
 SepAcquireTokenLockExclusive(Token);
- LockAndReferenceAcquired = TRUE;
 /* Count the number of groups to be changed */
 Status = SepAdjustGroups(Token,
@@ -5442,13 +5440,9 @@ Quit:
 ExAllocateLocallyUniqueId(&Token->ModifiedId);
 }
- /* Have we successfully acquired the lock and referenced the token before? */
- if (LockAndReferenceAcquired)
- {
- /* Unlock and dereference the token */
- SepReleaseTokenLock(Token);
- ObDereferenceObject(Token);
- }
+ /* Unlock and dereference the token */
+ SepReleaseTokenLock(Token);
+ ObDereferenceObject(Token);
 /* Release the captured groups */
 if (CapturedGroups != NULL)
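Review bot: The now-unconditional `SepReleaseTokenLock(Token); ObDereferenceObject(Token);` at `Quit:` is correct only if every remaining `goto Quit` in NtAdjustGroupsToken is reached after `SepAcquireTokenLockExclusive(Token)` in the previous hunk, which the `return Status;` that replaces `goto Quit` there establishes for the ObReferenceObjectByHandle failure path; the other jump sites are outside these hunks, so I cannot confirm it here. That early return in turn relies on the call whose closing `TRUE);` opens the hunk (presumably the release of the captured groups) having already freed them, since the `CapturedGroups != NULL` cleanup below is now skipped for that path. Releasing an unheld lock or dropping an extra reference would be a correctness hazard comparable to the double free this commit removes, so the invariant deserves to be stated at the label, e.g. `/* Quit: only reached with the token locked and referenced; failures before SepAcquireTokenLockExclusive() must return directly */`. The function's body begins and continues outside the hunk.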