Author: hbelusca Date: Wed Feb 11 20:12:30 2015 New Revision: 66223
URL: http://svn.reactos.org/svn/reactos?rev=66223&view=rev Log: [WIN32K]: Fix an insecure user buffer reading/writing. Caught by Thomas Faber, thanks! CORE-8322
Modified: trunk/reactos/win32ss/user/ntuser/ntstubs.c
Modified: trunk/reactos/win32ss/user/ntuser/ntstubs.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/ntstubs... ==============================================================================
--- trunk/reactos/win32ss/user/ntuser/ntstubs.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/ntstubs.c [iso-8859-1] Wed Feb 11 20:12:30 2015
@@ -790,6 +790,8 @@
 {
 case UserThreadInitiateShutdown:
 {
+ ULONG CapturedFlags = 0;
+
 ERR("Shutdown initiated\n");
 if (ThreadInformationLength != sizeof(ULONG))
@@ -798,7 +800,33 @@
 break;
 }
- Status = UserInitiateShutdown(Thread, (PULONG)ThreadInformation);
+ /* Capture the caller value */
+ Status = STATUS_SUCCESS;
+ _SEH2_TRY
+ {
+ ProbeForWrite(ThreadInformation, sizeof(CapturedFlags), sizeof(PVOID));
+ CapturedFlags = *(PULONG)ThreadInformation;
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = _SEH2_GetExceptionCode();
+ }
+ _SEH2_END;
+
+ if (NT_SUCCESS(Status))
+ Status = UserInitiateShutdown(Thread, &CapturedFlags);
+
+ /* Return the modified value to the caller */
+ _SEH2_TRY
+ {
+ *(PULONG)ThreadInformation = CapturedFlags;
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = _SEH2_GetExceptionCode();
+ }
+ _SEH2_END;
+
 break;
 }
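Review bot: The write-back block after the `UserInitiateShutdown` call runs unconditionally, so when the capture block fails (ProbeForWrite raised) `*(PULONG)ThreadInformation = CapturedFlags;` still stores through a pointer that was never validated. SEH only converts a fault into a status; it does not prevent a store to an address that is mapped but lies outside the user range. Bail out right after the first `_SEH2_END;` with `if (!NT_SUCCESS(Status)) break;`, which also makes the later `if (NT_SUCCESS(Status))` guard unnecessary. Separately, the probe passes `sizeof(PVOID)` as the alignment for a `ULONG`, which looks stricter than needed on 64-bit builds; `sizeof(ULONG)` would match the captured type. The enclosing switch and function start and end outside this hunk.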
@@ -814,6 +842,7 @@
 break;
 }
+ /* Capture the caller value */
 Status = STATUS_SUCCESS;
 _SEH2_TRY
 {
@@ -844,6 +873,7 @@
 break;
 }
+ /* Capture the caller value */
 Status = STATUS_SUCCESS;
 _SEH2_TRY
 {