[weiden] 13553: probe pointers in NtCreateToken. Still needs some work as access to the buffers needs to be secured
probe pointers in NtCreateToken. Still needs some work as access to the buffers needs to be secured Modified: trunk/reactos/ntoskrnl/se/token.c _____
Modified: trunk/reactos/ntoskrnl/se/token.c --- trunk/reactos/ntoskrnl/se/token.c 2005-02-14 00:28:12 UTC (rev 13552) +++ trunk/reactos/ntoskrnl/se/token.c 2005-02-14 00:32:09 UTC (rev 13553) @@ -1588,7 +1588,7 @@
NTSTATUS STDCALL -NtCreateToken(OUT PHANDLE UnsafeTokenHandle, +NtCreateToken(OUT PHANDLE TokenHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN TOKEN_TYPE TokenType, @@ -1602,14 +1602,64 @@ IN PTOKEN_DEFAULT_DACL TokenDefaultDacl, IN PTOKEN_SOURCE TokenSource) { - HANDLE TokenHandle; + HANDLE hToken; PTOKEN AccessToken; - NTSTATUS Status; LUID TokenId; LUID ModifiedId; PVOID EndMem; ULONG uLength; ULONG i; + KPROCESSOR_MODE PreviousMode; + NTSTATUS Status = STATUS_SUCCESS; + + PreviousMode = ExGetPreviousMode(); + + if(PreviousMode != KernelMode) + { + _SEH_TRY + { + ProbeForWrite(TokenHandle, + sizeof(HANDLE), + sizeof(ULONG)); + ProbeForRead(AuthenticationId, + sizeof(LUID), + sizeof(ULONG)); + ProbeForRead(ExpirationTime, + sizeof(LARGE_INTEGER), + sizeof(ULONG)); + ProbeForRead(TokenUser, + sizeof(TOKEN_USER), + sizeof(ULONG)); + ProbeForRead(TokenGroups, + sizeof(TOKEN_GROUPS), + sizeof(ULONG)); + ProbeForRead(TokenPrivileges, + sizeof(TOKEN_PRIVILEGES), + sizeof(ULONG)); + ProbeForRead(TokenOwner, + sizeof(TOKEN_OWNER), + sizeof(ULONG)); + ProbeForRead(TokenPrimaryGroup, + sizeof(TOKEN_PRIMARY_GROUP), + sizeof(ULONG)); + ProbeForRead(TokenDefaultDacl, + sizeof(TOKEN_DEFAULT_DACL), + sizeof(ULONG)); + ProbeForRead(TokenSource, + sizeof(TOKEN_SOURCE), + sizeof(ULONG)); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + + if(!NT_SUCCESS(Status)) + { + return Status; + } + }
Status = ZwAllocateLocallyUniqueId(&TokenId); if (!NT_SUCCESS(Status)) @@ -1619,10 +1669,10 @@ if (!NT_SUCCESS(Status)) return(Status);
- Status = ObCreateObject(ExGetPreviousMode(), + Status = ObCreateObject(PreviousMode, SepTokenObjectType, ObjectAttributes, - ExGetPreviousMode(), + PreviousMode, NULL, sizeof(TOKEN), 0, @@ -1634,19 +1684,6 @@ return(Status); }
- Status = ObInsertObject ((PVOID)AccessToken, - NULL, - DesiredAccess, - 0, - NULL, - &TokenHandle); - if (!NT_SUCCESS(Status)) - { - DPRINT1("ObInsertObject() failed (Status %lx)\n"); - ObDereferenceObject (AccessToken); - return Status; - } - RtlCopyLuid(&AccessToken->TokenSource.SourceIdentifier, &TokenSource->SourceIdentifier); memcpy(AccessToken->TokenSource.SourceName, @@ -1740,22 +1777,33 @@ TokenDefaultDacl->DefaultDacl->AclSize); }
+ Status = ObInsertObject ((PVOID)AccessToken, + NULL, + DesiredAccess, + 0, + NULL, + &hToken); + if (!NT_SUCCESS(Status)) + { + DPRINT1("ObInsertObject() failed (Status %lx)\n", Status); + } + ObDereferenceObject(AccessToken);
if (NT_SUCCESS(Status)) { - Status = MmCopyToCaller(UnsafeTokenHandle, - &TokenHandle, - sizeof(HANDLE)); + _SEH_TRY + { + *TokenHandle = hToken; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; }
- if (!NT_SUCCESS(Status)) - { - ZwClose(TokenHandle); - return(Status); - } - - return(STATUS_SUCCESS); + return Status; }
-
weiden@svn.reactos.com