[NTOS:WMI] WMIP_GUID_OBJECT must start with an event object, as it is waitable. (2303/head)
author    Thomas Faber <thomas.faber@reactos.org>
          Tue, 28 Jan 2020 18:52:55 +0000 (19:52 +0100)
committer Thomas Faber <thomas.faber@reactos.org>
          Sat, 15 Feb 2020 19:43:26 +0000 (20:43 +0100)
The initializer for WmipGuidObjectType does not set UseDefaultObject,
and it's possible for user mode to obtain a handle to a GUID object
with SYNCHRONIZE access. Therefore that handle can be passed to
NtWaitForSingleObject, which means it must start with a DISPATCHER_HEADER.

ntoskrnl/wmi/guidobj.c
ntoskrnl/wmi/wmip.h

index 1a13d36..48b8481 100644 (file)
@@ -204,6 +204,7 @@ WmipCreateGuidObject(
     }
 
     RtlZeroMemory(GuidObject, sizeof(*GuidObject));
+    KeInitializeEvent(&GuidObject->Event, NotificationEvent, FALSE);
     GuidObject->Guid = *Guid;
 
     *OutGuidObject = GuidObject;
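Review bot: The new `KeInitializeEvent(&GuidObject->Event, NotificationEvent, FALSE);` line creates the event non-signaled, and nothing else in this change ever signals it, so a user-mode wait on a GUID object handle obtained with SYNCHRONIZE access will block until its timeout rather than crash. If that is the intended semantics (the event exists only so the handle is a valid waitable object), a one-line comment at the call saying so would save the next reader from looking for the missing KeSetEvent; the placement after `RtlZeroMemory` and before `GuidObject->Guid = *Guid;` is correct.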
index 69ecf7d..f45cba0 100644 (file)
@@ -12,6 +12,7 @@ typedef struct _WMIP_IRP_CONTEXT
 
 typedef struct _WMIP_GUID_OBJECT
 {
+    KEVENT Event;
     GUID Guid;
     PIRP Irp;
     LIST_ENTRY IrpLink;
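Review bot: The correctness of this fix depends on `KEVENT Event;` staying the first member of `_WMIP_GUID_OBJECT`, because `NtWaitForSingleObject` treats the object body as a DISPATCHER_HEADER, but nothing in the header records that requirement. Suggest a comment above the member stating that it must remain first because user mode can wait on the handle, and a compile-time guard next to the typedef such as `C_ASSERT(FIELD_OFFSET(WMIP_GUID_OBJECT, Event) == 0);` so that a later reordering fails the build instead of silently reintroducing the bug.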