[NTOSKRNL] Check that caller has the priviliege to unload a driver

Also, probe the service name when unloading a driver if called from
user-mode. This will avoid that userland applications can trigger an
invalid read in the kernel (and thus, a BSOD).

CORE-15468

diff --git a/ntoskrnl/io/iomgr/driver.c b/ntoskrnl/io/iomgr/driver.c
index 4e1814d..a1584f5 100644 (file)
--- a/ntoskrnl/io/iomgr/driver.c
+++ b/ntoskrnl/io/iomgr/driver.c
@@ -1187,17 +1187,43 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers)
     NTSTATUS Status;
     PWSTR Start;
     BOOLEAN SafeToUnload = TRUE;
     NTSTATUS Status;
     PWSTR Start;
     BOOLEAN SafeToUnload = TRUE;

-
-    DPRINT("IopUnloadDriver('%wZ', %u)\n", DriverServiceName, UnloadPnpDrivers);
+    KPROCESSOR_MODE PreviousMode;
+    UNICODE_STRING CapturedServiceName;

 
     PAGED_CODE();
 
 
     PAGED_CODE();
 

+    PreviousMode = ExGetPreviousMode();
+
+    /* Need the appropriate priviliege */
+    if (!SeSinglePrivilegeCheck(SeLoadDriverPrivilege, PreviousMode))
+    {
+        DPRINT1("No unload privilege!\n");
+        return STATUS_PRIVILEGE_NOT_HELD;
+    }
+
+    /* Capture the service name */
+    Status = ProbeAndCaptureUnicodeString(&CapturedServiceName, PreviousMode, DriverServiceName);
+    if (!NT_SUCCESS(Status))
+    {
+        return Status;
+    }
+
+    DPRINT("IopUnloadDriver('%wZ', %u)\n", &CapturedServiceName, UnloadPnpDrivers);
+
+
+    /* We need a service name */
+    if (CapturedServiceName.Length == 0)
+    {
+        ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
+        return STATUS_INVALID_PARAMETER;
+    }
+

     /*
      * Get the service name from the registry key name
      */
     /*
      * Get the service name from the registry key name
      */

-    Start = wcsrchr(DriverServiceName->Buffer, L'\\');
+    Start = wcsrchr(CapturedServiceName.Buffer, L'\\');

     if (Start == NULL)
     if (Start == NULL)

-        Start = DriverServiceName->Buffer;
+        Start = CapturedServiceName.Buffer;

     else
         Start++;
 
     else
         Start++;
 


@@ -1211,7 +1237,11 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers)
     ObjectName.Buffer = ExAllocatePoolWithTag(PagedPool,
                                               ObjectName.MaximumLength,
                                               TAG_IO);
     ObjectName.Buffer = ExAllocatePoolWithTag(PagedPool,
                                               ObjectName.MaximumLength,
                                               TAG_IO);

-    if (!ObjectName.Buffer) return STATUS_INSUFFICIENT_RESOURCES;
+    if (!ObjectName.Buffer)
+    {
+        ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
+        return STATUS_INSUFFICIENT_RESOURCES;
+    }

     wcscpy(ObjectName.Buffer, DRIVER_ROOT_NAME);
     memcpy(ObjectName.Buffer + 8, Start, ObjectName.Length - 8 * sizeof(WCHAR));
     ObjectName.Buffer[ObjectName.Length/sizeof(WCHAR)] = UNICODE_NULL;
     wcscpy(ObjectName.Buffer, DRIVER_ROOT_NAME);
     memcpy(ObjectName.Buffer + 8, Start, ObjectName.Length - 8 * sizeof(WCHAR));
     ObjectName.Buffer[ObjectName.Length/sizeof(WCHAR)] = UNICODE_NULL;


@@ -1232,6 +1262,7 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers)
     {
         DPRINT1("Can't locate driver object for %wZ\n", &ObjectName);
         ExFreePoolWithTag(ObjectName.Buffer, TAG_IO);
     {
         DPRINT1("Can't locate driver object for %wZ\n", &ObjectName);
         ExFreePoolWithTag(ObjectName.Buffer, TAG_IO);

+        ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);

         return Status;
     }
 
         return Status;
     }
 


@@ -1243,6 +1274,7 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers)
     {
         DPRINT1("Driver deletion pending\n");
         ObDereferenceObject(DriverObject);
     {
         DPRINT1("Driver deletion pending\n");
         ObDereferenceObject(DriverObject);

+        ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);

         return STATUS_DELETE_PENDING;
     }
 
         return STATUS_DELETE_PENDING;
     }
 


@@ -1258,11 +1290,14 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers)
     QueryTable[0].EntryContext = &ImagePath;
 
     Status = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE,
     QueryTable[0].EntryContext = &ImagePath;
 
     Status = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE,

-                                    DriverServiceName->Buffer,
+                                    CapturedServiceName.Buffer,

                                     QueryTable,
                                     NULL,
                                     NULL);
 
                                     QueryTable,
                                     NULL,
                                     NULL);
 

+    /* We no longer need service name */
+    ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
+

     if (!NT_SUCCESS(Status))
     {
         DPRINT1("RtlQueryRegistryValues() failed (Status %x)\n", Status);
     if (!NT_SUCCESS(Status))
     {
         DPRINT1("RtlQueryRegistryValues() failed (Status %x)\n", Status);