From 9bccd936558eb1374d5a2b718614954f32973fc3 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?= Date: Sat, 14 Nov 2015 16:20:00 +0000 Subject: [PATCH 1/1] [CONSRV]: Use NtDuplicateObject with DUPLICATE_CLOSE_SOURCE to close a duplicated handle in a target process (instead of erroneously call NtClose on it). Should fix CORE-10510 and CORE-9742. Thanks to Thomas Faber for having pointed me to the source of the problem. svn path=/trunk/; revision=69889 --- .../user/winsrv/consrv/condrv/graphics.c | 12 ++++++---- reactos/win32ss/user/winsrv/consrv/handle.c | 24 ++++++++++++++----- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/reactos/win32ss/user/winsrv/consrv/condrv/graphics.c b/reactos/win32ss/user/winsrv/consrv/condrv/graphics.c index c2a0a82a951..a71bb3c73a2 100644 --- a/reactos/win32ss/user/winsrv/consrv/condrv/graphics.c +++ b/reactos/win32ss/user/winsrv/consrv/condrv/graphics.c @@ -163,7 +163,8 @@ GRAPHICS_BUFFER_Initialize(OUT PCONSOLE_SCREEN_BUFFER* Buffer, if (!NT_SUCCESS(Status)) { DPRINT1("Error: Impossible to create a shared section, Status = 0x%08lx\n", Status); - NtClose(NewBuffer->ClientMutex); + NtDuplicateObject(ProcessHandle, NewBuffer->ClientMutex, + NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE); NtClose(NewBuffer->Mutex); ConsoleFreeHeap(NewBuffer->BitMapInfo); CONSOLE_SCREEN_BUFFER_Destroy((PCONSOLE_SCREEN_BUFFER)NewBuffer); @@ -189,7 +190,8 @@ GRAPHICS_BUFFER_Initialize(OUT PCONSOLE_SCREEN_BUFFER* Buffer, { DPRINT1("Error: Impossible to map the shared section, Status = 0x%08lx\n", Status); NtClose(NewBuffer->hSection); - NtClose(NewBuffer->ClientMutex); + NtDuplicateObject(ProcessHandle, NewBuffer->ClientMutex, + NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE); NtClose(NewBuffer->Mutex); ConsoleFreeHeap(NewBuffer->BitMapInfo); CONSOLE_SCREEN_BUFFER_Destroy((PCONSOLE_SCREEN_BUFFER)NewBuffer); @@ -217,7 +219,8 @@ GRAPHICS_BUFFER_Initialize(OUT PCONSOLE_SCREEN_BUFFER* Buffer, DPRINT1("Error: Impossible to map the shared section, Status = 0x%08lx\n", Status); NtUnmapViewOfSection(NtCurrentProcess(), NewBuffer->BitMap); NtClose(NewBuffer->hSection); - NtClose(NewBuffer->ClientMutex); + NtDuplicateObject(ProcessHandle, NewBuffer->ClientMutex, + NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE); NtClose(NewBuffer->Mutex); ConsoleFreeHeap(NewBuffer->BitMapInfo); CONSOLE_SCREEN_BUFFER_Destroy((PCONSOLE_SCREEN_BUFFER)NewBuffer); @@ -260,7 +263,8 @@ GRAPHICS_BUFFER_Destroy(IN OUT PCONSOLE_SCREEN_BUFFER Buffer) NtUnmapViewOfSection(Buff->ClientProcess, Buff->ClientBitMap); NtUnmapViewOfSection(NtCurrentProcess(), Buff->BitMap); NtClose(Buff->hSection); - NtClose(Buff->ClientMutex); + NtDuplicateObject(Buff->ClientProcess, Buff->ClientMutex, + NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE); NtClose(Buff->Mutex); ConsoleFreeHeap(Buff->BitMapInfo); diff --git a/reactos/win32ss/user/winsrv/consrv/handle.c b/reactos/win32ss/user/winsrv/consrv/handle.c index 9a3285fe6c6..125dfab6753 100644 --- a/reactos/win32ss/user/winsrv/consrv/handle.c +++ b/reactos/win32ss/user/winsrv/consrv/handle.c @@ -548,7 +548,9 @@ ConSrvAllocateConsole(PCONSOLE_PROCESS_DATA ProcessData, if (!NT_SUCCESS(Status)) { DPRINT1("NtDuplicateObject(InitEvents[INIT_FAILURE]) failed: %lu\n", Status); - NtClose(ConsoleInitInfo->ConsoleStartInfo->InitEvents[INIT_SUCCESS]); + NtDuplicateObject(ProcessData->Process->ProcessHandle, + ConsoleInitInfo->ConsoleStartInfo->InitEvents[INIT_SUCCESS], + NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE); ConSrvFreeHandlesTable(ProcessData); ConSrvDeleteConsole(Console); ProcessData->ConsoleHandle = NULL; @@ -564,8 +566,12 @@ ConSrvAllocateConsole(PCONSOLE_PROCESS_DATA ProcessData, if (!NT_SUCCESS(Status)) { DPRINT1("NtDuplicateObject(InputWaitHandle) failed: %lu\n", Status); - NtClose(ConsoleInitInfo->ConsoleStartInfo->InitEvents[INIT_FAILURE]); - NtClose(ConsoleInitInfo->ConsoleStartInfo->InitEvents[INIT_SUCCESS]); + NtDuplicateObject(ProcessData->Process->ProcessHandle, + ConsoleInitInfo->ConsoleStartInfo->InitEvents[INIT_FAILURE], + NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE); + NtDuplicateObject(ProcessData->Process->ProcessHandle, + ConsoleInitInfo->ConsoleStartInfo->InitEvents[INIT_SUCCESS], + NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE); ConSrvFreeHandlesTable(ProcessData); ConSrvDeleteConsole(Console); ProcessData->ConsoleHandle = NULL; @@ -669,7 +675,9 @@ ConSrvInheritConsole(PCONSOLE_PROCESS_DATA ProcessData, if (!NT_SUCCESS(Status)) { DPRINT1("NtDuplicateObject(InitEvents[INIT_FAILURE]) failed: %lu\n", Status); - NtClose(ConsoleStartInfo->InitEvents[INIT_SUCCESS]); + NtDuplicateObject(ProcessData->Process->ProcessHandle, + ConsoleStartInfo->InitEvents[INIT_SUCCESS], + NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE); ConSrvFreeHandlesTable(ProcessData); ProcessData->ConsoleHandle = NULL; goto Quit; @@ -684,8 +692,12 @@ ConSrvInheritConsole(PCONSOLE_PROCESS_DATA ProcessData, if (!NT_SUCCESS(Status)) { DPRINT1("NtDuplicateObject(InputWaitHandle) failed: %lu\n", Status); - NtClose(ConsoleStartInfo->InitEvents[INIT_FAILURE]); - NtClose(ConsoleStartInfo->InitEvents[INIT_SUCCESS]); + NtDuplicateObject(ProcessData->Process->ProcessHandle, + ConsoleStartInfo->InitEvents[INIT_FAILURE], + NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE); + NtDuplicateObject(ProcessData->Process->ProcessHandle, + ConsoleStartInfo->InitEvents[INIT_SUCCESS], + NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE); ConSrvFreeHandlesTable(ProcessData); // NOTE: Always free the handles table. ProcessData->ConsoleHandle = NULL; goto Quit; -- 2.17.1