From bb3783a5244b4817bc7b27979cdd03266187bd4b Mon Sep 17 00:00:00 2001
From: Alex Ionescu
Date: Mon, 30 Jan 2012 07:48:49 +0000
Subject: [PATCH] =?utf8?q?[NTOSKRNL]:=20hubris=20[=CB=88hju=CB=90br=C9=AAs?=
 =?utf8?q?],=20hybris=20n.=201.=20Belief=20that=20Ob=20is=20perfect.=20Fix?=
 =?utf8?q?=20a=20major=20bug=20which=20allowed=20user-mode=20applications?=
 =?utf8?q?=20to=20get=20kernel=20handles=20if=20they=20so=20requested=20--?=
 =?utf8?q?=20of=20course,=20they=20woudl=20then=20be=20completely=20unable?=
 =?utf8?q?=20to=20use=20such=20handles.=20This=20pattern=20is=20seen=20in?=
 =?utf8?q?=20Rtl=20code=20which=20we=20share,=20and=20where=20the=20intent?=
 =?utf8?q?=20is=20to=20give=20kernel=20kernel=20handles,=20and=20user=20us?=
 =?utf8?q?er=20handles,=20so=20OBJ=5FKERNEL=5FHANDLE=20is=20unconditionall?=
 =?utf8?q?y=20used,=20which=20in=20NT=20had=20the=20right=20effect.=20For?=
 =?utf8?q?=20us=20though,=20it=20gave=20unusable=20user-handles.=20This=20?=
 =?utf8?q?had=20the=20direct=20effect=20of=20completely=20breaking=20RtlQu?=
 =?utf8?q?eryRegistryValues=20from=20user-mode=20if=20the=20TOPKEY=20or=20?=
 =?utf8?q?SUBKEY=20flags=20were=20used.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

svn path=/trunk/; revision=55318
---
 reactos/ntoskrnl/include/internal/ob.h | 1 +
 reactos/ntoskrnl/ob/obhandle.c | 1 +
 reactos/ntoskrnl/ob/oblife.c | 15 +++++++++------
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/reactos/ntoskrnl/include/internal/ob.h b/reactos/ntoskrnl/include/internal/ob.h
index 3c8ad1edf3d..cc9ff526cca 100644
--- a/reactos/ntoskrnl/include/internal/ob.h
+++ b/reactos/ntoskrnl/include/internal/ob.h
@@ -559,6 +559,7 @@ NTAPI
 ObpCaptureObjectCreateInformation(
     IN POBJECT_ATTRIBUTES ObjectAttributes,
     IN KPROCESSOR_MODE AccessMode,
+    IN KPROCESSOR_MODE CreatorMode,
     IN BOOLEAN AllocateFromLookaside,
     IN POBJECT_CREATE_INFORMATION ObjectCreateInfo,
     OUT PUNICODE_STRING ObjectName
diff --git a/reactos/ntoskrnl/ob/obhandle.c b/reactos/ntoskrnl/ob/obhandle.c
index 346ea5bd4b0..6dfa67607d9 100644
--- a/reactos/ntoskrnl/ob/obhandle.c
+++ b/reactos/ntoskrnl/ob/obhandle.c
@@ -2456,6 +2456,7 @@ ObOpenObjectByName(IN POBJECT_ATTRIBUTES ObjectAttributes,
     /* Capture all the info */
     Status = ObpCaptureObjectCreateInformation(ObjectAttributes,
+                                               AccessMode,
                                                AccessMode,
                                                TRUE,
                                                &TempBuffer->ObjectCreateInfo,
diff --git a/reactos/ntoskrnl/ob/oblife.c b/reactos/ntoskrnl/ob/oblife.c
index 724c7f57696..5b4727483f9 100644
--- a/reactos/ntoskrnl/ob/oblife.c
+++ b/reactos/ntoskrnl/ob/oblife.c
@@ -442,10 +442,11 @@ ObpCaptureObjectName(IN OUT PUNICODE_STRING CapturedName,
 NTSTATUS
 NTAPI
 ObpCaptureObjectCreateInformation(IN POBJECT_ATTRIBUTES ObjectAttributes,
-                                  IN KPROCESSOR_MODE AccessMode,
-                                  IN BOOLEAN AllocateFromLookaside,
-                                  IN POBJECT_CREATE_INFORMATION ObjectCreateInfo,
-                                  OUT PUNICODE_STRING ObjectName)
+                                  IN KPROCESSOR_MODE AccessMode,
+                                  IN KPROCESSOR_MODE CreatorMode,
+                                  IN BOOLEAN AllocateFromLookaside,
+                                  IN POBJECT_CREATE_INFORMATION ObjectCreateInfo,
+                                  OUT PUNICODE_STRING ObjectName)
 {
     NTSTATUS Status = STATUS_SUCCESS;
     PSECURITY_DESCRIPTOR SecurityDescriptor;
@@ -479,9 +480,10 @@ ObpCaptureObjectCreateInformation(IN POBJECT_ATTRIBUTES ObjectAttributes,
         _SEH2_YIELD(return STATUS_INVALID_PARAMETER);
     }
-    /* Set some Create Info */
+    /* Set some Create Info and do not allow user-mode kernel handles */
     ObjectCreateInfo->RootDirectory = ObjectAttributes->RootDirectory;
-    ObjectCreateInfo->Attributes = ObjectAttributes->Attributes;
+    ObjectCreateInfo->Attributes = ObjectAttributes->Attributes & OBJ_VALID_ATTRIBUTES;
+    if (CreatorMode != KernelMode) ObjectCreateInfo->Attributes &= ~OBJ_KERNEL_HANDLE;
     LocalObjectName = ObjectAttributes->ObjectName;
     SecurityDescriptor = ObjectAttributes->SecurityDescriptor;
     SecurityQos = ObjectAttributes->SecurityQualityOfService;
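Review bot: The two consecutive `AccessMode` arguments in the ObpCaptureObjectCreateInformation call in ObOpenObjectByName read like a duplicated line, and since both parameters are KPROCESSOR_MODE a swap or a stray extra copy would compile silently. A trailing comment on the added argument, `AccessMode, /* CreatorMode */`, ties it to the new parameter and makes the "creator == requestor" choice visible at the call site. The ObCreateObject hunk in oblife.c has the same two-mode ambiguity (`ProbeMode` feeds AccessMode and `AccessMode` feeds CreatorMode) and would benefit from the same annotation. Both enclosing functions start and end outside their hunks.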
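Review bot: The new `CreatorMode` parameter of ObpCaptureObjectCreateInformation is undocumented, and nothing at the definition distinguishes it from `AccessMode`, which matters because the following hunk uses CreatorMode alone to decide whether OBJ_KERNEL_HANDLE survives. I would add a short comment above the definition such as `/* AccessMode: mode the ObjectAttributes are probed against; CreatorMode: mode of the caller the object is created for - only KernelMode may keep OBJ_KERNEL_HANDLE */` and mirror it on the prototype in ob.h. Whether AccessMode is in fact the probe mode is not visible in this hunk, so that half of the wording should be confirmed against the body. The function body continues past the hunk.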
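Review bot: The `& OBJ_VALID_ATTRIBUTES` mask on the Attributes assignment silently discards any bits outside the valid set instead of failing the call, so if the check that ends in the `_SEH2_YIELD(return STATUS_INVALID_PARAMETER)` just above only validates the structure length (its condition lies outside the hunk), a caller passing unknown bits now gets success with a quietly altered request rather than STATUS_INVALID_PARAMETER. Rejecting up front keeps the mask as a second line of defence: `if (ObjectAttributes->Attributes & ~OBJ_VALID_ATTRIBUTES) _SEH2_YIELD(return STATUS_INVALID_PARAMETER);` next to the existing length check, inside the same protected region. The OBJ_KERNEL_HANDLE strip is keyed on CreatorMode alone, so it only covers callers that go through this capture routine; any path that copies ObjectAttributes->Attributes directly would need the same treatment, which this hunk cannot confirm either way. The enclosing function starts and ends outside the hunk.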
@@ -942,6 +944,7 @@ ObCreateObject(IN KPROCESSOR_MODE ProbeMode OPTIONAL,
     /* Capture all the info */
     Status = ObpCaptureObjectCreateInformation(ObjectAttributes,
                                                ProbeMode,
+                                               AccessMode,
                                                FALSE,
                                                ObjectCreateInfo,
                                                &ObjectName);
--
2.17.1