From e601c831b9a3ec1f09fa8f1eae252036b397abce Mon Sep 17 00:00:00 2001
From: Thomas Bluemel
Date: Sat, 29 Oct 2005 22:15:10 +0000
Subject: [PATCH] - don't dereference the section object in MmCreateProcessAddressSpace - properly handle object references in PspCreateProcess

svn path=/trunk/; revision=18860
---
 reactos/ntoskrnl/mm/process.c | 2 -
 reactos/ntoskrnl/ps/process.c | 84 ++++++++++++++++-------------------
 2 files changed, 39 insertions(+), 47 deletions(-)

diff --git a/reactos/ntoskrnl/mm/process.c b/reactos/ntoskrnl/mm/process.c
index d8b85d9f698..b07b5da887e 100644
--- a/reactos/ntoskrnl/mm/process.c
+++ b/reactos/ntoskrnl/mm/process.c
@@ -473,10 +473,8 @@ MmCreateProcessAddressSpace(IN PEPROCESS Process,
 if (!NT_SUCCESS(Status))
 {
 DPRINT1("Failed to map process Image\n");
- ObDereferenceObject(Section);
 goto exit;
 }
- ObDereferenceObject(Section);

 /* Save the pointer */
 Process->SectionBaseAddress = ImageBase;
diff --git a/reactos/ntoskrnl/ps/process.c b/reactos/ntoskrnl/ps/process.c
index e2f36f75c3f..d3ec90a9263 100644
--- a/reactos/ntoskrnl/ps/process.c
+++ b/reactos/ntoskrnl/ps/process.c
@@ -183,8 +183,8 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 IN HANDLE ExceptionPort OPTIONAL)
 {
 HANDLE hProcess;
- PEPROCESS Process;
- PEPROCESS pParentProcess;
+ PEPROCESS Process = NULL;
+ PEPROCESS pParentProcess = NULL;
 PEPORT pDebugPort = NULL;
 PEPORT pExceptionPort = NULL;
 PSECTION_OBJECT SectionObject = NULL;
@@ -194,6 +194,7 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 KAFFINITY Affinity;
 HANDLE_TABLE_ENTRY CidEntry;
 DirectoryTableBase.QuadPart = (ULONGLONG)0;
+ BOOLEAN ProcessCreated = FALSE;

 DPRINT("PspCreateProcess(ObjectAttributes %x)\n", ObjectAttributes);

@@ -210,7 +211,7 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 if (!NT_SUCCESS(Status))
 {
 DPRINT1("Failed to reference the parent process: Status: 0x%x\n", Status);
- return(Status);
+ goto Cleanup;
 }

 /* Inherit Parent process's Affinity. */
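Review bot: With both `ObDereferenceObject(Section)` calls removed, MmCreateProcessAddressSpace no longer consumes the caller's reference on Section on either path, and nothing in the hunk records that the caller now owns it; MmCreateProcessAddressSpace's header and its `exit` label are outside the hunk. I'd add a comment just above the `if (!NT_SUCCESS(Status))` shown here: `/* Section is borrowed from the caller (PspCreateProcess), which releases or keeps the reference; do not dereference it on any path */`. Without that, the obvious "fix" of putting the dereference back on the failure path would reintroduce a double release against the new Cleanup block in ps/process.c, which already drops SectionObject when the process was not created.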
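Review bot: In the `@@ -194,6 +194,7 @@` hunk, `BOOLEAN ProcessCreated = FALSE;` is inserted after the statement `DirectoryTableBase.QuadPart = (ULONGLONG)0;`, which makes it a declaration after a statement — a C89 violation that older MSVC C compilers reject and that gcc flags with -Wdeclaration-after-statement. Moving the line up into the declaration list, e.g. right after `PSECTION_OBJECT SectionObject = NULL;` in the `@@ -183,8 +183,8 @@` hunk, keeps the function portable with no behaviour change. The rest of the declaration list is outside the hunk, so I cannot see whether the file already mixes declarations and code elsewhere.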
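Review bot: Replacing `return(Status);` with `goto Cleanup;` in the `@@ -210` hunk makes the new Cleanup block release whatever `pParentProcess` points to, so correctness here depends on ObReferenceObjectByHandle leaving the out-pointer untouched (still NULL) when it fails; the same assumption covers the debug port, exception port and section lookups in `@@ -242`, `@@ -259` and `@@ -275`, and ObCreateObject for `Process` in `@@ -294`. I cannot confirm that guarantee from this diff. If it does not hold, a failed lookup would leave a stale non-NULL pointer that Cleanup then dereferences. I'd either record the assumption next to the NULL initialisers — `/* Cleanup releases every non-NULL pointer below, so the Ob* lookups must not write the out-pointer on failure */` — or have each failure path set its pointer back to NULL before jumping.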
@@ -242,7 +243,7 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 if (!NT_SUCCESS(Status))
 {
 DPRINT1("Failed to reference the debug port: Status: 0x%x\n", Status);
- goto exitdereferenceobjects;
+ goto Cleanup;
 }
 }

@@ -259,7 +260,7 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 if (!NT_SUCCESS(Status))
 {
 DPRINT1("Failed to reference the exception port: Status: 0x%x\n", Status);
- goto exitdereferenceobjects;
+ goto Cleanup;
 }
 }

@@ -267,7 +268,7 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 if (SectionHandle != NULL)
 {
 Status = ObReferenceObjectByHandle(SectionHandle,
- 0,
+ SECTION_MAP_EXECUTE,
 MmSectionObjectType,
 PreviousMode,
 (PVOID*)&SectionObject,
@@ -275,7 +276,7 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 if (!NT_SUCCESS(Status))
 {
 DPRINT1("Failed to reference process image section: Status: 0x%x\n", Status);
- goto exitdereferenceobjects;
+ goto Cleanup;
 }
 }

@@ -294,7 +295,7 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 if (!NT_SUCCESS(Status))
 {
 DPRINT1("Failed to create process object, Status: 0x%x\n", Status);
- goto exitdereferenceobjects;
+ goto Cleanup;
 }

 /* Clean up the Object */
@@ -350,8 +351,7 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 if (!NT_SUCCESS(Status))
 {
 DbgPrint("PspInitializeProcessSecurity failed (Status %x)\n", Status);
- ObDereferenceObject(Process);
- goto exitdereferenceobjects;
+ goto Cleanup;
 }

 /* Create the Process' Address Space */
@@ -360,8 +360,7 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 if (!NT_SUCCESS(Status))
 {
 DPRINT1("Failed to create Address Space\n");
- ObDereferenceObject(Process);
- goto exitdereferenceobjects;
+ goto Cleanup;
 }

 if (SectionObject)
@@ -380,8 +379,8 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 if(!Process->UniqueProcessId)
 {
 DPRINT1("Failed to create CID handle\n");
- ObDereferenceObject(Process);
- goto exitdereferenceobjects;
+ Status = STATUS_UNSUCCESSFUL; /* FIXME - what error should we return? */
+ goto Cleanup;
 }

 /* FIXME: Insert into Job Object */
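Review bot: The access mask passed to ObReferenceObjectByHandle in the `@@ -267` hunk changes from `0` to `SECTION_MAP_EXECUTE`, which is the right check for a section that is about to become the process image, but the hunk leaves no comment explaining why that right is now mandatory, and the change tightens behaviour for callers whose section handle lacks it. I'd put one line above the call: `/* the section is mapped as the process image, so the handle must grant SECTION_MAP_EXECUTE */`. The error path in `@@ -275` already reports the status, so nothing further is needed there.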
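Review bot: `Status = STATUS_UNSUCCESSFUL;` in the `@@ -380` hunk at least stops this failure path from returning the presumably stale success status the old code left in Status, but the FIXME it carries is answerable: the only thing that can fail here is the creation of the CID handle, and the code that produces `Process->UniqueProcessId` is outside the hunk. If that routine fails only for lack of a handle-table entry, `Status = STATUS_INSUFFICIENT_RESOURCES;` is the conventional NT code and tells the caller something actionable; if it can fail for other reasons it should hand back its own NTSTATUS for this path to propagate. Either way I'd resolve the FIXME rather than ship the generic code.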
@@ -394,13 +393,8 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 if (!NT_SUCCESS(Status))
 {
 DbgPrint("NtCreateProcess() Peb creation failed: Status %x\n",Status);
- ObDereferenceObject(Process);
- goto exitdereferenceobjects;
+ goto Cleanup;
 }
-
- /* Let's take advantage of this time to kill the reference too */
- ObDereferenceObject(pParentProcess);
- pParentProcess = NULL;
 }

 /* W00T! The process can now be activated */
@@ -408,6 +402,8 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 ExAcquireFastMutex(&PspActiveProcessMutex);
 InsertTailList(&PsActiveProcessHead, &Process->ActiveProcessLinks);
 ExReleaseFastMutex(&PspActiveProcessMutex);
+
+ ProcessCreated = TRUE;

 /* FIXME: SeCreateAccessStateEx */

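Review bot: `ProcessCreated = TRUE;` in the `@@ -408` hunk is set right after the process is linked into PsActiveProcessHead but before the call that hands out the handle (its tail, `0, NULL, &hProcess);`, opens the `@@ -419` hunk), so if that call fails the function returns its error while the process stays on the active list and Cleanup deliberately keeps the Process, SectionObject and port references. Whether that is a leak or the intended hand-off depends on that call's failure contract, which is outside this diff. The flag also changes what the section reference means: once ProcessCreated is TRUE the reference taken on SectionObject is never released in this function, so some later teardown path must own it. I'd document that at the assignment, e.g. `/* From here on the process object owns the section and port references; they are released with the process, not in Cleanup */`, after confirming the process delete path actually does so.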
@@ -419,37 +415,35 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
 0,
 NULL,
 &hProcess);
- if (!NT_SUCCESS(Status))
+ if (NT_SUCCESS(Status))
 {
- DPRINT1("Could not get a handle to the Process Object\n");
- ObDereferenceObject(Process);
- goto exitdereferenceobjects;
- }
+ /* Set the Creation Time */
+ KeQuerySystemTime(&Process->CreateTime);

- /* Set the Creation Time */
- KeQuerySystemTime(&Process->CreateTime);
+ DPRINT("Done. Returning handle: %x\n", hProcess);
+ _SEH_TRY
+ {
+ *ProcessHandle = hProcess;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ } _SEH_END;
+ /* FIXME: ObGetObjectSecurity(Process, &SecurityDescriptor)
+ SeAccessCheck
+ */
+ }

- DPRINT("Done. Returning handle: %x\n", hProcess);
- _SEH_TRY
+Cleanup:
+ if(pParentProcess != NULL) ObDereferenceObject(pParentProcess);
+ if (!ProcessCreated)
 {
- *ProcessHandle = hProcess;
+ if(SectionObject != NULL) ObDereferenceObject(SectionObject);
+ if(pExceptionPort != NULL) ObDereferenceObject(pExceptionPort);
+ if(pDebugPort != NULL) ObDereferenceObject(pDebugPort);
+ if(Process != NULL) ObDereferenceObject(Process);
 }
- _SEH_HANDLE
- {
- Status = _SEH_GetExceptionCode();
- } _SEH_END;
- /* FIXME: ObGetObjectSecurity(Process, &SecurityDescriptor)
- SeAccessCheck
- */
- ObDereferenceObject(Process);
- return Status;
-
-exitdereferenceobjects:
- if(SectionObject != NULL) ObDereferenceObject(SectionObject);
- if(pExceptionPort != NULL) ObDereferenceObject(pExceptionPort);
- if(pDebugPort != NULL) ObDereferenceObject(pDebugPort);
- if(pParentProcess != NULL) ObDereferenceObject(pParentProcess);
 return Status;
 }

-- 
2.17.1
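Review bot: In the `_SEH_HANDLE` branch Status is set to the exception code but `hProcess` is left open: at that point the handle has already been inserted into the caller's handle table, so a bad `ProcessHandle` pointer makes the call report failure while the process keeps running under a handle the caller never receives. The pre-patch code had the same gap, but this hunk rewrites the block, so it is the place to close it; after `_SEH_END;` I would add `if (!NT_SUCCESS(Status)) ZwClose(hProcess);`, provided the handle-close path fully tears the process down given that Cleanup no longer dereferences Process once ProcessCreated is TRUE. The alternative is to probe the user pointer before the handle is created so the failure happens before anything is committed. Minor: the new Cleanup block mixes `if(` and `if (` spacing within five lines.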