2006-05-25 06:07:11 +08:00
|
|
|
/*
|
|
|
|
* PROJECT: ReactOS Kernel
|
|
|
|
* LICENSE: GPL - See COPYING in the top level directory
|
2008-08-17 01:53:28 +08:00
|
|
|
* FILE: ntoskrnl/ob/obref.c
|
2006-05-25 06:07:11 +08:00
|
|
|
* PURPOSE: Manages the referencing and de-referencing of all Objects,
|
|
|
|
* as well as the Object Fast Reference implementation.
|
|
|
|
* PROGRAMMERS: Alex Ionescu (alex.ionescu@reactos.org)
|
|
|
|
* Eric Kohl
|
|
|
|
* Thomas Weidenmueller (w3seek@reactos.org)
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* INCLUDES ******************************************************************/
|
|
|
|
|
|
|
|
#include <ntoskrnl.h>
|
|
|
|
#define NDEBUG
|
2007-01-16 04:54:40 +08:00
|
|
|
#include <debug.h>
|
2006-05-25 06:07:11 +08:00
|
|
|
|
|
|
|
/* PRIVATE FUNCTIONS *********************************************************/
|
|
|
|
|
2006-07-14 23:26:19 +08:00
|
|
|
BOOLEAN
|
|
|
|
FASTCALL
|
|
|
|
ObReferenceObjectSafe(IN PVOID Object)
|
|
|
|
{
|
|
|
|
POBJECT_HEADER ObjectHeader;
|
2018-01-30 03:31:07 +08:00
|
|
|
LONG_PTR OldValue, NewValue;
|
2006-07-14 23:26:19 +08:00
|
|
|
|
|
|
|
/* Get the object header */
|
|
|
|
ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object);
|
|
|
|
|
|
|
|
/* Get the current reference count and fail if it's zero */
|
|
|
|
OldValue = ObjectHeader->PointerCount;
|
|
|
|
if (!OldValue) return FALSE;
|
|
|
|
|
|
|
|
/* Start reference loop */
|
|
|
|
do
|
|
|
|
{
|
|
|
|
/* Increase the reference count */
|
2018-01-30 03:31:07 +08:00
|
|
|
NewValue = InterlockedCompareExchangeSizeT(&ObjectHeader->PointerCount,
|
|
|
|
OldValue + 1,
|
|
|
|
OldValue);
|
2006-07-14 23:26:19 +08:00
|
|
|
if (OldValue == NewValue) return TRUE;
|
|
|
|
|
|
|
|
/* Keep looping */
|
|
|
|
OldValue = NewValue;
|
|
|
|
} while (OldValue);
|
|
|
|
|
|
|
|
/* If we got here, then the reference count is now 0 */
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
2006-07-12 03:45:16 +08:00
|
|
|
VOID
|
|
|
|
NTAPI
|
- Fix critical bugs in exception handling: Unwinding was completely broken, using the wrong SEH protector to detect collided unwinding. The correct protector itself also had a broken check.
- Fix architectural bug in the entire TrapFrame<->Context conversion system and Ring Privilege Transitions (Inter-ring and intra-ring) which was lacking proper sanitation and validation of segments, flags and debug registers. Among other things, IOPL is now respected, CS is not KGDT_R0_CODE | RPL_MASK anymore, and the GPF code is now properly being called. This completely fixes exception handling being totally broken and crashing firefox installer, mirc, and other applications.
- Rewrite the page fault handler base code in assembly instead of relying on a broken C routine. Detect VDM, V8086, detecting expected/normal fault in ExpInterlockedPopEntrySList and faults in the system handler code. Rewrite MmAccessFault to be the main function that calls out to other sub-fault functions, and use the same prototype as NT.
- Fix the KGDT boot table to have proper granularity and big flags, and extend it to 256 entries.
- Create proper thread context in RtlInitializeContext and cleanup Rtl Thread routines.
- Remove all int3 and breakpoints from trap handlers, and replace them with a much better "UNHANDLED_PATH" macro which freezes the system, beeps, and displays a message with the line of code that's unhandled. This is to clearly tell the user that something is unhandled, instead of nesting infinite exceptions due to the int3.
- Fix a bug in INT_PROLOG.
- Sanitize EFLAGS and Code Segments in KeContextToTrapFrame and KeTrapFrameToContext.
- Implement KiUpdateDr7 and KiRecordDr7 as well as DR_MASK and other DR-validation macros and functions to protect against DR-vulnerabilites as well as to properly account for each active hardware breakpoint in a per-thread fashion by using the dispatcher header.
- Allow CR0_EM when running in a VDM.
- Fix FPU/NPX Register handling in KeContextToTrapFrame and KeTrapFrameToContext, and also speed it up by manual copying instead of a memory move.
- Properly give IOPL 3 to user-mode threads if they requested it.
- Detect GPF during GPF.
- Detect pagefault with a trap-frame spread over two or more pages and nested.
- Properly sanitize and set correct trap frame in KiInitailizeUserApc.
- Return STATUS_ACCESS_VIOLATION during page faults instead of STATUS_UNSUCESSFUL.
- Fix assert in VdmSwapContext, as well as Code Selector check which was broken.
- Fix delayed object deletion (ObDeferDeleteObject) and the Ob Repear Routine and list.
- Update Kernel Fun.
- BUGBUG: Temporaily hack VMWare to detection to always detect VMWare.
svn path=/trunk/; revision=25238
2006-12-30 02:49:00 +08:00
|
|
|
ObpDeferObjectDeletion(IN POBJECT_HEADER Header)
|
2006-07-12 03:45:16 +08:00
|
|
|
{
|
2007-01-16 04:54:40 +08:00
|
|
|
PVOID Entry;
|
2006-07-12 03:45:16 +08:00
|
|
|
|
- Fix critical bugs in exception handling: Unwinding was completely broken, using the wrong SEH protector to detect collided unwinding. The correct protector itself also had a broken check.
- Fix architectural bug in the entire TrapFrame<->Context conversion system and Ring Privilege Transitions (Inter-ring and intra-ring) which was lacking proper sanitation and validation of segments, flags and debug registers. Among other things, IOPL is now respected, CS is not KGDT_R0_CODE | RPL_MASK anymore, and the GPF code is now properly being called. This completely fixes exception handling being totally broken and crashing firefox installer, mirc, and other applications.
- Rewrite the page fault handler base code in assembly instead of relying on a broken C routine. Detect VDM, V8086, detecting expected/normal fault in ExpInterlockedPopEntrySList and faults in the system handler code. Rewrite MmAccessFault to be the main function that calls out to other sub-fault functions, and use the same prototype as NT.
- Fix the KGDT boot table to have proper granularity and big flags, and extend it to 256 entries.
- Create proper thread context in RtlInitializeContext and cleanup Rtl Thread routines.
- Remove all int3 and breakpoints from trap handlers, and replace them with a much better "UNHANDLED_PATH" macro which freezes the system, beeps, and displays a message with the line of code that's unhandled. This is to clearly tell the user that something is unhandled, instead of nesting infinite exceptions due to the int3.
- Fix a bug in INT_PROLOG.
- Sanitize EFLAGS and Code Segments in KeContextToTrapFrame and KeTrapFrameToContext.
- Implement KiUpdateDr7 and KiRecordDr7 as well as DR_MASK and other DR-validation macros and functions to protect against DR-vulnerabilites as well as to properly account for each active hardware breakpoint in a per-thread fashion by using the dispatcher header.
- Allow CR0_EM when running in a VDM.
- Fix FPU/NPX Register handling in KeContextToTrapFrame and KeTrapFrameToContext, and also speed it up by manual copying instead of a memory move.
- Properly give IOPL 3 to user-mode threads if they requested it.
- Detect GPF during GPF.
- Detect pagefault with a trap-frame spread over two or more pages and nested.
- Properly sanitize and set correct trap frame in KiInitailizeUserApc.
- Return STATUS_ACCESS_VIOLATION during page faults instead of STATUS_UNSUCESSFUL.
- Fix assert in VdmSwapContext, as well as Code Selector check which was broken.
- Fix delayed object deletion (ObDeferDeleteObject) and the Ob Repear Routine and list.
- Update Kernel Fun.
- BUGBUG: Temporaily hack VMWare to detection to always detect VMWare.
svn path=/trunk/; revision=25238
2006-12-30 02:49:00 +08:00
|
|
|
/* Loop while trying to update the list */
|
2006-07-12 03:45:16 +08:00
|
|
|
do
|
|
|
|
{
|
- Fix critical bugs in exception handling: Unwinding was completely broken, using the wrong SEH protector to detect collided unwinding. The correct protector itself also had a broken check.
- Fix architectural bug in the entire TrapFrame<->Context conversion system and Ring Privilege Transitions (Inter-ring and intra-ring) which was lacking proper sanitation and validation of segments, flags and debug registers. Among other things, IOPL is now respected, CS is not KGDT_R0_CODE | RPL_MASK anymore, and the GPF code is now properly being called. This completely fixes exception handling being totally broken and crashing firefox installer, mirc, and other applications.
- Rewrite the page fault handler base code in assembly instead of relying on a broken C routine. Detect VDM, V8086, detecting expected/normal fault in ExpInterlockedPopEntrySList and faults in the system handler code. Rewrite MmAccessFault to be the main function that calls out to other sub-fault functions, and use the same prototype as NT.
- Fix the KGDT boot table to have proper granularity and big flags, and extend it to 256 entries.
- Create proper thread context in RtlInitializeContext and cleanup Rtl Thread routines.
- Remove all int3 and breakpoints from trap handlers, and replace them with a much better "UNHANDLED_PATH" macro which freezes the system, beeps, and displays a message with the line of code that's unhandled. This is to clearly tell the user that something is unhandled, instead of nesting infinite exceptions due to the int3.
- Fix a bug in INT_PROLOG.
- Sanitize EFLAGS and Code Segments in KeContextToTrapFrame and KeTrapFrameToContext.
- Implement KiUpdateDr7 and KiRecordDr7 as well as DR_MASK and other DR-validation macros and functions to protect against DR-vulnerabilites as well as to properly account for each active hardware breakpoint in a per-thread fashion by using the dispatcher header.
- Allow CR0_EM when running in a VDM.
- Fix FPU/NPX Register handling in KeContextToTrapFrame and KeTrapFrameToContext, and also speed it up by manual copying instead of a memory move.
- Properly give IOPL 3 to user-mode threads if they requested it.
- Detect GPF during GPF.
- Detect pagefault with a trap-frame spread over two or more pages and nested.
- Properly sanitize and set correct trap frame in KiInitailizeUserApc.
- Return STATUS_ACCESS_VIOLATION during page faults instead of STATUS_UNSUCESSFUL.
- Fix assert in VdmSwapContext, as well as Code Selector check which was broken.
- Fix delayed object deletion (ObDeferDeleteObject) and the Ob Repear Routine and list.
- Update Kernel Fun.
- BUGBUG: Temporaily hack VMWare to detection to always detect VMWare.
svn path=/trunk/; revision=25238
2006-12-30 02:49:00 +08:00
|
|
|
/* Get the current entry */
|
|
|
|
Entry = ObpReaperList;
|
|
|
|
|
|
|
|
/* Link our object to the list */
|
|
|
|
Header->NextToFree = Entry;
|
|
|
|
|
|
|
|
/* Update the list */
|
2006-07-12 03:45:16 +08:00
|
|
|
} while (InterlockedCompareExchangePointer(&ObpReaperList,
|
2007-01-16 04:54:40 +08:00
|
|
|
Header,
|
- Fix critical bugs in exception handling: Unwinding was completely broken, using the wrong SEH protector to detect collided unwinding. The correct protector itself also had a broken check.
- Fix architectural bug in the entire TrapFrame<->Context conversion system and Ring Privilege Transitions (Inter-ring and intra-ring) which was lacking proper sanitation and validation of segments, flags and debug registers. Among other things, IOPL is now respected, CS is not KGDT_R0_CODE | RPL_MASK anymore, and the GPF code is now properly being called. This completely fixes exception handling being totally broken and crashing firefox installer, mirc, and other applications.
- Rewrite the page fault handler base code in assembly instead of relying on a broken C routine. Detect VDM, V8086, detecting expected/normal fault in ExpInterlockedPopEntrySList and faults in the system handler code. Rewrite MmAccessFault to be the main function that calls out to other sub-fault functions, and use the same prototype as NT.
- Fix the KGDT boot table to have proper granularity and big flags, and extend it to 256 entries.
- Create proper thread context in RtlInitializeContext and cleanup Rtl Thread routines.
- Remove all int3 and breakpoints from trap handlers, and replace them with a much better "UNHANDLED_PATH" macro which freezes the system, beeps, and displays a message with the line of code that's unhandled. This is to clearly tell the user that something is unhandled, instead of nesting infinite exceptions due to the int3.
- Fix a bug in INT_PROLOG.
- Sanitize EFLAGS and Code Segments in KeContextToTrapFrame and KeTrapFrameToContext.
- Implement KiUpdateDr7 and KiRecordDr7 as well as DR_MASK and other DR-validation macros and functions to protect against DR-vulnerabilites as well as to properly account for each active hardware breakpoint in a per-thread fashion by using the dispatcher header.
- Allow CR0_EM when running in a VDM.
- Fix FPU/NPX Register handling in KeContextToTrapFrame and KeTrapFrameToContext, and also speed it up by manual copying instead of a memory move.
- Properly give IOPL 3 to user-mode threads if they requested it.
- Detect GPF during GPF.
- Detect pagefault with a trap-frame spread over two or more pages and nested.
- Properly sanitize and set correct trap frame in KiInitailizeUserApc.
- Return STATUS_ACCESS_VIOLATION during page faults instead of STATUS_UNSUCESSFUL.
- Fix assert in VdmSwapContext, as well as Code Selector check which was broken.
- Fix delayed object deletion (ObDeferDeleteObject) and the Ob Repear Routine and list.
- Update Kernel Fun.
- BUGBUG: Temporaily hack VMWare to detection to always detect VMWare.
svn path=/trunk/; revision=25238
2006-12-30 02:49:00 +08:00
|
|
|
Entry) != Entry);
|
2006-07-12 03:45:16 +08:00
|
|
|
|
- Fix critical bugs in exception handling: Unwinding was completely broken, using the wrong SEH protector to detect collided unwinding. The correct protector itself also had a broken check.
- Fix architectural bug in the entire TrapFrame<->Context conversion system and Ring Privilege Transitions (Inter-ring and intra-ring) which was lacking proper sanitation and validation of segments, flags and debug registers. Among other things, IOPL is now respected, CS is not KGDT_R0_CODE | RPL_MASK anymore, and the GPF code is now properly being called. This completely fixes exception handling being totally broken and crashing firefox installer, mirc, and other applications.
- Rewrite the page fault handler base code in assembly instead of relying on a broken C routine. Detect VDM, V8086, detecting expected/normal fault in ExpInterlockedPopEntrySList and faults in the system handler code. Rewrite MmAccessFault to be the main function that calls out to other sub-fault functions, and use the same prototype as NT.
- Fix the KGDT boot table to have proper granularity and big flags, and extend it to 256 entries.
- Create proper thread context in RtlInitializeContext and cleanup Rtl Thread routines.
- Remove all int3 and breakpoints from trap handlers, and replace them with a much better "UNHANDLED_PATH" macro which freezes the system, beeps, and displays a message with the line of code that's unhandled. This is to clearly tell the user that something is unhandled, instead of nesting infinite exceptions due to the int3.
- Fix a bug in INT_PROLOG.
- Sanitize EFLAGS and Code Segments in KeContextToTrapFrame and KeTrapFrameToContext.
- Implement KiUpdateDr7 and KiRecordDr7 as well as DR_MASK and other DR-validation macros and functions to protect against DR-vulnerabilites as well as to properly account for each active hardware breakpoint in a per-thread fashion by using the dispatcher header.
- Allow CR0_EM when running in a VDM.
- Fix FPU/NPX Register handling in KeContextToTrapFrame and KeTrapFrameToContext, and also speed it up by manual copying instead of a memory move.
- Properly give IOPL 3 to user-mode threads if they requested it.
- Detect GPF during GPF.
- Detect pagefault with a trap-frame spread over two or more pages and nested.
- Properly sanitize and set correct trap frame in KiInitailizeUserApc.
- Return STATUS_ACCESS_VIOLATION during page faults instead of STATUS_UNSUCESSFUL.
- Fix assert in VdmSwapContext, as well as Code Selector check which was broken.
- Fix delayed object deletion (ObDeferDeleteObject) and the Ob Repear Routine and list.
- Update Kernel Fun.
- BUGBUG: Temporaily hack VMWare to detection to always detect VMWare.
svn path=/trunk/; revision=25238
2006-12-30 02:49:00 +08:00
|
|
|
/* Queue the work item if needed */
|
|
|
|
if (!Entry) ExQueueWorkItem(&ObpReaperWorkItem, CriticalWorkQueue);
|
2006-07-12 03:45:16 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
LONG
|
|
|
|
FASTCALL
|
|
|
|
ObReferenceObjectEx(IN PVOID Object,
|
2006-10-26 02:23:45 +08:00
|
|
|
IN LONG Count)
|
2006-07-12 03:45:16 +08:00
|
|
|
{
|
|
|
|
/* Increment the reference count and return the count now */
|
2018-01-30 03:31:07 +08:00
|
|
|
return InterlockedExchangeAddSizeT(&OBJECT_TO_OBJECT_HEADER(Object)->
|
|
|
|
PointerCount,
|
|
|
|
Count) + Count;
|
2006-07-12 03:45:16 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
LONG
|
|
|
|
FASTCALL
|
|
|
|
ObDereferenceObjectEx(IN PVOID Object,
|
2006-10-26 02:23:45 +08:00
|
|
|
IN LONG Count)
|
2006-07-12 03:45:16 +08:00
|
|
|
{
|
|
|
|
POBJECT_HEADER Header;
|
2018-01-30 03:31:07 +08:00
|
|
|
LONG_PTR NewCount;
|
2006-07-12 03:45:16 +08:00
|
|
|
|
|
|
|
/* Extract the object header */
|
|
|
|
Header = OBJECT_TO_OBJECT_HEADER(Object);
|
|
|
|
|
|
|
|
/* Check whether the object can now be deleted. */
|
2018-01-30 03:31:07 +08:00
|
|
|
NewCount = InterlockedExchangeAddSizeT(&Header->PointerCount, -Count) - Count;
|
2009-05-23 01:19:27 +08:00
|
|
|
if (!NewCount) ObpDeferObjectDeletion(Header);
|
2006-07-12 03:45:16 +08:00
|
|
|
|
|
|
|
/* Return the current count */
|
|
|
|
return NewCount;
|
|
|
|
}
|
|
|
|
|
2006-05-25 06:07:11 +08:00
|
|
|
VOID
|
|
|
|
FASTCALL
|
|
|
|
ObInitializeFastReference(IN PEX_FAST_REF FastRef,
|
2006-07-12 03:45:16 +08:00
|
|
|
IN PVOID Object OPTIONAL)
|
|
|
|
{
|
|
|
|
/* Check if we were given an object and reference it 7 times */
|
|
|
|
if (Object) ObReferenceObjectEx(Object, MAX_FAST_REFS);
|
2020-05-08 23:53:29 +08:00
|
|
|
|
2009-03-04 04:24:10 +08:00
|
|
|
/* Setup the fast reference */
|
|
|
|
ExInitializeFastReference(FastRef, Object);
|
2006-07-12 03:45:16 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
PVOID
|
|
|
|
FASTCALL
|
|
|
|
ObFastReferenceObjectLocked(IN PEX_FAST_REF FastRef)
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2006-07-12 03:45:16 +08:00
|
|
|
PVOID Object;
|
2009-03-04 04:24:10 +08:00
|
|
|
EX_FAST_REF OldValue = *FastRef;
|
2006-07-12 03:45:16 +08:00
|
|
|
|
|
|
|
/* Get the object and reference it slowly */
|
2009-03-04 04:24:10 +08:00
|
|
|
Object = ExGetObjectFastReference(OldValue);
|
2006-07-12 03:45:16 +08:00
|
|
|
if (Object) ObReferenceObject(Object);
|
|
|
|
return Object;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
PVOID
|
|
|
|
FASTCALL
|
|
|
|
ObFastReferenceObject(IN PEX_FAST_REF FastRef)
|
|
|
|
{
|
2009-03-04 04:24:10 +08:00
|
|
|
EX_FAST_REF OldValue;
|
2006-07-12 03:45:16 +08:00
|
|
|
ULONG_PTR Count;
|
|
|
|
PVOID Object;
|
|
|
|
|
2009-03-04 04:24:10 +08:00
|
|
|
/* Reference the object and get it pointer */
|
|
|
|
OldValue = ExAcquireFastReference(FastRef);
|
|
|
|
Object = ExGetObjectFastReference(OldValue);
|
2006-07-12 03:45:16 +08:00
|
|
|
|
2009-03-04 04:24:10 +08:00
|
|
|
/* Check how many references are left */
|
|
|
|
Count = ExGetCountFastReference(OldValue);
|
2006-07-12 03:45:16 +08:00
|
|
|
|
|
|
|
/* Check if the reference count is over 1 */
|
|
|
|
if (Count > 1) return Object;
|
|
|
|
|
|
|
|
/* Check if the reference count has reached 0 */
|
|
|
|
if (!Count) return NULL;
|
2006-05-25 06:07:11 +08:00
|
|
|
|
2006-07-12 03:45:16 +08:00
|
|
|
/* Otherwise, reference the object 7 times */
|
|
|
|
ObReferenceObjectEx(Object, MAX_FAST_REFS);
|
2020-05-08 23:53:29 +08:00
|
|
|
|
2009-03-04 04:24:10 +08:00
|
|
|
/* Now update the reference count */
|
|
|
|
if (!ExInsertFastReference(FastRef, Object))
|
2006-07-12 03:45:16 +08:00
|
|
|
{
|
2009-03-04 04:24:10 +08:00
|
|
|
/* We failed: completely dereference the object */
|
|
|
|
ObDereferenceObjectEx(Object, MAX_FAST_REFS);
|
2006-07-12 03:45:16 +08:00
|
|
|
}
|
2006-05-25 06:07:11 +08:00
|
|
|
|
|
|
|
/* Return the Object */
|
2006-07-12 03:45:16 +08:00
|
|
|
return Object;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
VOID
|
|
|
|
FASTCALL
|
|
|
|
ObFastDereferenceObject(IN PEX_FAST_REF FastRef,
|
2006-07-12 03:45:16 +08:00
|
|
|
IN PVOID Object)
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2009-03-04 04:24:10 +08:00
|
|
|
/* Release a fast reference. If this failed, use the slow path */
|
|
|
|
if (!ExReleaseFastReference(FastRef, Object)) ObDereferenceObject(Object);
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
PVOID
|
|
|
|
FASTCALL
|
|
|
|
ObFastReplaceObject(IN PEX_FAST_REF FastRef,
|
|
|
|
PVOID Object)
|
|
|
|
{
|
2009-03-04 04:24:10 +08:00
|
|
|
EX_FAST_REF OldValue;
|
2006-07-12 03:45:16 +08:00
|
|
|
PVOID OldObject;
|
[HAL/NDK]
- Make Vector parameter in HalEnableSystemInterrupt, HalDisableSystemInterrupt and HalBeginSystemInterrupt an ULONG, not an UCHAR
[NDK]
- 64bit fixes for HANDLE_TABLE, KPROCESS, SECTION_IMAGE_INFORMATION, MMADDRESS_LIST, MMVAD_FLAGS, MMVAD, MMVAD_LONG, MMVAD_SHORT, MEMORY_DESCRIPTOR, MEMORY_ALLOCATION_DESCRIPTOR, LdrVerifyMappedImageMatchesChecksum
- KDPC_DATA::DpcQueueDepth is signed on amd64, unsigned on x86
[NTOSKRNL]
- Fix hundreds of MSVC and amd64 warnings
- add a pragma message to FstubFixupEfiPartition, since it looks broken
- Move portable Ke constants from <arch>/cpu.c to krnlinit.c
- Fixed a bug in amd64 KiGeneralProtectionFaultHandler
svn path=/trunk/; revision=53734
2011-09-18 21:11:45 +08:00
|
|
|
ULONG Count;
|
2006-05-25 06:07:11 +08:00
|
|
|
|
2006-07-12 03:45:16 +08:00
|
|
|
/* Check if we were given an object and reference it 7 times */
|
|
|
|
if (Object) ObReferenceObjectEx(Object, MAX_FAST_REFS);
|
2020-05-08 23:53:29 +08:00
|
|
|
|
2009-03-04 04:24:10 +08:00
|
|
|
/* Do the swap */
|
|
|
|
OldValue = ExSwapFastReference(FastRef, Object);
|
|
|
|
OldObject = ExGetObjectFastReference(OldValue);
|
2020-05-08 23:53:29 +08:00
|
|
|
|
2009-03-04 04:24:10 +08:00
|
|
|
/* Check if we had an active object and dereference it */
|
|
|
|
Count = ExGetCountFastReference(OldValue);
|
|
|
|
if ((OldObject) && (Count)) ObDereferenceObjectEx(OldObject, Count);
|
2006-05-25 06:07:11 +08:00
|
|
|
|
2006-07-12 03:45:16 +08:00
|
|
|
/* Return the old object */
|
2006-05-25 06:07:11 +08:00
|
|
|
return OldObject;
|
|
|
|
}
|
|
|
|
|
2017-11-13 05:28:54 +08:00
|
|
|
NTSTATUS
|
|
|
|
NTAPI
|
|
|
|
ObReferenceFileObjectForWrite(IN HANDLE Handle,
|
|
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
|
|
OUT PFILE_OBJECT *FileObject,
|
|
|
|
OUT POBJECT_HANDLE_INFORMATION HandleInformation)
|
|
|
|
{
|
|
|
|
NTSTATUS Status;
|
|
|
|
PHANDLE_TABLE HandleTable;
|
|
|
|
POBJECT_HEADER ObjectHeader;
|
|
|
|
PHANDLE_TABLE_ENTRY HandleEntry;
|
|
|
|
ACCESS_MASK GrantedAccess, DesiredAccess;
|
|
|
|
|
|
|
|
/* Assume failure */
|
|
|
|
*FileObject = NULL;
|
|
|
|
|
|
|
|
/* Check if this is a special handle */
|
|
|
|
if (HandleToLong(Handle) < 0)
|
|
|
|
{
|
|
|
|
/* Make sure we have a valid kernel handle */
|
|
|
|
if (AccessMode != KernelMode || Handle == NtCurrentProcess() || Handle == NtCurrentThread())
|
|
|
|
{
|
|
|
|
return STATUS_INVALID_HANDLE;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Use the kernel handle table and get the actual handle value */
|
|
|
|
Handle = ObKernelHandleToHandle(Handle);
|
|
|
|
HandleTable = ObpKernelHandleTable;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* Otherwise use this process's handle table */
|
|
|
|
HandleTable = PsGetCurrentProcess()->ObjectTable;
|
|
|
|
}
|
|
|
|
|
|
|
|
ASSERT(HandleTable != NULL);
|
|
|
|
KeEnterCriticalRegion();
|
|
|
|
|
|
|
|
/* Get the handle entry */
|
|
|
|
HandleEntry = ExMapHandleToPointer(HandleTable, Handle);
|
|
|
|
if (HandleEntry)
|
|
|
|
{
|
|
|
|
/* Get the object header and validate the type*/
|
|
|
|
ObjectHeader = ObpGetHandleObject(HandleEntry);
|
|
|
|
|
|
|
|
/* Get the desired access from the file object */
|
|
|
|
if (!NT_SUCCESS(IoComputeDesiredAccessFileObject((PFILE_OBJECT)&ObjectHeader->Body,
|
|
|
|
&DesiredAccess)))
|
|
|
|
{
|
|
|
|
Status = STATUS_OBJECT_TYPE_MISMATCH;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* Extract the granted access from the handle entry */
|
|
|
|
if (BooleanFlagOn(NtGlobalFlag, FLG_KERNEL_STACK_TRACE_DB))
|
|
|
|
{
|
|
|
|
/* FIXME: Translate granted access */
|
|
|
|
GrantedAccess = HandleEntry->GrantedAccess;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
GrantedAccess = HandleEntry->GrantedAccess & ~ObpAccessProtectCloseBit;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* FIXME: Get handle information for audit */
|
|
|
|
|
|
|
|
HandleInformation->GrantedAccess = GrantedAccess;
|
|
|
|
|
|
|
|
/* FIXME: Get handle attributes */
|
|
|
|
HandleInformation->HandleAttributes = 0;
|
|
|
|
|
|
|
|
/* Do granted and desired access match? */
|
|
|
|
if (GrantedAccess & DesiredAccess)
|
|
|
|
{
|
|
|
|
/* FIXME: Audit access if required */
|
|
|
|
|
|
|
|
/* Reference the object directly since we have its header */
|
2018-01-30 03:31:07 +08:00
|
|
|
InterlockedIncrementSizeT(&ObjectHeader->PointerCount);
|
2017-11-13 05:28:54 +08:00
|
|
|
|
|
|
|
/* Unlock the handle */
|
|
|
|
ExUnlockHandleTableEntry(HandleTable, HandleEntry);
|
|
|
|
KeLeaveCriticalRegion();
|
|
|
|
|
|
|
|
*FileObject = (PFILE_OBJECT)&ObjectHeader->Body;
|
|
|
|
|
|
|
|
/* Return success */
|
|
|
|
ASSERT(*FileObject != NULL);
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* No match, deny write access */
|
|
|
|
Status = STATUS_ACCESS_DENIED;
|
|
|
|
|
|
|
|
ExUnlockHandleTableEntry(HandleTable, HandleEntry);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
Status = STATUS_INVALID_HANDLE;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Return failure status */
|
|
|
|
KeLeaveCriticalRegion();
|
|
|
|
return Status;
|
|
|
|
}
|
|
|
|
|
2006-05-25 06:07:11 +08:00
|
|
|
/* PUBLIC FUNCTIONS *********************************************************/
|
|
|
|
|
2006-09-07 13:07:34 +08:00
|
|
|
LONG_PTR
|
2006-06-05 08:32:26 +08:00
|
|
|
FASTCALL
|
2006-05-25 06:07:11 +08:00
|
|
|
ObfReferenceObject(IN PVOID Object)
|
|
|
|
{
|
|
|
|
ASSERT(Object);
|
|
|
|
|
2006-06-05 08:32:26 +08:00
|
|
|
/* Get the header and increment the reference count */
|
2018-01-30 03:31:07 +08:00
|
|
|
return InterlockedIncrementSizeT(&OBJECT_TO_OBJECT_HEADER(Object)->PointerCount);
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
2006-09-07 13:07:34 +08:00
|
|
|
LONG_PTR
|
2006-05-25 06:07:11 +08:00
|
|
|
FASTCALL
|
|
|
|
ObfDereferenceObject(IN PVOID Object)
|
|
|
|
{
|
|
|
|
POBJECT_HEADER Header;
|
2020-05-08 23:53:29 +08:00
|
|
|
LONG_PTR NewCount;
|
2006-05-25 06:07:11 +08:00
|
|
|
|
2006-05-29 08:05:07 +08:00
|
|
|
/* Extract the object header */
|
2006-05-26 04:14:09 +08:00
|
|
|
Header = OBJECT_TO_OBJECT_HEADER(Object);
|
2006-05-25 06:07:11 +08:00
|
|
|
|
2006-06-30 02:07:53 +08:00
|
|
|
if (Header->PointerCount < Header->HandleCount)
|
2006-06-29 13:05:27 +08:00
|
|
|
{
|
2007-06-17 23:18:06 +08:00
|
|
|
DPRINT1("Misbehaving object: %wZ\n", &Header->Type->Name);
|
2006-09-07 13:07:34 +08:00
|
|
|
return Header->PointerCount;
|
2006-06-29 13:05:27 +08:00
|
|
|
}
|
|
|
|
|
2006-05-25 06:07:11 +08:00
|
|
|
/* Check whether the object can now be deleted. */
|
2020-05-08 23:53:29 +08:00
|
|
|
NewCount = InterlockedDecrementSizeT(&Header->PointerCount);
|
|
|
|
if (!NewCount)
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2006-05-29 08:05:07 +08:00
|
|
|
/* Sanity check */
|
2008-11-07 03:21:46 +08:00
|
|
|
ASSERT(Header->HandleCount == 0);
|
2006-05-29 08:05:07 +08:00
|
|
|
|
2007-01-16 04:54:40 +08:00
|
|
|
/* Check if APCs are still active */
|
|
|
|
if (!KeAreAllApcsDisabled())
|
2006-05-29 08:05:07 +08:00
|
|
|
{
|
|
|
|
/* Remove the object */
|
- Fix critical bugs in exception handling: Unwinding was completely broken, using the wrong SEH protector to detect collided unwinding. The correct protector itself also had a broken check.
- Fix architectural bug in the entire TrapFrame<->Context conversion system and Ring Privilege Transitions (Inter-ring and intra-ring) which was lacking proper sanitation and validation of segments, flags and debug registers. Among other things, IOPL is now respected, CS is not KGDT_R0_CODE | RPL_MASK anymore, and the GPF code is now properly being called. This completely fixes exception handling being totally broken and crashing firefox installer, mirc, and other applications.
- Rewrite the page fault handler base code in assembly instead of relying on a broken C routine. Detect VDM, V8086, detecting expected/normal fault in ExpInterlockedPopEntrySList and faults in the system handler code. Rewrite MmAccessFault to be the main function that calls out to other sub-fault functions, and use the same prototype as NT.
- Fix the KGDT boot table to have proper granularity and big flags, and extend it to 256 entries.
- Create proper thread context in RtlInitializeContext and cleanup Rtl Thread routines.
- Remove all int3 and breakpoints from trap handlers, and replace them with a much better "UNHANDLED_PATH" macro which freezes the system, beeps, and displays a message with the line of code that's unhandled. This is to clearly tell the user that something is unhandled, instead of nesting infinite exceptions due to the int3.
- Fix a bug in INT_PROLOG.
- Sanitize EFLAGS and Code Segments in KeContextToTrapFrame and KeTrapFrameToContext.
- Implement KiUpdateDr7 and KiRecordDr7 as well as DR_MASK and other DR-validation macros and functions to protect against DR-vulnerabilites as well as to properly account for each active hardware breakpoint in a per-thread fashion by using the dispatcher header.
- Allow CR0_EM when running in a VDM.
- Fix FPU/NPX Register handling in KeContextToTrapFrame and KeTrapFrameToContext, and also speed it up by manual copying instead of a memory move.
- Properly give IOPL 3 to user-mode threads if they requested it.
- Detect GPF during GPF.
- Detect pagefault with a trap-frame spread over two or more pages and nested.
- Properly sanitize and set correct trap frame in KiInitailizeUserApc.
- Return STATUS_ACCESS_VIOLATION during page faults instead of STATUS_UNSUCESSFUL.
- Fix assert in VdmSwapContext, as well as Code Selector check which was broken.
- Fix delayed object deletion (ObDeferDeleteObject) and the Ob Repear Routine and list.
- Update Kernel Fun.
- BUGBUG: Temporaily hack VMWare to detection to always detect VMWare.
svn path=/trunk/; revision=25238
2006-12-30 02:49:00 +08:00
|
|
|
ObpDeleteObject(Object, FALSE);
|
2006-05-29 08:05:07 +08:00
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2006-07-12 03:45:16 +08:00
|
|
|
/* Add us to the deferred deletion list */
|
- Fix critical bugs in exception handling: Unwinding was completely broken, using the wrong SEH protector to detect collided unwinding. The correct protector itself also had a broken check.
- Fix architectural bug in the entire TrapFrame<->Context conversion system and Ring Privilege Transitions (Inter-ring and intra-ring) which was lacking proper sanitation and validation of segments, flags and debug registers. Among other things, IOPL is now respected, CS is not KGDT_R0_CODE | RPL_MASK anymore, and the GPF code is now properly being called. This completely fixes exception handling being totally broken and crashing firefox installer, mirc, and other applications.
- Rewrite the page fault handler base code in assembly instead of relying on a broken C routine. Detect VDM, V8086, detecting expected/normal fault in ExpInterlockedPopEntrySList and faults in the system handler code. Rewrite MmAccessFault to be the main function that calls out to other sub-fault functions, and use the same prototype as NT.
- Fix the KGDT boot table to have proper granularity and big flags, and extend it to 256 entries.
- Create proper thread context in RtlInitializeContext and cleanup Rtl Thread routines.
- Remove all int3 and breakpoints from trap handlers, and replace them with a much better "UNHANDLED_PATH" macro which freezes the system, beeps, and displays a message with the line of code that's unhandled. This is to clearly tell the user that something is unhandled, instead of nesting infinite exceptions due to the int3.
- Fix a bug in INT_PROLOG.
- Sanitize EFLAGS and Code Segments in KeContextToTrapFrame and KeTrapFrameToContext.
- Implement KiUpdateDr7 and KiRecordDr7 as well as DR_MASK and other DR-validation macros and functions to protect against DR-vulnerabilites as well as to properly account for each active hardware breakpoint in a per-thread fashion by using the dispatcher header.
- Allow CR0_EM when running in a VDM.
- Fix FPU/NPX Register handling in KeContextToTrapFrame and KeTrapFrameToContext, and also speed it up by manual copying instead of a memory move.
- Properly give IOPL 3 to user-mode threads if they requested it.
- Detect GPF during GPF.
- Detect pagefault with a trap-frame spread over two or more pages and nested.
- Properly sanitize and set correct trap frame in KiInitailizeUserApc.
- Return STATUS_ACCESS_VIOLATION during page faults instead of STATUS_UNSUCESSFUL.
- Fix assert in VdmSwapContext, as well as Code Selector check which was broken.
- Fix delayed object deletion (ObDeferDeleteObject) and the Ob Repear Routine and list.
- Update Kernel Fun.
- BUGBUG: Temporaily hack VMWare to detection to always detect VMWare.
svn path=/trunk/; revision=25238
2006-12-30 02:49:00 +08:00
|
|
|
ObpDeferObjectDeletion(Header);
|
2006-05-29 08:05:07 +08:00
|
|
|
}
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
2006-09-07 13:07:34 +08:00
|
|
|
|
2020-05-08 23:53:29 +08:00
|
|
|
/* Return the new count */
|
|
|
|
return NewCount;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
2006-07-14 23:26:19 +08:00
|
|
|
VOID
|
|
|
|
NTAPI
|
|
|
|
ObDereferenceObjectDeferDelete(IN PVOID Object)
|
|
|
|
{
|
- Fix critical bugs in exception handling: Unwinding was completely broken, using the wrong SEH protector to detect collided unwinding. The correct protector itself also had a broken check.
- Fix architectural bug in the entire TrapFrame<->Context conversion system and Ring Privilege Transitions (Inter-ring and intra-ring) which was lacking proper sanitation and validation of segments, flags and debug registers. Among other things, IOPL is now respected, CS is not KGDT_R0_CODE | RPL_MASK anymore, and the GPF code is now properly being called. This completely fixes exception handling being totally broken and crashing firefox installer, mirc, and other applications.
- Rewrite the page fault handler base code in assembly instead of relying on a broken C routine. Detect VDM, V8086, detecting expected/normal fault in ExpInterlockedPopEntrySList and faults in the system handler code. Rewrite MmAccessFault to be the main function that calls out to other sub-fault functions, and use the same prototype as NT.
- Fix the KGDT boot table to have proper granularity and big flags, and extend it to 256 entries.
- Create proper thread context in RtlInitializeContext and cleanup Rtl Thread routines.
- Remove all int3 and breakpoints from trap handlers, and replace them with a much better "UNHANDLED_PATH" macro which freezes the system, beeps, and displays a message with the line of code that's unhandled. This is to clearly tell the user that something is unhandled, instead of nesting infinite exceptions due to the int3.
- Fix a bug in INT_PROLOG.
- Sanitize EFLAGS and Code Segments in KeContextToTrapFrame and KeTrapFrameToContext.
- Implement KiUpdateDr7 and KiRecordDr7 as well as DR_MASK and other DR-validation macros and functions to protect against DR-vulnerabilites as well as to properly account for each active hardware breakpoint in a per-thread fashion by using the dispatcher header.
- Allow CR0_EM when running in a VDM.
- Fix FPU/NPX Register handling in KeContextToTrapFrame and KeTrapFrameToContext, and also speed it up by manual copying instead of a memory move.
- Properly give IOPL 3 to user-mode threads if they requested it.
- Detect GPF during GPF.
- Detect pagefault with a trap-frame spread over two or more pages and nested.
- Properly sanitize and set correct trap frame in KiInitailizeUserApc.
- Return STATUS_ACCESS_VIOLATION during page faults instead of STATUS_UNSUCESSFUL.
- Fix assert in VdmSwapContext, as well as Code Selector check which was broken.
- Fix delayed object deletion (ObDeferDeleteObject) and the Ob Repear Routine and list.
- Update Kernel Fun.
- BUGBUG: Temporaily hack VMWare to detection to always detect VMWare.
svn path=/trunk/; revision=25238
2006-12-30 02:49:00 +08:00
|
|
|
POBJECT_HEADER Header = OBJECT_TO_OBJECT_HEADER(Object);
|
|
|
|
|
2006-07-14 23:26:19 +08:00
|
|
|
/* Check whether the object can now be deleted. */
|
2018-01-30 03:31:07 +08:00
|
|
|
if (!InterlockedDecrementSizeT(&Header->PointerCount))
|
2006-07-14 23:26:19 +08:00
|
|
|
{
|
|
|
|
/* Add us to the deferred deletion list */
|
- Fix critical bugs in exception handling: Unwinding was completely broken, using the wrong SEH protector to detect collided unwinding. The correct protector itself also had a broken check.
- Fix architectural bug in the entire TrapFrame<->Context conversion system and Ring Privilege Transitions (Inter-ring and intra-ring) which was lacking proper sanitation and validation of segments, flags and debug registers. Among other things, IOPL is now respected, CS is not KGDT_R0_CODE | RPL_MASK anymore, and the GPF code is now properly being called. This completely fixes exception handling being totally broken and crashing firefox installer, mirc, and other applications.
- Rewrite the page fault handler base code in assembly instead of relying on a broken C routine. Detect VDM, V8086, detecting expected/normal fault in ExpInterlockedPopEntrySList and faults in the system handler code. Rewrite MmAccessFault to be the main function that calls out to other sub-fault functions, and use the same prototype as NT.
- Fix the KGDT boot table to have proper granularity and big flags, and extend it to 256 entries.
- Create proper thread context in RtlInitializeContext and cleanup Rtl Thread routines.
- Remove all int3 and breakpoints from trap handlers, and replace them with a much better "UNHANDLED_PATH" macro which freezes the system, beeps, and displays a message with the line of code that's unhandled. This is to clearly tell the user that something is unhandled, instead of nesting infinite exceptions due to the int3.
- Fix a bug in INT_PROLOG.
- Sanitize EFLAGS and Code Segments in KeContextToTrapFrame and KeTrapFrameToContext.
- Implement KiUpdateDr7 and KiRecordDr7 as well as DR_MASK and other DR-validation macros and functions to protect against DR-vulnerabilites as well as to properly account for each active hardware breakpoint in a per-thread fashion by using the dispatcher header.
- Allow CR0_EM when running in a VDM.
- Fix FPU/NPX Register handling in KeContextToTrapFrame and KeTrapFrameToContext, and also speed it up by manual copying instead of a memory move.
- Properly give IOPL 3 to user-mode threads if they requested it.
- Detect GPF during GPF.
- Detect pagefault with a trap-frame spread over two or more pages and nested.
- Properly sanitize and set correct trap frame in KiInitailizeUserApc.
- Return STATUS_ACCESS_VIOLATION during page faults instead of STATUS_UNSUCESSFUL.
- Fix assert in VdmSwapContext, as well as Code Selector check which was broken.
- Fix delayed object deletion (ObDeferDeleteObject) and the Ob Repear Routine and list.
- Update Kernel Fun.
- BUGBUG: Temporaily hack VMWare to detection to always detect VMWare.
svn path=/trunk/; revision=25238
2006-12-30 02:49:00 +08:00
|
|
|
ObpDeferObjectDeletion(Header);
|
2006-07-14 23:26:19 +08:00
|
|
|
}
|
|
|
|
}
|
2006-06-05 13:07:44 +08:00
|
|
|
|
2006-07-14 23:26:19 +08:00
|
|
|
#undef ObDereferenceObject
|
2006-06-05 13:07:44 +08:00
|
|
|
VOID
|
|
|
|
NTAPI
|
|
|
|
ObDereferenceObject(IN PVOID Object)
|
|
|
|
{
|
|
|
|
/* Call the fastcall function */
|
|
|
|
ObfDereferenceObject(Object);
|
|
|
|
}
|
|
|
|
|
2006-06-05 08:32:26 +08:00
|
|
|
NTSTATUS
|
|
|
|
NTAPI
|
2006-05-25 06:07:11 +08:00
|
|
|
ObReferenceObjectByPointer(IN PVOID Object,
|
|
|
|
IN ACCESS_MASK DesiredAccess,
|
|
|
|
IN POBJECT_TYPE ObjectType,
|
|
|
|
IN KPROCESSOR_MODE AccessMode)
|
|
|
|
{
|
|
|
|
POBJECT_HEADER Header;
|
|
|
|
|
2006-06-05 08:32:26 +08:00
|
|
|
/* Get the header */
|
2006-05-26 04:14:09 +08:00
|
|
|
Header = OBJECT_TO_OBJECT_HEADER(Object);
|
2006-05-25 06:07:11 +08:00
|
|
|
|
2006-06-05 08:32:26 +08:00
|
|
|
/*
|
|
|
|
* Validate object type if the call is for UserMode.
|
|
|
|
* NOTE: Unless it's a symbolic link (Caz Yokoyama [MSFT])
|
|
|
|
*/
|
|
|
|
if ((Header->Type != ObjectType) && ((AccessMode != KernelMode) ||
|
2018-02-14 04:33:04 +08:00
|
|
|
(ObjectType == ObpSymbolicLinkObjectType)))
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2006-06-05 08:32:26 +08:00
|
|
|
/* Invalid type */
|
|
|
|
return STATUS_OBJECT_TYPE_MISMATCH;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
2007-01-08 16:03:47 +08:00
|
|
|
/* Increment the reference count and return success */
|
2018-01-30 03:31:07 +08:00
|
|
|
InterlockedIncrementSizeT(&Header->PointerCount);
|
2006-06-05 08:32:26 +08:00
|
|
|
return STATUS_SUCCESS;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
2006-05-25 12:17:29 +08:00
|
|
|
NTSTATUS
|
|
|
|
NTAPI
|
2007-01-08 16:03:47 +08:00
|
|
|
ObReferenceObjectByName(IN PUNICODE_STRING ObjectPath,
|
|
|
|
IN ULONG Attributes,
|
|
|
|
IN PACCESS_STATE PassedAccessState,
|
|
|
|
IN ACCESS_MASK DesiredAccess,
|
|
|
|
IN POBJECT_TYPE ObjectType,
|
|
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
|
|
IN OUT PVOID ParseContext,
|
|
|
|
OUT PVOID* ObjectPtr)
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
|
|
|
PVOID Object = NULL;
|
|
|
|
UNICODE_STRING ObjectName;
|
|
|
|
NTSTATUS Status;
|
|
|
|
OBP_LOOKUP_CONTEXT Context;
|
2008-06-16 16:54:21 +08:00
|
|
|
AUX_ACCESS_DATA AuxData;
|
2006-05-25 12:17:29 +08:00
|
|
|
ACCESS_STATE AccessState;
|
2007-01-08 16:03:47 +08:00
|
|
|
PAGED_CODE();
|
|
|
|
|
|
|
|
/* Fail quickly */
|
|
|
|
if (!ObjectPath) return STATUS_OBJECT_NAME_INVALID;
|
2006-05-25 06:07:11 +08:00
|
|
|
|
|
|
|
/* Capture the name */
|
2006-05-29 11:32:43 +08:00
|
|
|
Status = ObpCaptureObjectName(&ObjectName, ObjectPath, AccessMode, TRUE);
|
2006-05-25 12:17:29 +08:00
|
|
|
if (!NT_SUCCESS(Status)) return Status;
|
|
|
|
|
2007-01-08 16:03:47 +08:00
|
|
|
/* We also need a valid name after capture */
|
|
|
|
if (!ObjectName.Length) return STATUS_OBJECT_NAME_INVALID;
|
|
|
|
|
2006-05-25 12:17:29 +08:00
|
|
|
/* Check if we didn't get an access state */
|
|
|
|
if (!PassedAccessState)
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2006-05-25 12:17:29 +08:00
|
|
|
/* Use our built-in access state */
|
|
|
|
PassedAccessState = &AccessState;
|
|
|
|
Status = SeCreateAccessState(&AccessState,
|
|
|
|
&AuxData,
|
|
|
|
DesiredAccess,
|
|
|
|
&ObjectType->TypeInfo.GenericMapping);
|
|
|
|
if (!NT_SUCCESS(Status)) goto Quickie;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
2006-05-29 03:05:19 +08:00
|
|
|
/* Find the object */
|
2006-06-14 12:02:02 +08:00
|
|
|
*ObjectPtr = NULL;
|
2007-01-08 16:03:47 +08:00
|
|
|
Status = ObpLookupObjectName(NULL,
|
|
|
|
&ObjectName,
|
|
|
|
Attributes,
|
|
|
|
ObjectType,
|
|
|
|
AccessMode,
|
|
|
|
ParseContext,
|
|
|
|
NULL,
|
|
|
|
NULL,
|
|
|
|
PassedAccessState,
|
|
|
|
&Context,
|
|
|
|
&Object);
|
2007-01-09 17:07:36 +08:00
|
|
|
|
|
|
|
/* Cleanup after lookup */
|
2008-06-18 20:28:29 +08:00
|
|
|
ObpReleaseLookupContext(&Context);
|
2007-01-08 16:03:47 +08:00
|
|
|
|
|
|
|
/* Check if the lookup succeeded */
|
2006-06-14 12:02:02 +08:00
|
|
|
if (NT_SUCCESS(Status))
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2007-01-08 16:03:47 +08:00
|
|
|
/* Check if access is allowed */
|
|
|
|
if (ObpCheckObjectReference(Object,
|
|
|
|
PassedAccessState,
|
|
|
|
FALSE,
|
|
|
|
AccessMode,
|
|
|
|
&Status))
|
|
|
|
{
|
|
|
|
/* Return the object */
|
|
|
|
*ObjectPtr = Object;
|
|
|
|
}
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
2006-05-25 12:17:29 +08:00
|
|
|
|
|
|
|
/* Free the access state */
|
|
|
|
if (PassedAccessState == &AccessState)
|
|
|
|
{
|
|
|
|
SeDeleteAccessState(PassedAccessState);
|
|
|
|
}
|
|
|
|
|
|
|
|
Quickie:
|
|
|
|
/* Free the captured name if we had one, and return status */
|
2007-01-09 05:02:22 +08:00
|
|
|
ObpFreeObjectNameBuffer(&ObjectName);
|
2006-05-25 12:17:29 +08:00
|
|
|
return Status;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
2006-06-05 13:07:44 +08:00
|
|
|
NTSTATUS
|
|
|
|
NTAPI
|
|
|
|
ObReferenceObjectByHandle(IN HANDLE Handle,
|
|
|
|
IN ACCESS_MASK DesiredAccess,
|
|
|
|
IN POBJECT_TYPE ObjectType,
|
|
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
|
|
OUT PVOID* Object,
|
|
|
|
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
|
|
|
PHANDLE_TABLE_ENTRY HandleEntry;
|
|
|
|
POBJECT_HEADER ObjectHeader;
|
|
|
|
ACCESS_MASK GrantedAccess;
|
|
|
|
ULONG Attributes;
|
2006-06-05 13:07:44 +08:00
|
|
|
PEPROCESS CurrentProcess;
|
|
|
|
PVOID HandleTable;
|
|
|
|
PETHREAD CurrentThread;
|
|
|
|
NTSTATUS Status;
|
2006-05-25 06:07:11 +08:00
|
|
|
PAGED_CODE();
|
|
|
|
|
2007-01-10 11:35:59 +08:00
|
|
|
/* Assume failure */
|
|
|
|
*Object = NULL;
|
2006-05-25 06:07:11 +08:00
|
|
|
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Check if this is a special handle */
|
|
|
|
if (HandleToLong(Handle) < 0)
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Check if this is the current process */
|
|
|
|
if (Handle == NtCurrentProcess())
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Check if this is the right object type */
|
|
|
|
if ((ObjectType == PsProcessType) || !(ObjectType))
|
|
|
|
{
|
|
|
|
/* Get the current process and granted access */
|
|
|
|
CurrentProcess = PsGetCurrentProcess();
|
|
|
|
GrantedAccess = CurrentProcess->GrantedAccess;
|
2007-10-20 07:21:45 +08:00
|
|
|
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Validate access */
|
2007-10-12 17:52:23 +08:00
|
|
|
/* ~GrantedAccess = RefusedAccess.*/
|
|
|
|
/* ~GrantedAccess & DesiredAccess = list of refused bits. */
|
|
|
|
/* !(~GrantedAccess & DesiredAccess) == TRUE means ALL requested rights are granted */
|
2007-09-30 16:32:34 +08:00
|
|
|
if ((AccessMode == KernelMode) ||
|
|
|
|
!(~GrantedAccess & DesiredAccess))
|
2007-10-20 07:21:45 +08:00
|
|
|
{
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Check if the caller wanted handle information */
|
|
|
|
if (HandleInformation)
|
|
|
|
{
|
|
|
|
/* Return it */
|
|
|
|
HandleInformation->HandleAttributes = 0;
|
|
|
|
HandleInformation->GrantedAccess = GrantedAccess;
|
|
|
|
}
|
2007-10-20 07:21:45 +08:00
|
|
|
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Reference ourselves */
|
|
|
|
ObjectHeader = OBJECT_TO_OBJECT_HEADER(CurrentProcess);
|
2018-01-30 03:31:07 +08:00
|
|
|
InterlockedExchangeAddSizeT(&ObjectHeader->PointerCount, 1);
|
2007-10-20 07:21:45 +08:00
|
|
|
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Return the pointer */
|
|
|
|
*Object = CurrentProcess;
|
|
|
|
ASSERT(*Object != NULL);
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* Access denied */
|
|
|
|
Status = STATUS_ACCESS_DENIED;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* The caller used this special handle value with a non-process type */
|
|
|
|
Status = STATUS_OBJECT_TYPE_MISMATCH;
|
|
|
|
}
|
2007-10-20 07:21:45 +08:00
|
|
|
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Return the status */
|
|
|
|
return Status;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
2007-09-30 16:32:34 +08:00
|
|
|
else if (Handle == NtCurrentThread())
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Check if this is the right object type */
|
|
|
|
if ((ObjectType == PsThreadType) || !(ObjectType))
|
|
|
|
{
|
|
|
|
/* Get the current process and granted access */
|
|
|
|
CurrentThread = PsGetCurrentThread();
|
|
|
|
GrantedAccess = CurrentThread->GrantedAccess;
|
2007-10-20 07:21:45 +08:00
|
|
|
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Validate access */
|
2007-10-12 17:52:23 +08:00
|
|
|
/* ~GrantedAccess = RefusedAccess.*/
|
|
|
|
/* ~GrantedAccess & DesiredAccess = list of refused bits. */
|
|
|
|
/* !(~GrantedAccess & DesiredAccess) == TRUE means ALL requested rights are granted */
|
2007-09-30 16:32:34 +08:00
|
|
|
if ((AccessMode == KernelMode) ||
|
|
|
|
!(~GrantedAccess & DesiredAccess))
|
2007-10-20 07:21:45 +08:00
|
|
|
{
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Check if the caller wanted handle information */
|
|
|
|
if (HandleInformation)
|
|
|
|
{
|
|
|
|
/* Return it */
|
|
|
|
HandleInformation->HandleAttributes = 0;
|
|
|
|
HandleInformation->GrantedAccess = GrantedAccess;
|
|
|
|
}
|
2007-10-20 07:21:45 +08:00
|
|
|
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Reference ourselves */
|
|
|
|
ObjectHeader = OBJECT_TO_OBJECT_HEADER(CurrentThread);
|
2018-01-30 03:31:07 +08:00
|
|
|
InterlockedExchangeAddSizeT(&ObjectHeader->PointerCount, 1);
|
2007-10-20 07:21:45 +08:00
|
|
|
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Return the pointer */
|
|
|
|
*Object = CurrentThread;
|
|
|
|
ASSERT(*Object != NULL);
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* Access denied */
|
|
|
|
Status = STATUS_ACCESS_DENIED;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* The caller used this special handle value with a non-process type */
|
|
|
|
Status = STATUS_OBJECT_TYPE_MISMATCH;
|
|
|
|
}
|
2007-10-20 07:21:45 +08:00
|
|
|
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Return the status */
|
|
|
|
return Status;
|
|
|
|
}
|
|
|
|
else if (AccessMode == KernelMode)
|
|
|
|
{
|
|
|
|
/* Use the kernel handle table and get the actual handle value */
|
|
|
|
Handle = ObKernelHandleToHandle(Handle);
|
|
|
|
HandleTable = ObpKernelHandleTable;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* Invalid access, fail */
|
|
|
|
return STATUS_INVALID_HANDLE;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2006-06-05 13:07:44 +08:00
|
|
|
/* Otherwise use this process's handle table */
|
|
|
|
HandleTable = PsGetCurrentProcess()->ObjectTable;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
2006-06-05 13:07:44 +08:00
|
|
|
/* Enter a critical region while we touch the handle table */
|
2007-01-10 11:35:59 +08:00
|
|
|
ASSERT(HandleTable != NULL);
|
2006-05-25 06:07:11 +08:00
|
|
|
KeEnterCriticalRegion();
|
|
|
|
|
2006-06-05 13:07:44 +08:00
|
|
|
/* Get the handle entry */
|
|
|
|
HandleEntry = ExMapHandleToPointer(HandleTable, Handle);
|
|
|
|
if (HandleEntry)
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2006-06-05 13:07:44 +08:00
|
|
|
/* Get the object header and validate the type*/
|
2007-01-22 16:15:17 +08:00
|
|
|
ObjectHeader = ObpGetHandleObject(HandleEntry);
|
2006-06-05 13:07:44 +08:00
|
|
|
if (!(ObjectType) || (ObjectType == ObjectHeader->Type))
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2006-06-05 13:07:44 +08:00
|
|
|
/* Get the granted access and validate it */
|
|
|
|
GrantedAccess = HandleEntry->GrantedAccess;
|
2007-10-20 07:21:45 +08:00
|
|
|
|
2007-09-30 16:32:34 +08:00
|
|
|
/* Validate access */
|
2007-10-12 17:52:23 +08:00
|
|
|
/* ~GrantedAccess = RefusedAccess.*/
|
|
|
|
/* ~GrantedAccess & DesiredAccess = list of refused bits. */
|
|
|
|
/* !(~GrantedAccess & DesiredAccess) == TRUE means ALL requested rights are granted */
|
2006-06-05 13:07:44 +08:00
|
|
|
if ((AccessMode == KernelMode) ||
|
2007-09-30 16:32:34 +08:00
|
|
|
!(~GrantedAccess & DesiredAccess))
|
2006-06-05 13:07:44 +08:00
|
|
|
{
|
|
|
|
/* Reference the object directly since we have its header */
|
2018-01-30 03:31:07 +08:00
|
|
|
InterlockedIncrementSizeT(&ObjectHeader->PointerCount);
|
2006-06-05 13:07:44 +08:00
|
|
|
|
|
|
|
/* Mask out the internal attributes */
|
2007-01-22 16:15:17 +08:00
|
|
|
Attributes = HandleEntry->ObAttributes & OBJ_HANDLE_ATTRIBUTES;
|
2006-06-05 13:07:44 +08:00
|
|
|
|
|
|
|
/* Check if the caller wants handle information */
|
|
|
|
if (HandleInformation)
|
|
|
|
{
|
|
|
|
/* Fill out the information */
|
|
|
|
HandleInformation->HandleAttributes = Attributes;
|
|
|
|
HandleInformation->GrantedAccess = GrantedAccess;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Return the pointer */
|
|
|
|
*Object = &ObjectHeader->Body;
|
|
|
|
|
|
|
|
/* Unlock the handle */
|
|
|
|
ExUnlockHandleTableEntry(HandleTable, HandleEntry);
|
2007-01-10 11:35:59 +08:00
|
|
|
KeLeaveCriticalRegion();
|
2006-06-05 13:07:44 +08:00
|
|
|
|
|
|
|
/* Return success */
|
2007-01-10 11:35:59 +08:00
|
|
|
ASSERT(*Object != NULL);
|
2006-06-05 13:07:44 +08:00
|
|
|
return STATUS_SUCCESS;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* Requested access failed */
|
2007-09-01 18:04:15 +08:00
|
|
|
DPRINT("Rights not granted: %x\n", ~GrantedAccess & DesiredAccess);
|
2006-06-05 13:07:44 +08:00
|
|
|
Status = STATUS_ACCESS_DENIED;
|
|
|
|
}
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
2006-06-05 13:07:44 +08:00
|
|
|
else
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2006-06-05 13:07:44 +08:00
|
|
|
/* Invalid object type */
|
|
|
|
Status = STATUS_OBJECT_TYPE_MISMATCH;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
2006-06-05 13:07:44 +08:00
|
|
|
/* Unlock the entry */
|
|
|
|
ExUnlockHandleTableEntry(HandleTable, HandleEntry);
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
2006-06-05 13:07:44 +08:00
|
|
|
else
|
2006-05-25 06:07:11 +08:00
|
|
|
{
|
2006-06-05 13:07:44 +08:00
|
|
|
/* Invalid handle */
|
|
|
|
Status = STATUS_INVALID_HANDLE;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
2006-06-05 13:07:44 +08:00
|
|
|
/* Return failure status */
|
2006-05-25 06:07:11 +08:00
|
|
|
KeLeaveCriticalRegion();
|
2006-06-05 13:07:44 +08:00
|
|
|
*Object = NULL;
|
|
|
|
return Status;
|
2006-05-25 06:07:11 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* EOF */
|