
commit 55857674608c9e06593e5bf31d33e390c10df23f
Author:     Eric Kohl <[email protected]>
AuthorDate: Sun May 2 12:46:19 2021 +0200
Commit:     Eric Kohl <[email protected]>
CommitDate: Sun May 2 12:46:55 2021 +0200

    [NTOS:PS] Rewrite NtQueryInformationThread to match 
NtQueryInformationProcess
    
    The information length must always be checked before referencing the thread 
object. This fixes the remaining test failure.
---
 ntoskrnl/ps/query.c | 133 +++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 122 insertions(+), 11 deletions(-)

diff --git a/ntoskrnl/ps/query.c b/ntoskrnl/ps/query.c
index 7c8737cba93..fa8d201c249 100644
--- a/ntoskrnl/ps/query.c
+++ b/ntoskrnl/ps/query.c
@@ -2538,15 +2538,6 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
     /* Check what class this is */
     Access = THREAD_QUERY_INFORMATION;
 
-    /* Reference the process */
-    Status = ObReferenceObjectByHandle(ThreadHandle,
-                                       Access,
-                                       PsThreadType,
-                                       PreviousMode,
-                                       (PVOID*)&Thread,
-                                       NULL);
-    if (!NT_SUCCESS(Status)) return Status;
-
     /* Check what kind of information class this is */
     switch (ThreadInformationClass)
     {
@@ -2561,6 +2552,17 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 Status = STATUS_INFO_LENGTH_MISMATCH;
                 break;
             }
+
+            /* Reference the process */
+            Status = ObReferenceObjectByHandle(ThreadHandle,
+                                               Access,
+                                               PsThreadType,
+                                               PreviousMode,
+                                               (PVOID*)&Thread,
+                                               NULL);
+            if (!NT_SUCCESS(Status))
+                break;
+
             /* Protect writes with SEH */
             _SEH2_TRY
             {
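Review bot: The comment introduced above the added ObReferenceObjectByHandle call reads `/* Reference the process */`, but the call references a thread (PsThreadType, written into &Thread); the wording was carried over from NtQueryInformationProcess and should be `/* Reference the thread */`. The same copied comment appears in every other hunk that adds the reference: the thread time information case, ThreadQuerySetWin32StartAddress, ThreadPerformanceCount, ThreadAmILastThread, ThreadIsIoPending, ThreadDescriptorTableEntry, the DisableBoost case and ThreadIsTerminated. As a matter of style, the nine-line reference block followed by `if (!NT_SUCCESS(Status)) break;` is now duplicated ten times; if the per-case placement is kept to mirror NtQueryInformationProcess, a one-line wrapper for the reference call would at least leave a single place to maintain the access and type arguments. The enclosing function NtQueryInformationThread starts and ends outside this hunk.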
@@ -2578,6 +2580,9 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 Status = _SEH2_GetExceptionCode();
             }
             _SEH2_END;
+
+            /* Dereference the thread */
+            ObDereferenceObject(Thread);
             break;
 
         /* Thread time information */
@@ -2591,6 +2596,17 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 Status = STATUS_INFO_LENGTH_MISMATCH;
                 break;
             }
+
+            /* Reference the process */
+            Status = ObReferenceObjectByHandle(ThreadHandle,
+                                               Access,
+                                               PsThreadType,
+                                               PreviousMode,
+                                               (PVOID*)&Thread,
+                                               NULL);
+            if (!NT_SUCCESS(Status))
+                break;
+
             /* Protect writes with SEH */
             _SEH2_TRY
             {
@@ -2615,6 +2631,9 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 Status = _SEH2_GetExceptionCode();
             }
             _SEH2_END;
+
+            /* Dereference the thread */
+            ObDereferenceObject(Thread);
             break;
 
         case ThreadQuerySetWin32StartAddress:
@@ -2627,6 +2646,17 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 Status = STATUS_INFO_LENGTH_MISMATCH;
                 break;
             }
+
+            /* Reference the process */
+            Status = ObReferenceObjectByHandle(ThreadHandle,
+                                               Access,
+                                               PsThreadType,
+                                               PreviousMode,
+                                               (PVOID*)&Thread,
+                                               NULL);
+            if (!NT_SUCCESS(Status))
+                break;
+
             /* Protect write with SEH */
             _SEH2_TRY
             {
@@ -2639,6 +2669,9 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 Status = _SEH2_GetExceptionCode();
             }
             _SEH2_END;
+
+            /* Dereference the thread */
+            ObDereferenceObject(Thread);
             break;
 
         case ThreadPerformanceCount:
@@ -2651,6 +2684,17 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 Status = STATUS_INFO_LENGTH_MISMATCH;
                 break;
             }
+
+            /* Reference the process */
+            Status = ObReferenceObjectByHandle(ThreadHandle,
+                                               Access,
+                                               PsThreadType,
+                                               PreviousMode,
+                                               (PVOID*)&Thread,
+                                               NULL);
+            if (!NT_SUCCESS(Status))
+                break;
+
             /* Protect write with SEH */
             _SEH2_TRY
             {
@@ -2663,6 +2707,9 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 Status = _SEH2_GetExceptionCode();
             }
             _SEH2_END;
+
+            /* Dereference the thread */
+            ObDereferenceObject(Thread);
             break;
 
         case ThreadAmILastThread:
@@ -2675,6 +2722,17 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 Status = STATUS_INFO_LENGTH_MISMATCH;
                 break;
             }
+
+            /* Reference the process */
+            Status = ObReferenceObjectByHandle(ThreadHandle,
+                                               Access,
+                                               PsThreadType,
+                                               PreviousMode,
+                                               (PVOID*)&Thread,
+                                               NULL);
+            if (!NT_SUCCESS(Status))
+                break;
+
             /* Protect write with SEH */
             _SEH2_TRY
             {
@@ -2691,6 +2749,9 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 Status = _SEH2_GetExceptionCode();
             }
             _SEH2_END;
+
+            /* Dereference the thread */
+            ObDereferenceObject(Thread);
             break;
 
         case ThreadIsIoPending:
@@ -2703,6 +2764,17 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 Status = STATUS_INFO_LENGTH_MISMATCH;
                 break;
             }
+
+            /* Reference the process */
+            Status = ObReferenceObjectByHandle(ThreadHandle,
+                                               Access,
+                                               PsThreadType,
+                                               PreviousMode,
+                                               (PVOID*)&Thread,
+                                               NULL);
+            if (!NT_SUCCESS(Status))
+                break;
+
             /* Raise the IRQL to protect the IRP list */
             KeRaiseIrql(APC_LEVEL, &OldIrql);
 
@@ -2721,17 +2793,33 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
 
             /* Lower IRQL back */
             KeLowerIrql(OldIrql);
+
+            /* Dereference the thread */
+            ObDereferenceObject(Thread);
             break;
 
         /* LDT and GDT information */
         case ThreadDescriptorTableEntry:
 
 #if defined(_X86_)
+            /* Reference the process */
+            Status = ObReferenceObjectByHandle(ThreadHandle,
+                                               Access,
+                                               PsThreadType,
+                                               PreviousMode,
+                                               (PVOID*)&Thread,
+                                               NULL);
+            if (!NT_SUCCESS(Status))
+                break;
+
             /* Call the worker routine */
             Status = PspQueryDescriptorThread(Thread,
                                               ThreadInformation,
                                               ThreadInformationLength,
                                               ReturnLength);
+
+            /* Dereference the thread */
+            ObDereferenceObject(Thread);
 #else
             /* Only implemented on x86 */
             Status = STATUS_NOT_IMPLEMENTED;
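Review bot: In the ThreadDescriptorTableEntry case the thread is referenced immediately after `#if defined(_X86_)`, before any information-length check, which is the ordering the commit message says must not happen; the other cases in this commit check the length first and only then take the reference. The length validation for this class presumably lives inside PspQueryDescriptorThread, which is not visible here, so the observable difference would be that an invalid handle is reported ahead of a wrong buffer size for this class only. If the intent is the same precedence as the other classes, an explicit check such as `if (ThreadInformationLength != sizeof(DESCRIPTOR_TABLE_ENTRY)) { Status = STATUS_INFO_LENGTH_MISMATCH; break; }` ahead of the reference would align it, provided that matches what the worker routine enforces. NtQueryInformationThread starts and ends outside this hunk.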
@@ -2749,6 +2837,16 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 break;
             }
 
+            /* Reference the process */
+            Status = ObReferenceObjectByHandle(ThreadHandle,
+                                               Access,
+                                               PsThreadType,
+                                               PreviousMode,
+                                               (PVOID*)&Thread,
+                                               NULL);
+            if (!NT_SUCCESS(Status))
+                break;
+
             _SEH2_TRY
             {
                 *(PULONG)ThreadInformation = Thread->Tcb.DisableBoost ? 1 : 0;
@@ -2758,6 +2856,9 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 Status = _SEH2_GetExceptionCode();
             }
             _SEH2_END;
+
+            /* Dereference the thread */
+            ObDereferenceObject(Thread);
             break;
 
         case ThreadIsTerminated:
@@ -2771,6 +2872,16 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
                 break;
             }
 
+            /* Reference the process */
+            Status = ObReferenceObjectByHandle(ThreadHandle,
+                                               Access,
+                                               PsThreadType,
+                                               PreviousMode,
+                                               (PVOID*)&Thread,
+                                               NULL);
+            if (!NT_SUCCESS(Status))
+                break;
+
             ThreadTerminated = PsIsThreadTerminating(Thread);
 
             _SEH2_TRY
@@ -2783,6 +2894,8 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
             }
             _SEH2_END;
 
+            /* Dereference the thread */
+            ObDereferenceObject(Thread);
             break;
 
         /* Anything else */
@@ -2806,8 +2919,6 @@ NtQueryInformationThread(IN HANDLE ThreadHandle,
     }
     _SEH2_END;
 
-    /* Dereference the thread, and return */
-    ObDereferenceObject(Thread);
     return Status;
 }
 
