https://git.reactos.org/?p=reactos.git;a=commitdiff;h=e3ac541360d92cd23e38383551b8bbb6e7046536
commit e3ac541360d92cd23e38383551b8bbb6e7046536 Author: Mark Jansen <[email protected]> AuthorDate: Sun Oct 23 21:34:04 2022 +0200 Commit: Mark Jansen <[email protected]> CommitDate: Tue Nov 1 21:26:05 2022 +0100 [RTL] Use RtlApplicationVerifierStop for DPH --- sdk/include/reactos/verifier.h | 29 +++++++++++++ sdk/lib/rtl/heappage.c | 95 ++++++++++++++++++++++++++++++++++-------- 2 files changed, 107 insertions(+), 17 deletions(-) diff --git a/sdk/include/reactos/verifier.h b/sdk/include/reactos/verifier.h index b0e8413d158..112f9dd9b92 100644 --- a/sdk/include/reactos/verifier.h +++ b/sdk/include/reactos/verifier.h @@ -83,4 +83,33 @@ typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR { #define RTL_VRF_DBG_ENTRYPOINT_HOOKS 0x10000 #define RTL_VRF_DBG_ENTRYPOINT_CALLS 0x20000 + +// Verifier stop codes + +#define APPLICATION_VERIFIER_CORRUPT_HEAP_POINTER 0x0006 +#define APPLICATION_VERIFIER_DOUBLE_FREE 0x0007 + +#define APPLICATION_VERIFIER_EXCEPTION_WHILE_VERIFYING_BLOCK_HEADER 0x000B +#define APPLICATION_VERIFIER_CORRUPTED_HEAP_BLOCK_AFTER_FREE 0x000D +#define APPLICATION_VERIFIER_CORRUPTED_INFIX_PATTERN 0x000E +#define APPLICATION_VERIFIER_CORRUPTED_SUFFIX_PATTERN 0x000F +#define APPLICATION_VERIFIER_CORRUPTED_START_STAMP 0x0010 +#define APPLICATION_VERIFIER_CORRUPTED_END_STAMP 0x0011 +#define APPLICATION_VERIFIER_CORRUPTED_PREFIX_PATTERN 0x0012 + + +VOID NTAPI +RtlApplicationVerifierStop( + _In_ ULONG_PTR Code, + _In_ PCSTR Message, + _In_ PVOID Value1, + _In_ PCSTR Description1, + _In_ PVOID Value2, + _In_ PCSTR Description2, + _In_ PVOID Value3, + _In_ PCSTR Description3, + _In_ PVOID Value4, + _In_ PCSTR Description4); + + #endif // REACTOS_VERIFIER_H diff --git a/sdk/lib/rtl/heappage.c b/sdk/lib/rtl/heappage.c index 724cccff73f..e15d981e4ef 100644 --- a/sdk/lib/rtl/heappage.c +++ b/sdk/lib/rtl/heappage.c @@ -15,6 +15,7 @@ #include <rtl.h> #include <heap.h> +#include <reactos/verifier.h> #define NDEBUG #include <debug.h> @@ -192,7 +193,11 @@ BOOLEAN NTAPI RtlpDphIsNormalFreeHeapBlock(PVOID Block, PULONG ValidationInformation, BOOLEAN CheckFillers); VOID NTAPI -RtlpDphReportCorruptedBlock(PDPH_HEAP_ROOT DphRoot, ULONG Reserved, PVOID Block, ULONG ValidationInfo); +RtlpDphReportCorruptedBlock( + _In_ PDPH_HEAP_ROOT DphRoot, + _In_ ULONG Reserved, + _In_ PVOID Block, + _In_ ULONG ValidationInfo); BOOLEAN NTAPI RtlpDphNormalHeapValidate(PDPH_HEAP_ROOT DphRoot, ULONG Flags, PVOID BaseAddress); @@ -231,6 +236,27 @@ RtlpDphPointerFromHandle(PVOID Handle) return NULL; } +PVOID NTAPI +RtlpDphHeapFromPointer(PDPH_HEAP_ROOT DphHeap) +{ + return ((PUCHAR)DphHeap) - PAGE_SIZE; +} + +ULONG NTAPI +RtlpDphGetBlockSizeFromCorruptedBlock(PVOID Block) +{ + PDPH_BLOCK_INFORMATION BlockInfo; + BlockInfo = (PDPH_BLOCK_INFORMATION)Block - 1; + + /* Check stamps */ + if (BlockInfo->StartStamp != DPH_FILL_START_STAMP_1 && BlockInfo->StartStamp != DPH_FILL_START_STAMP_2) + { + return 0; + } + + return BlockInfo->RequestedSize; +} + VOID NTAPI RtlpDphEnterCriticalSection(PDPH_HEAP_ROOT DphRoot, ULONG Flags) { @@ -1297,59 +1323,94 @@ RtlpDphVerifyIntegrity(PDPH_HEAP_ROOT DphRoot) } VOID NTAPI -RtlpDphReportCorruptedBlock(PDPH_HEAP_ROOT DphRoot, - ULONG Reserved, - PVOID Block, - ULONG ValidationInfo) +RtlpDphReportCorruptedBlock( + _In_ PDPH_HEAP_ROOT DphRoot, + _In_ ULONG Reserved, + _In_ PVOID Block, + _In_ ULONG ValidationInfo) { - //RtlpDphGetBlockSizeFromCorruptedBlock(); + PVOID Size = (PVOID)(ULONG_PTR)RtlpDphGetBlockSizeFromCorruptedBlock(Block); + DPH_BLOCK_INFORMATION SafeInfo = {0}; + + DPRINT1("Corrupted heap block %p\n", Block); + + _SEH2_TRY + { + PDPH_BLOCK_INFORMATION BlockInfo = (PDPH_BLOCK_INFORMATION)Block - 1; + RtlCopyMemory(&SafeInfo, BlockInfo, sizeof(SafeInfo)); + } + _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) + { + DPRINT1("ERROR: Could not read DPH_BLOCK_INFORMATION\n"); + RtlZeroMemory(&SafeInfo, sizeof(SafeInfo)); + } + _SEH2_END; if (ValidationInfo & DPH_VALINFO_CORRUPTED_AFTER_FREE) { - DPRINT1("block corrupted after having been freed\n"); + RtlApplicationVerifierStop( + APPLICATION_VERIFIER_CORRUPTED_HEAP_BLOCK_AFTER_FREE, "block corrupted after having been freed", + RtlpDphHeapFromPointer(DphRoot), "Heap handle", Block, "Heap block", (PVOID)Size, "Block size", 0, ""); } if (ValidationInfo & DPH_VALINFO_ALREADY_FREED) { - DPRINT1("block already freed\n"); + RtlApplicationVerifierStop( + APPLICATION_VERIFIER_DOUBLE_FREE, "block already freed", RtlpDphHeapFromPointer(DphRoot), "Heap handle", + Block, "Heap block", Size, "Block size", 0, ""); } if (ValidationInfo & DPH_VALINFO_BAD_INFIX_PATTERN) { - DPRINT1("corrupted infix pattern for freed block\n"); + RtlApplicationVerifierStop( + APPLICATION_VERIFIER_CORRUPTED_INFIX_PATTERN, "corrupted infix pattern for freed block", + RtlpDphHeapFromPointer(DphRoot), "Heap handle", Block, "Heap block", Size, "Block size", 0, ""); } if (ValidationInfo & DPH_VALINFO_BAD_POINTER) { - DPRINT1("corrupted heap pointer or using wrong heap\n"); + RtlApplicationVerifierStop( + APPLICATION_VERIFIER_CORRUPT_HEAP_POINTER, "corrupted heap pointer or using wrong heap", + RtlpDphHeapFromPointer(DphRoot), "Heap handle used", Block, "Heap block", Size, "Block size", + SafeInfo.Heap, "Actual heap handle"); } if (ValidationInfo & DPH_VALINFO_BAD_SUFFIX_PATTERN) { - DPRINT1("corrupted suffix pattern\n"); + RtlApplicationVerifierStop( + APPLICATION_VERIFIER_CORRUPTED_SUFFIX_PATTERN, "corrupted suffix pattern", RtlpDphHeapFromPointer(DphRoot), + "Heap handle used", Block, "Heap block", Size, "Block size", 0, ""); } if (ValidationInfo & DPH_VALINFO_BAD_PREFIX_PATTERN) { - DPRINT1("corrupted prefix pattern\n"); + RtlApplicationVerifierStop( + APPLICATION_VERIFIER_CORRUPTED_PREFIX_PATTERN, "corrupted prefix pattern", RtlpDphHeapFromPointer(DphRoot), + "Heap handle used", Block, "Heap block", Size, "Block size", 0, ""); } if (ValidationInfo & DPH_VALINFO_BAD_START_STAMP) { - DPRINT1("corrupted start stamp\n"); + RtlApplicationVerifierStop( + APPLICATION_VERIFIER_CORRUPTED_START_STAMP, "corrupted start stamp", RtlpDphHeapFromPointer(DphRoot), + "Heap handle used", Block, "Heap block", Size, "Block size", (PVOID)(ULONG_PTR)SafeInfo.StartStamp, + "Corrupted start stamp"); } if (ValidationInfo & DPH_VALINFO_BAD_END_STAMP) { - DPRINT1("corrupted end stamp\n"); + RtlApplicationVerifierStop( + APPLICATION_VERIFIER_CORRUPTED_END_STAMP, "corrupted end stamp", RtlpDphHeapFromPointer(DphRoot), + "Heap handle used", Block, "Heap block", Size, "Block size", (PVOID)(ULONG_PTR)SafeInfo.EndStamp, + "Corrupted end stamp"); } if (ValidationInfo & DPH_VALINFO_EXCEPTION) { - DPRINT1("exception raised while verifying block\n"); + RtlApplicationVerifierStop( + APPLICATION_VERIFIER_EXCEPTION_WHILE_VERIFYING_BLOCK_HEADER, "exception raised while verifying block", + RtlpDphHeapFromPointer(DphRoot), "Heap handle used", Block, "Heap block", Size, "Block size", 0, ""); } - - DPRINT1("Corrupted heap block %p\n", Block); } BOOLEAN NTAPI
