fixed multiple vulnerabilities in sysfn70 caused by absence of user addresses check
git-svn-id: svn://kolibrios.org@8680 a494cfbc-eb01-0410-851d-a64ba20cac60
parent
f8a8da3991
commit
7f4ba4d3e1
@ -385,7 +385,12 @@ proc get_fileinfo stdcall, file_name:dword, info:dword
|
||||
|
||||
mov eax, 70
|
||||
lea ebx, [cmd]
|
||||
int 0x40
|
||||
pushad
|
||||
cld
|
||||
call protect_from_terminate
|
||||
call file_system_lfn
|
||||
call unprotect_from_terminate
|
||||
popad
|
||||
ret
|
||||
endp
|
||||
|
||||
|
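Review bot: The direct `call file_system_lfn` in get_fileinfo intentionally bypasses the user-address check that system function 70 now performs in syscall_file_system_lfn, presumably because `cmd` is a kernel-resident structure that would not pass is_region_userspace; that reasoning is not recorded anywhere in the hunk. A comment on the call such as `; cmd lives in kernel memory: call file_system_lfn directly, not via the sysfn70 entry that enforces the userspace check` would keep the next reader from "restoring" the int 0x40 path. If `mov eax, 70` survives on the new side it is now dead, since file_system_lfn takes its parameter structure in ebx. The proc header of get_fileinfo is outside the hunk.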
@ -168,7 +168,7 @@ iglobal
|
||||
dd syscall_move_window ; 67-Window move or resize
|
||||
dd f68 ; 68-Some internal services
|
||||
dd sys_debug_services ; 69-Debug
|
||||
dd file_system_lfn ; 70-Common file system interface, version 2
|
||||
dd syscall_file_system_lfn ; 70-Common file system interface, version 2
|
||||
dd syscall_window_settings ; 71-Window settings
|
||||
dd sys_sendwindowmsg ; 72-Send window message
|
||||
dd blit_32 ; 73-blitter;
|
||||
@ -178,7 +178,7 @@ iglobal
|
||||
dd sys_posix ; posix support
|
||||
dd undefined_syscall ; 78-free
|
||||
dd undefined_syscall ; 79-free
|
||||
dd fileSystemUnicode ; 80-File system interface for different encodings
|
||||
dd syscall_fileSystemUnicode ; 80-File system interface for different encodings
|
||||
|
||||
times 255 - ( ($-servetable2) /4 ) dd undefined_syscall
|
||||
dd sys_end ; -1-end application
|
||||
|
@ -26,6 +26,93 @@ maxPathLength = 1000h
|
||||
image_of_eax EQU esp+32
|
||||
image_of_ebx EQU esp+20
|
||||
|
||||
; System function 70 security check
|
||||
align 4
|
||||
proc file_system_is_operation_safe stdcall, inf_struct_ptr: dword
|
||||
; in:
|
||||
; inf_struct_ptr = pointer to information structure was given to sysfn70
|
||||
; out: ZF = 1 if operation is safe
|
||||
; ZF = 0 if operation can cause kernel crash
|
||||
push ebx ecx edx
|
||||
xor ecx, ecx ; ecx - length of target buffer
|
||||
|
||||
mov ebx, [inf_struct_ptr]
|
||||
mov edx, [ebx + 16] ; base of target buffer
|
||||
|
||||
cmp dword [ebx], 0 ; if 70.0
|
||||
jnz .case1
|
||||
mov ecx, dword [ebx + 12]
|
||||
jmp .end_switch
|
||||
|
||||
.case1:
|
||||
cmp dword [ebx], 1 ; if 70.1
|
||||
jnz .case2_3
|
||||
;mov ecx, 32
|
||||
cmp dword [ebx + 8], 1 ; check encoding
|
||||
jbe .case1_304 ; if encdoing <= 1 i.e cpp866
|
||||
mov ecx, 560 ; if unicode then bdvk block len is 560 bytes
|
||||
jmp .case1_end
|
||||
.case1_304:
|
||||
mov ecx, 304 ; if cp866 then bdvk block len is 304 bytes
|
||||
.case1_end:
|
||||
imul ecx, dword [ebx + 12] ; multiply bdvk length by their count
|
||||
add ecx, 32 ; add result header len
|
||||
jmp .end_switch
|
||||
|
||||
.case2_3:
|
||||
cmp dword [ebx], 3
|
||||
ja .case5 ; if subfn > 3
|
||||
mov ecx, dword [ebx + 12]
|
||||
jmp .end_switch
|
||||
|
||||
.case5:
|
||||
cmp dword [ebx], 5
|
||||
jnz .case6
|
||||
mov ecx, 40
|
||||
jmp .end_switch
|
||||
|
||||
.case6:
|
||||
cmp dword [ebx], 6
|
||||
jnz .switch_none
|
||||
mov ecx, 32
|
||||
jmp .end_switch
|
||||
|
||||
.switch_none:
|
||||
mov ecx, 1
|
||||
test ecx, ecx
|
||||
jmp .ret
|
||||
|
||||
.end_switch:
|
||||
;;
|
||||
stdcall is_region_userspace, edx, ecx
|
||||
.ret:
|
||||
pop edx ecx ebx
|
||||
ret
|
||||
endp
|
||||
|
||||
syscall_fileSystemUnicode:
|
||||
; in: ebx -> f.80 parameter structure
|
||||
stdcall file_system_is_operation_safe, ebx
|
||||
jnz @f
|
||||
|
||||
DEBUGF 1, "sysfn80 addr error\n"
|
||||
mov dword [image_of_eax], ERROR_MEMORY_POINTER
|
||||
ret
|
||||
@@:
|
||||
jmp fileSystemUnicode
|
||||
|
||||
syscall_file_system_lfn:
|
||||
; in: ebx -> f.70 parameter structure
|
||||
stdcall file_system_is_operation_safe, ebx
|
||||
jnz @f
|
||||
|
||||
DEBUGF 1, "sysfn70 addr error\n"
|
||||
mov dword [image_of_eax], ERROR_MEMORY_POINTER
|
||||
ret
|
||||
@@:
|
||||
jmp file_system_lfn
|
||||
|
||||
|
||||
; System function 70
|
||||
|
||||
file_system_lfn_protected:
|
||||
|
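Review bot: file_system_is_operation_safe reads the caller-supplied structure (`mov edx, [ebx + 16]`, `cmp dword [ebx], 0`, `[ebx + 8]`, `[ebx + 12]`) before anything has confirmed that the structure itself lies in user space, so a structure pointer into kernel or unmapped memory still reaches the kernel unchecked; the same `is_region_userspace` check should be applied to ebx for the fixed header (offsets 0 through 16 that the switch reads) before the first dereference, and the path that follows the header in the f.70 layout still goes unvalidated. In the 70.1 branch `imul ecx, dword [ebx + 12]` and the following `add ecx, 32` can wrap in 32 bits, so a huge block count yields a small ecx that passes the region check while the directory read still produces count*304 or count*560 bytes; reject on the overflow/carry flag after each of those two instructions (`jo`/`jc` to the reject path) or cap the count. The header comment states `ZF = 1 if operation is safe`, but both callers proceed on `jnz @f` and the `.switch_none` path deliberately produces ZF = 0 for subfunctions 4, 7, 8 and 9 that carry no buffer, so either the comment or the default branch is inverted — which one depends on what is_region_userspace returns, which is outside the hunk, so the intended polarity should be stated explicitly in the header and next to `.switch_none`. The leftover `;mov ecx, 32` and the bare `;;` before the stdcall are dead comment text and should go. file_system_lfn_protected's body continues past the hunk.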