On Friday 06 August 2010 19:03:57, Timo Kreuzer wrote:
> Hi,
>
> Please take care about proper protection of the user mode buffer. The
> current solution: probe and forget is not safe.
>
> Possibilities are:
> 1) SEH protected copying of the buffer, pass the copy of the buffer to
> lower level functions -> Easy to do, large overhead for large bitmaps.
> 2) SEH protected call to a lower level function, passing the user mode
> buffer. -> Not possible if the lower level function is either allocating
> any resources (unless also protected by SEH + finally) or can pass
> execution to 3rd party provided code, like drivers.
> 3) Be sure to have SEH at the lowest level (DIB) -> Not possible as the
> function might end up in a driver.
> 4) Use Mm to protect the buffer. Either with MmSecureVirtualMemory or
> double mapping using MmProbeAndLockPages + MmGetSystemAddressForMdlSafe.
>
> I think 4 is the way to go. While the overhead of remapping should be
> relatively small compared to a full copy, we are still wasting large
> amounts of system address space.
> MmSecureVirtualMemory might at first sound like a good solution, but
> beware, it has some pitfalls. While it protects a memory range from
> being freed, it doesn't protect it from being paged out. That wouldn't
> be a problem, unless the memory is not backed by the page file, but let's
> say a network resource, which becomes unavailable after a page was paged
> out. In this case we would get an in page error when trying to access
> the page, leading to a kernel crash. So unless we can be sure that the
> memory is backed by the page file, we need to additionally lock the
> pages into memory to be safe. Final thing to note is that
> MmSecureVirtualMemory is not implemented yet, but I hope with current
> work on the VAD code, we'll soon get a present (hint).
>
> Regards,
> Timo
>

I'm OK for 4. Looking for MmSecureVirtualMemory to be implemented.
Please note that for now, SURFACE::hSecure is hacked to be (HANDLE)1 so we can detect if the bitmap is a DIB. As now all **DIB** functions create a DIB, it will be secured in the process. Other bits can be PSEH-accessed during the DIB creation, as it is the only place they are used.
Regards.
Jérôme.

_______________________________________________
Ros-dev mailing list
[email protected]
http://www.reactos.org/mailman/listinfo/ros-dev
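The three outcomes Timo's mail argues about (probe-and-forget, MmSecureVirtualMemory alone, and MmProbeAndLockPages with a system mapping) can be made concrete with a host-side model. The block below is an added example, not ReactOS or Windows kernel code: the mm_* and user_* functions are a toy re-implementation of the semantics described in the mail (a VAD that can be freed, a page that can be evicted, a network-backed page that cannot be paged back in once the share is gone), written so the argument runs and can be checked on an ordinary C compiler. The enum names and the run_scenario helper are this example's own; only the overall sequence of protect / race / dereference follows the thread.

```c
/* Added example: a model of the user-buffer protection strategies from the thread.
 * NOT the NT API; every mm_* / user_* routine here is a toy stand-in (assumption). */
#include <stdbool.h>
#include <stdio.h>

typedef enum { BACKING_PAGEFILE, BACKING_NETWORK } backing_t;

typedef struct {
    bool      mapped;          /* user VA still valid (process has not freed it)      */
    bool      resident;        /* page is in RAM right now                            */
    bool      secured;         /* MmSecureVirtualMemory: Mm refuses to free the range */
    int       lock_count;      /* MmProbeAndLockPages: Mm refuses to evict the frame  */
    backing_t backing;         /* where the page lives once evicted                   */
    bool      backing_online;  /* for BACKING_NETWORK: is the share still reachable   */
    int       data;            /* the pixel byte the DIB code wants to read           */
} user_page_t;

typedef enum {
    ACCESS_OK = 0,
    FAULT_ACCESS_VIOLATION,    /* VA gone: survivable only where SEH is present       */
    FAULT_IN_PAGE_ERROR        /* page-in failed: a bugcheck if it hits in a driver   */
} outcome_t;

typedef enum { PROBE_AND_FORGET, SECURE_ONLY, LOCK_AND_MAP } strategy_t;

/* Process side: free the buffer out from under the kernel. */
static bool user_free(user_page_t *p)
{
    if (p->secured) return false;                 /* secured ranges cannot be freed   */
    p->mapped = false;
    if (p->lock_count == 0) p->resident = false;  /* locked frames outlive the VA     */
    return true;
}

/* Memory manager: try to evict the page. */
static bool mm_page_out(user_page_t *p)
{
    if (p->lock_count > 0) return false;          /* locked pages stay resident       */
    p->resident = false;
    return true;
}

/* Dereference through the user VA, as a DIB routine or a display driver would. */
static outcome_t mm_touch_user(user_page_t *p, int *out)
{
    if (!p->mapped) return FAULT_ACCESS_VIOLATION;
    if (!p->resident) {                           /* page-in needed                   */
        if (p->backing == BACKING_NETWORK && !p->backing_online)
            return FAULT_IN_PAGE_ERROR;           /* backing store is gone            */
        p->resident = true;                       /* page file / live share: fine     */
    }
    *out = p->data;
    return ACCESS_OK;
}

static void mm_secure(user_page_t *p)   { p->secured = true; }
static void mm_unsecure(user_page_t *p) { p->secured = false; }

/* Probe (faults here, under the caller's SEH) and pin the frame. */
static outcome_t mm_probe_and_lock(user_page_t *p)
{
    int dummy;
    outcome_t r = mm_touch_user(p, &dummy);
    if (r == ACCESS_OK) p->lock_count++;
    return r;
}
static void mm_unlock(user_page_t *p) { p->lock_count--; }

/* Dereference through the MDL system mapping: physical frame, independent of the user VA. */
static outcome_t mm_touch_system_mapping(user_page_t *p, int *out)
{
    if (p->lock_count == 0 || !p->resident) return FAULT_IN_PAGE_ERROR; /* misuse */
    *out = p->data;
    return ACCESS_OK;
}

/* One syscall lifetime: protect the buffer, let the user / Mm race against us,
 * then let a lower layer with no SEH of its own read it. Returns what it sees. */
outcome_t run_scenario(strategy_t s, backing_t backing, bool user_frees, bool evict)
{
    user_page_t p = { true, true, false, 0, backing, true, 0x2A };
    int v = 0;
    outcome_t r = ACCESS_OK;

    /* 1. what the top-level syscall does up front */
    if (s == PROBE_AND_FORGET && (r = mm_touch_user(&p, &v)) != ACCESS_OK) return r;
    if (s == SECURE_ONLY)  mm_secure(&p);
    if (s == LOCK_AND_MAP && (r = mm_probe_and_lock(&p)) != ACCESS_OK) return r;

    /* 2. concurrent events while lower layers hold the pointer */
    if (user_frees) user_free(&p);
    if (evict) { mm_page_out(&p); p.backing_online = false; }

    /* 3. the lower layer dereferences */
    r = (s == LOCK_AND_MAP) ? mm_touch_system_mapping(&p, &v) : mm_touch_user(&p, &v);

    /* 4. teardown */
    if (s == SECURE_ONLY)  mm_unsecure(&p);
    if (s == LOCK_AND_MAP) mm_unlock(&p);
    return r;
}

int main(void)
{
    static const char *name[] = { "ok", "ACCESS_VIOLATION", "IN_PAGE_ERROR" };
    printf("probe&forget, user frees          : %s\n", name[run_scenario(PROBE_AND_FORGET, BACKING_NETWORK, true,  false)]);
    printf("secure only,  user frees          : %s\n", name[run_scenario(SECURE_ONLY,      BACKING_NETWORK, true,  false)]);
    printf("secure only,  evicted, pagefile   : %s\n", name[run_scenario(SECURE_ONLY,      BACKING_PAGEFILE, false, true)]);
    printf("secure only,  evicted, share gone : %s\n", name[run_scenario(SECURE_ONLY,      BACKING_NETWORK, false, true)]);
    printf("lock+map,     both                : %s\n", name[run_scenario(LOCK_AND_MAP,     BACKING_NETWORK, true,  true)]);
    return 0;
}
```

The model reproduces the mail's conclusion: securing the range stops the free but not the eviction, so a network-backed page can still come back as an in-page error in a driver with no SEH around it, whereas pinning the frame and reading through the system mapping survives both the free and the eviction. It says nothing about the other cost Timo raises, system address space consumed by the second mapping, which is a resource-accounting question rather than a correctness one.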
