Author: tfaber
Date: Sun Sep 25 13:46:18 2016
New Revision: 72800

URL: http://svn.reactos.org/svn/reactos?rev=72800&view=rev
Log:
[NTOS:PO]
- Protect against invalid user mode pointers in NtPowerInformation

Modified:
    trunk/reactos/ntoskrnl/po/power.c

Modified: trunk/reactos/ntoskrnl/po/power.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/po/power.c?rev=72800&r1=72799&r2=72800&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/po/power.c   [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/po/power.c   [iso-8859-1] Sun Sep 25 13:46:18 2016
@@ -657,6 +657,7 @@
                    IN ULONG OutputBufferLength)
 {
     NTSTATUS Status;
+    KPROCESSOR_MODE PreviousMode = KeGetPreviousMode();
 
     PAGED_CODE();
 
@@ -666,6 +667,20 @@
            InputBuffer, InputBufferLength,
            OutputBuffer, OutputBufferLength);
 
+    if (PreviousMode != KernelMode)
+    {
+        _SEH2_TRY
+        {
+            ProbeForRead(InputBuffer, InputBufferLength, 1);
+            ProbeForWrite(OutputBuffer, OutputBufferLength, sizeof(ULONG));
+        }
+        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+        {
+            _SEH2_YIELD(return _SEH2_GetExceptionCode());
+        }
+        _SEH2_END;
+    }
+
     switch (PowerInformationLevel)
     {
         case SystemBatteryState:
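Review bot: The probe uses a fixed alignment of `sizeof(ULONG)` for every PowerInformationLevel, so it only guarantees 4-byte alignment of OutputBuffer; that appears to match the three structures written further down in this patch, but any level whose output structure carries a 64-bit member would need a matching alignment argument (or a per-case probe) to get STATUS_DATATYPE_MISALIGNMENT at probe time rather than a fault later. It is also worth recording why the per-case SEH blocks below remain necessary, since a reader may assume the probe alone makes the pointers safe: user mode can unmap or re-protect the range after ProbeForRead/ProbeForWrite return. Suggested comment above `if (PreviousMode != KernelMode)`: `/* Validate the user ranges once up front; this does not pin them, so every later access to InputBuffer/OutputBuffer still runs under SEH */`. NtPowerInformation's signature and the rest of its body lie outside this hunk.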
@@ -677,11 +692,20 @@
             if (OutputBufferLength < sizeof(SYSTEM_BATTERY_STATE))
                 return STATUS_BUFFER_TOO_SMALL;
 
-            /* Just zero the struct (and thus set BatteryState->BatteryPresent 
= FALSE) */
-            RtlZeroMemory(BatteryState, sizeof(SYSTEM_BATTERY_STATE));
-            BatteryState->EstimatedTime = MAXULONG;
-
-            Status = STATUS_SUCCESS;
+            _SEH2_TRY
+            {
+                /* Just zero the struct (and thus set 
BatteryState->BatteryPresent = FALSE) */
+                RtlZeroMemory(BatteryState, sizeof(SYSTEM_BATTERY_STATE));
+                BatteryState->EstimatedTime = MAXULONG;
+
+                Status = STATUS_SUCCESS;
+            }
+            _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+            {
+                Status = _SEH2_GetExceptionCode();
+            }
+            _SEH2_END;
+
             break;
         }
 
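Review bot: The user buffer is written twice inside the SEH block (the RtlZeroMemory and then the EstimatedTime store), so a fault between them leaves a half-written caller buffer while the same error status is returned; building the result in a kernel-side local and copying it out with a single bounded RtlCopyMemory makes the user-visible write atomic with respect to faults and keeps only the copy under SEH. The same skeleton is repeated for the other two levels in this patch, so a small static helper that copies a kernel struct to the probed buffer under SEH would remove the duplication. The case label and the declaration of BatteryState are outside this hunk; the local below would need to be declared at the top of that case block.
```c
            /* Fill a kernel copy first so the user buffer sees exactly one bounded write */
            RtlZeroMemory(&LocalState, sizeof(LocalState));
            LocalState.EstimatedTime = MAXULONG;
            _SEH2_TRY
            {
                RtlCopyMemory(BatteryState, &LocalState, sizeof(LocalState));
                Status = STATUS_SUCCESS;
            }
            /* … unchanged: _SEH2_EXCEPT handler returning the exception code … */
```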
@@ -694,11 +718,20 @@
             if (OutputBufferLength < sizeof(SYSTEM_POWER_CAPABILITIES))
                 return STATUS_BUFFER_TOO_SMALL;
 
-            /* Just zero the struct (and thus set BatteryState->BatteryPresent 
= FALSE) */
-            RtlZeroMemory(PowerCapabilities, 
sizeof(SYSTEM_POWER_CAPABILITIES));
-            //PowerCapabilities->SystemBatteriesPresent = 0;
-
-            Status = STATUS_SUCCESS;
+            _SEH2_TRY
+            {
+                /* Just zero the struct (and thus set 
PowerCapabilities->SystemBatteriesPresent = FALSE) */
+                RtlZeroMemory(PowerCapabilities, 
sizeof(SYSTEM_POWER_CAPABILITIES));
+                //PowerCapabilities->SystemBatteriesPresent = 0;
+
+                Status = STATUS_SUCCESS;
+            }
+            _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+            {
+                Status = _SEH2_GetExceptionCode();
+            }
+            _SEH2_END;
+
             break;
         }
 
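Review bot: The commented-out `//PowerCapabilities->SystemBatteriesPresent = 0;` is carried into the new SEH block unchanged; it is dead code and the comment line directly above already states that RtlZeroMemory clears SystemBatteriesPresent, so the line should be dropped rather than preserved. Zeroing SYSTEM_POWER_CAPABILITIES also reports every capability as absent (no sleep states, no batteries), which is presumably the intended stub behaviour but is not stated; a one-line comment such as `/* Stub: report no power capabilities at all */` above the `_SEH2_TRY` would make that explicit. The case label and the declaration of PowerCapabilities are outside this hunk.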
@@ -711,14 +744,23 @@
             if (OutputBufferLength < sizeof(PROCESSOR_POWER_INFORMATION))
                 return STATUS_BUFFER_TOO_SMALL;
 
-            PowerInformation->Number = 0;
-            PowerInformation->MaxMhz = 1000;
-            PowerInformation->CurrentMhz = 1000;
-            PowerInformation->MhzLimit = 1000;
-            PowerInformation->MaxIdleState = 0;
-            PowerInformation->CurrentIdleState = 0;
-
-            Status = STATUS_SUCCESS;
+            _SEH2_TRY
+            {
+                PowerInformation->Number = 0;
+                PowerInformation->MaxMhz = 1000;
+                PowerInformation->CurrentMhz = 1000;
+                PowerInformation->MhzLimit = 1000;
+                PowerInformation->MaxIdleState = 0;
+                PowerInformation->CurrentIdleState = 0;
+
+                Status = STATUS_SUCCESS;
+            }
+            _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+            {
+                Status = _SEH2_GetExceptionCode();
+            }
+            _SEH2_END;
+
             break;
         }
 
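Review bot: The values stored here are fixed placeholders (`Number = 0`, every frequency 1000 MHz, idle states 0), but nothing in the new code says so, and wrapping them in SEH makes them read like real per-processor data being copied out. Suggested comment above the `_SEH2_TRY`: `/* Stub: reports a single logical processor at a fixed 1000 MHz with no idle states; no real CPU data is queried */`. If this level is meant to follow the documented contract of returning one PROCESSOR_POWER_INFORMATION per processor, only one entry being filled regardless of OutputBufferLength is a known gap worth noting in that comment as well. The case label and the declaration of PowerInformation are outside this hunk.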

