[ros-diffs] [sir_richard] 48194: [NTOS]: Allocate the PEB at a pseudo-random address just like Windows XP SP2 and later, to prevent certain kinds of exploits. [NTOS]: Allocate PEB and TEB using VADs! The user-mode fault handler seems to work fine, and I could find no regressions. This is the beginning of the end for MAREAs for VM allocations (they will remain for sections).
sir_richard at svn.reactos.org
sir_richard at svn.reactos.org
Thu Jul 22 19:08:46 UTC 2010
Author: sir_richard
Date: Thu Jul 22 19:08:45 2010
New Revision: 48194
URL: http://svn.reactos.org/svn/reactos?rev=48194&view=rev
Log:
[NTOS]: Allocate the PEB at a pseudo-random address just like Windows XP SP2 and later, to prevent certain kinds of exploits.
[NTOS]: Allocate PEB and TEB using VADs! The user-mode fault handler seems to work fine, and I could find no regressions. This is the beginning of the end for MAREAs for VM allocations (they will remain for sections).
Modified:
trunk/reactos/ntoskrnl/mm/ARM3/procsup.c
trunk/reactos/ntoskrnl/mm/procsup.c
Modified: trunk/reactos/ntoskrnl/mm/ARM3/procsup.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/mm/ARM3/procsup.c?rev=48194&r1=48193&r2=48194&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/mm/ARM3/procsup.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/mm/ARM3/procsup.c [iso-8859-1] Thu Jul 22 19:08:45 2010
@@ -17,11 +17,6 @@
#include "../ARM3/miarm.h"
extern MM_SYSTEMSIZE MmSystemSize;
-
-PVOID
-NTAPI
-MiCreatePebOrTeb(PEPROCESS Process,
- PVOID BaseAddress);
/* PRIVATE FUNCTIONS **********************************************************/
@@ -46,6 +41,116 @@
0,
BoundaryAddressMultiple);
ASSERT(NT_SUCCESS(Status));
+}
+
+NTSTATUS
+NTAPI
+MiCreatePebOrTeb(IN PEPROCESS Process,
+ IN ULONG Size,
+ OUT PULONG_PTR Base)
+{
+ PETHREAD Thread = PsGetCurrentThread();
+ PMMVAD_LONG Vad;
+ NTSTATUS Status;
+ ULONG RandomCoeff;
+ ULONG_PTR StartAddress, EndAddress;
+ LARGE_INTEGER CurrentTime;
+
+ /* Allocate a VAD */
+ Vad = ExAllocatePoolWithTag(NonPagedPool, sizeof(MMVAD_LONG), 'ldaV');
+ if (!Vad) return STATUS_NO_MEMORY;
+
+ /* Setup the primary flags with the size, and make it commited, private, RW */
+ Vad->u.LongFlags = 0;
+ Vad->u.VadFlags.CommitCharge = BYTES_TO_PAGES(Size);
+ Vad->u.VadFlags.MemCommit = TRUE;
+ Vad->u.VadFlags.PrivateMemory = TRUE;
+ Vad->u.VadFlags.Protection = MM_READWRITE;
+ Vad->u.VadFlags.NoChange = TRUE;
+
+ /* Setup the secondary flags to make it a secured, writable, long VAD */
+ Vad->u2.LongFlags2 = 0;
+ Vad->u2.VadFlags2.OneSecured = TRUE;
+ Vad->u2.VadFlags2.LongVad = TRUE;
+ Vad->u2.VadFlags2.ReadOnly = FALSE;
+
+ /* Lock the process address space */
+ KeAcquireGuardedMutex(&Process->AddressCreationLock);
+
+ /* Check if this is a PEB creation */
+ if (Size == sizeof(PEB))
+ {
+ /* Start at the highest valid address */
+ StartAddress = (ULONG_PTR)MM_HIGHEST_VAD_ADDRESS + 1;
+
+ /* Select the random coefficient */
+ KeQueryTickCount(&CurrentTime);
+ CurrentTime.LowPart &= ((64 * _1KB) >> PAGE_SHIFT) - 1;
+ if (CurrentTime.LowPart <= 1) CurrentTime.LowPart = 2;
+ RandomCoeff = CurrentTime.LowPart << PAGE_SHIFT;
+
+ /* Select the highest valid address minus the random coefficient */
+ StartAddress -= RandomCoeff;
+ EndAddress = StartAddress + ROUND_TO_PAGES(Size) - 1;
+
+ /* See if this VA range can be obtained */
+ if (!MiCheckForConflictingNode(StartAddress >> PAGE_SHIFT,
+ EndAddress >> PAGE_SHIFT,
+ &Process->VadRoot))
+ {
+ /* No conflict, use this address */
+ *Base = StartAddress;
+ goto AfterFound;
+ }
+ }
+
+ /* For TEBs, or if a PEB location couldn't be found, scan the VAD root */
+ Status = MiFindEmptyAddressRangeDownTree(ROUND_TO_PAGES(Size),
+ (ULONG_PTR)MM_HIGHEST_VAD_ADDRESS + 1,
+ PAGE_SIZE,
+ &Process->VadRoot,
+ Base);
+ ASSERT(NT_SUCCESS(Status));
+
+AfterFound:
+ /* Validate that it came from the VAD ranges */
+ ASSERT(*Base >= (ULONG_PTR)MI_LOWEST_VAD_ADDRESS);
+
+ /* Build the rest of the VAD now */
+ Vad->StartingVpn = (*Base) >> PAGE_SHIFT;
+ Vad->EndingVpn = ((*Base) + Size - 1) >> PAGE_SHIFT;
+ Vad->u3.Secured.StartVpn = *Base;
+ Vad->u3.Secured.EndVpn = (Vad->EndingVpn << PAGE_SHIFT) | (PAGE_SIZE - 1);
+
+ /* FIXME: Should setup VAD bitmap */
+ Status = STATUS_SUCCESS;
+
+ /* Pretend as if we own the working set */
+ MiLockProcessWorkingSet(Process, Thread);
+
+ /* Insert the VAD */
+ ASSERT(Vad->EndingVpn >= Vad->StartingVpn);
+ Process->VadRoot.NodeHint = Vad;
+ MiInsertNode((PVOID)Vad, &Process->VadRoot);
+
+ /* Release the working set */
+ MiUnlockProcessWorkingSet(Process, Thread);
+
+ /* Release the address space lock */
+ KeReleaseGuardedMutex(&Process->AddressCreationLock);
+
+ /* Return the status */
+ DPRINT("Allocated PEB/TEB at: 0x%p for %16s\n", *Base, Process->ImageFileName);
+ return Status;
+}
+
+VOID
+NTAPI
+MmDeleteTeb(IN PEPROCESS Process,
+ IN PTEB Teb)
+{
+ /* Oops J */
+ DPRINT("Leaking 4KB at thread exit, this will be fixed later\n");
}
VOID
@@ -415,9 +520,8 @@
//
// Allocate the PEB
//
- Peb = MiCreatePebOrTeb(Process,
- (PVOID)((ULONG_PTR)MM_HIGHEST_VAD_ADDRESS + 1));
- if (!Peb) return STATUS_INSUFFICIENT_RESOURCES;
+ Status = MiCreatePebOrTeb(Process, sizeof(PEB), (PULONG_PTR)&Peb);
+ ASSERT(NT_SUCCESS(Status));
//
// Map NLS Tables
@@ -651,9 +755,8 @@
//
// Allocate the TEB
//
- Teb = MiCreatePebOrTeb(Process,
- (PVOID)((ULONG_PTR)MM_HIGHEST_VAD_ADDRESS + 1));
- if (!Teb) return STATUS_INSUFFICIENT_RESOURCES;
+ Status = MiCreatePebOrTeb(Process, sizeof(TEB), (PULONG_PTR)&Teb);
+ ASSERT(NT_SUCCESS(Status));
//
// Use SEH in case we can't load the TEB
Modified: trunk/reactos/ntoskrnl/mm/procsup.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/mm/procsup.c?rev=48194&r1=48193&r2=48194&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/mm/procsup.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/mm/procsup.c [iso-8859-1] Thu Jul 22 19:08:45 2010
@@ -17,80 +17,6 @@
/* FUNCTIONS *****************************************************************/
-PVOID
-NTAPI
-MiCreatePebOrTeb(PEPROCESS Process,
- PVOID BaseAddress)
-{
- NTSTATUS Status;
- PMMSUPPORT ProcessAddressSpace = &Process->Vm;
- PMEMORY_AREA MemoryArea;
- PHYSICAL_ADDRESS BoundaryAddressMultiple;
- PVOID AllocatedBase = BaseAddress;
- BoundaryAddressMultiple.QuadPart = 0;
-
- /* Acquire the Lock */
- MmLockAddressSpace(ProcessAddressSpace);
-
- /*
- * Create a Peb or Teb.
- * Loop until it works, decreasing by PAGE_SIZE each time. The logic here
- * is that a PEB allocation should never fail since the address is free,
- * while TEB allocation can fail, and we should simply try the address
- * below. Is there a nicer way of doing this automagically? (ie: findning)
- * a gap region? -- Alex
- */
- do {
- DPRINT("Trying to allocate: %x\n", AllocatedBase);
- Status = MmCreateMemoryArea(ProcessAddressSpace,
- MEMORY_AREA_PEB_OR_TEB,
- &AllocatedBase,
- PAGE_SIZE,
- PAGE_READWRITE,
- &MemoryArea,
- TRUE,
- 0,
- BoundaryAddressMultiple);
- AllocatedBase = RVA(AllocatedBase, -PAGE_SIZE);
- } while (Status != STATUS_SUCCESS);
-
- /* Initialize the Region */
- MmInitializeRegion(&MemoryArea->Data.VirtualMemoryData.RegionListHead,
- PAGE_SIZE,
- MEM_COMMIT,
- PAGE_READWRITE);
-
- /* Reserve the pages */
- MmReserveSwapPages(PAGE_SIZE);
-
- /* Unlock Address Space */
- DPRINT("Returning\n");
- MmUnlockAddressSpace(ProcessAddressSpace);
- return RVA(AllocatedBase, PAGE_SIZE);
-}
-
-VOID
-NTAPI
-MmDeleteTeb(PEPROCESS Process,
- PTEB Teb)
-{
- PMMSUPPORT ProcessAddressSpace = &Process->Vm;
- PMEMORY_AREA MemoryArea;
-
- /* Lock the Address Space */
- MmLockAddressSpace(ProcessAddressSpace);
-
- MemoryArea = MmLocateMemoryAreaByAddress(ProcessAddressSpace, (PVOID)Teb);
- if (MemoryArea)
- {
- /* Delete the Teb */
- MmFreeVirtualMemory(Process, MemoryArea);
- }
-
- /* Unlock the Address Space */
- MmUnlockAddressSpace(ProcessAddressSpace);
-}
-
NTSTATUS
NTAPI
MmInitializeHandBuiltProcess2(IN PEPROCESS Process)
More information about the Ros-diffs
mailing list