https://git.reactos.org/?p=reactos.git;a=commitdiff;h=34ccecbce889ec2d8ce659e6fcdf9719775fd960

commit 34ccecbce889ec2d8ce659e6fcdf9719775fd960
Author: Thomas Faber <[email protected]>
AuthorDate: Fri Dec 8 14:41:41 2017 +0100

    [NTOS:KD] Protect against invalid user arguments in KdpPrintString. 
CORE-14057
---
 ntoskrnl/include/internal/kd.h |  4 ++--
 ntoskrnl/kd/kdio.c             | 28 ++++++++++++++++++++++++++--
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/ntoskrnl/include/internal/kd.h b/ntoskrnl/include/internal/kd.h
index 9bb744319a..05179ea6d3 100644
--- a/ntoskrnl/include/internal/kd.h
+++ b/ntoskrnl/include/internal/kd.h
@@ -193,8 +193,8 @@ KdpCallGdb(
 ULONG
 NTAPI
 KdpPrintString(
-    LPSTR String,
-    ULONG Length);
+    _In_reads_bytes_(Length) PCHAR UnsafeString,
+    _In_ ULONG Length);
 
 ULONG
 NTAPI
diff --git a/ntoskrnl/kd/kdio.c b/ntoskrnl/kd/kdio.c
index 8dc3366f03..3fedfd7ca5 100644
--- a/ntoskrnl/kd/kdio.c
+++ b/ntoskrnl/kd/kdio.c
@@ -567,14 +567,38 @@ KdpScreenInit(PKD_DISPATCH_TABLE DispatchTable,
 
 ULONG
 NTAPI
-KdpPrintString(LPSTR String,
-               ULONG Length)
+KdpPrintString(
+    _In_reads_bytes_(Length) PCHAR UnsafeString,
+    _In_ ULONG Length)
 {
     PLIST_ENTRY CurrentEntry;
     PKD_DISPATCH_TABLE CurrentTable;
+    PCHAR String;
 
     if (!KdpDebugMode.Value) return 0;
 
+    Length = min(Length, 512);
+
+    if (ExGetPreviousMode() != KernelMode)
+    {
+        _SEH2_TRY
+        {
+            ProbeForRead(UnsafeString, Length, 1);
+            String = _alloca(Length + 1);
+            RtlCopyMemory(String, UnsafeString, Length);
+            String[Length] = ANSI_NULL;
+        }
+        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+        {
+            return 0;
+        }
+        _SEH2_END;
+    }
+    else
+    {
+        String = UnsafeString;
+    }
+
     /* Call the registered handlers */
     CurrentEntry = KdProviders.Flink;
     while (CurrentEntry != &KdProviders)
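Review bot: `String = _alloca(Length + 1);` inside the `_SEH2_TRY` block allocates a buffer whose size is already bounded to 513 bytes by `Length = min(Length, 512);` a few lines above, so a fixed local `CHAR Buffer[512 + 1];` declared with the other locals and `String = Buffer;` before the copy does the same job without `_alloca`. That also removes any dependence on how the PSEH implementation executes the try body: if the body runs in a separate frame on some build, stack memory obtained inside it would not be valid after `_SEH2_END`, which is worth confirming for the GCC configuration. The 512 cap is a bare magic number; naming it (e.g. `#define KDP_PRINT_MAX_LENGTH 512`, constructed name) near the function would document the intent. Note too that the kernel-mode branch assigns `String = UnsafeString;` with no NUL terminator while the user-mode copy is terminated; presumably the registered handlers consume `Length` rather than `strlen`, but the asymmetry deserves a comment. The handler loop over `KdProviders` continues past the end of the hunk.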
