https://git.reactos.org/?p=reactos.git;a=commitdiff;h=5e891f727f5bb07cf93fb96959168c75865c3bda
commit 5e891f727f5bb07cf93fb96959168c75865c3bda
Author: Thomas Faber <thomas.fa...@reactos.org>
AuthorDate: Tue Jan 28 19:52:55 2020 +0100
Commit: Thomas Faber <thomas.fa...@reactos.org>
CommitDate: Sat Feb 15 20:43:26 2020 +0100
[NTOS:WMI] WMIP_GUID_OBJECT must start with an event object, as it is waitable.
The initializer for WmipGuidObjectType does not set UseDefaultObject, and it's possible for user mode to obtain a handle to a GUID object with SYNCHRONIZE access. Therefore that handle can be passed to NtWaitForSingleObject, which means it must start with a DISPATCHER_HEADER.
---
 ntoskrnl/wmi/guidobj.c | 1 +
 ntoskrnl/wmi/wmip.h | 1 +
 2 files changed, 2 insertions(+)
diff --git a/ntoskrnl/wmi/guidobj.c b/ntoskrnl/wmi/guidobj.c
index 1a13d36a03c..48b8481fd9a 100644
--- a/ntoskrnl/wmi/guidobj.c
+++ b/ntoskrnl/wmi/guidobj.c
@@ -204,6 +204,7 @@ WmipCreateGuidObject(
 }
 RtlZeroMemory(GuidObject, sizeof(*GuidObject));
+ KeInitializeEvent(&GuidObject->Event, NotificationEvent, FALSE);
 GuidObject->Guid = *Guid;
 *OutGuidObject = GuidObject;
diff --git a/ntoskrnl/wmi/wmip.h b/ntoskrnl/wmi/wmip.h
index 69ecf7d0572..f45cba01139 100644
--- a/ntoskrnl/wmi/wmip.h
+++ b/ntoskrnl/wmi/wmip.h
@@ -12,6 +12,7 @@ typedef struct _WMIP_IRP_CONTEXT
 typedef struct _WMIP_GUID_OBJECT
 {
+ KEVENT Event;
 GUID Guid;
 PIRP Irp;
 LIST_ENTRY IrpLink;
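Review bot: The event is initialized non-signaled and nothing in this hunk signals it, so a user-mode caller that waits on a SYNCHRONIZE handle to the GUID object now blocks correctly instead of treating the GUID bytes as a DISPATCHER_HEADER, but how (or whether) the wait ever completes is not visible here; presumably another path in guidobj.c sets the event, which should be confirmed and named at the initialization site. A why-comment above the new line would save the next reader from re-deriving the commit message, e.g. `/* Must be a real dispatcher object: user mode can wait on this handle (SYNCHRONIZE). */`. Note that the wait-safety of this object now also depends on the member order in wmip.h, which the initialization call does not check. WmipCreateGuidObject begins before the hunk and its failure paths are outside it, so it is not visible whether the object can be published to user mode before this line runs.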
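Review bot: The new `KEVENT Event;` member carries a silent layout invariant: if anyone later inserts a field before it, a user-mode wait on the object reads that field as a DISPATCHER_HEADER again, and the compiler will not complain. The invariant should be stated on the member, `KEVENT Event; /* Must be first: the object is waitable from user mode (SYNCHRONIZE) and is dispatched as a DISPATCHER_HEADER */`, and pinned with `C_ASSERT(FIELD_OFFSET(WMIP_GUID_OBJECT, Event) == 0);` after the typedef so the build fails rather than the wait path. The struct definition continues past the hunk, so the closing typedef name is not visible here.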