* [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak.
@ 2020-04-24 23:43 Shawn Hoffman
2020-04-24 23:43 ` [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion Shawn Hoffman
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Shawn Hoffman @ 2020-04-24 23:43 UTC (permalink / raw)
To: wireguard; +Cc: Shawn Hoffman
TunDispatchSecurityDescriptor will leak if the second
RtlAbsoluteToSelfRelativeSD call fails. In practice this cannot happen, but
that is not evident from the wintun code.
Signed-off-by: Shawn Hoffman <godisgovernment@gmail.com>
---
wintun.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/wintun.c b/wintun.c
index 624de2f..90e7930 100644
--- a/wintun.c
+++ b/wintun.c
@@ -820,6 +820,14 @@ static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
return STATUS_SUCCESS;
}
+static VOID TunFreeDispatchSecurityDescriptor(VOID)
+{
+ if (!TunDispatchSecurityDescriptor)
+ return;
+ ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
+ TunDispatchSecurityDescriptor = NULL;
+}
+
_IRQL_requires_max_(PASSIVE_LEVEL)
static VOID
TunProcessNotification(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
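Review bot: TunFreeDispatchSecurityDescriptor is added with no header comment and no IRQL annotation, although the function that follows it in this hunk carries `_IRQL_requires_max_(PASSIVE_LEVEL)`. Both DriverEntry and TunUnload now depend on the NULL check and on the pointer being cleared after the free, since that is what makes a second call harmless. I would record that contract above the definition, for example `/* Frees TunDispatchSecurityDescriptor if it was allocated and clears the pointer, so a repeated call is a no-op. */`. An IRQL annotation matching its two callers would also let static analysis check any call site added later.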
@@ -1387,7 +1395,7 @@ TunUnload(PDRIVER_OBJECT DriverObject)
NdisMDeregisterMiniportDriver(NdisMiniportDriverHandle);
ExDeleteResourceLite(&TunDispatchCtxGuard);
ExDeleteResourceLite(&TunDispatchDeviceListLock);
- ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
+ TunFreeDispatchSecurityDescriptor();
}
DRIVER_INITIALIZE DriverEntry;
@@ -1398,7 +1406,7 @@ DriverEntry(DRIVER_OBJECT *DriverObject, UNICODE_STRING *RegistryPath)
NTSTATUS Status;
if (!NT_SUCCESS(Status = TunInitializeDispatchSecurityDescriptor()))
- return Status;
+ goto cleanupSD;
NdisVersion = NdisGetVersion();
if (NdisVersion < NDIS_MINIPORT_VERSION_MIN)
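Review bot: The `goto cleanupSD` taken when TunInitializeDispatchSecurityDescriptor() fails makes DriverEntry responsible for undoing an allocation made inside the callee, and the matching `cleanupSD:` label is added in the next hunk. This is safe only because the helper tolerates a NULL pointer on failure paths that return before anything is allocated, and the initializer's body is outside this hunk, so those paths cannot be confirmed from here. Releasing the buffer at the failing call inside the initializer, with `ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);` followed by `TunDispatchSecurityDescriptor = NULL;`, would stop the global from ever pointing at a descriptor that was not fully built. It would also let this line remain `return Status;`. DriverEntry's body starts and ends outside the hunk.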
@@ -1461,6 +1469,7 @@ cleanupNotifier:
cleanupResources:
ExDeleteResourceLite(&TunDispatchCtxGuard);
ExDeleteResourceLite(&TunDispatchDeviceListLock);
- ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
+cleanupSD:
+ TunFreeDispatchSecurityDescriptor();
return Status;
}
--
2.26.2.windows.1
* [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion
2020-04-24 23:43 [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak Shawn Hoffman
@ 2020-04-24 23:43 ` Shawn Hoffman
2020-04-26 3:52 ` Shawn Hoffman
2020-04-24 23:43 ` [PATCH 3/3] use RtlSubAuthoritySid instead of directly poking SID Shawn Hoffman
2020-10-30 16:05 ` [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak Jason A. Donenfeld
2 siblings, 1 reply; 8+ messages in thread
From: Shawn Hoffman @ 2020-04-24 23:43 UTC (permalink / raw)
To: wireguard; +Cc: Shawn Hoffman
Signed-off-by: Shawn Hoffman <godisgovernment@gmail.com>
---
wintun.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/wintun.c b/wintun.c
index 90e7930..00ac378 100644
--- a/wintun.c
+++ b/wintun.c
@@ -884,15 +884,13 @@ TunDispatchDeviceControl(DEVICE_OBJECT *DeviceObject, IRP *Irp)
switch (Stack->Parameters.DeviceIoControl.IoControlCode)
{
case TUN_IOCTL_REGISTER_RINGS: {
- KeEnterCriticalRegion();
- ExAcquireResourceSharedLite(&TunDispatchCtxGuard, TRUE);
+ ExEnterCriticalRegionAndAcquireResourceExclusive(&TunDispatchCtxGuard);
#pragma warning(suppress : 28175)
TUN_CTX *Ctx = DeviceObject->Reserved;
Status = NDIS_STATUS_ADAPTER_NOT_READY;
if (Ctx)
Status = TunRegisterBuffers(Ctx, Irp);
- ExReleaseResourceLite(&TunDispatchCtxGuard);
- KeLeaveCriticalRegion();
+ ExReleaseResourceAndLeaveCriticalRegion(&TunDispatchCtxGuard);
break;
}
case TUN_IOCTL_FORCE_CLOSE_HANDLES:
@@ -913,14 +911,12 @@ _Use_decl_annotations_
static NTSTATUS
TunDispatchClose(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
- KeEnterCriticalRegion();
- ExAcquireResourceSharedLite(&TunDispatchCtxGuard, TRUE);
+ ExEnterCriticalRegionAndAcquireResourceExclusive(&TunDispatchCtxGuard);
#pragma warning(suppress : 28175)
TUN_CTX *Ctx = DeviceObject->Reserved;
if (Ctx)
TunUnregisterBuffers(Ctx, IoGetCurrentIrpStackLocation(Irp)->FileObject);
- ExReleaseResourceLite(&TunDispatchCtxGuard);
- KeLeaveCriticalRegion();
+ ExReleaseResourceAndLeaveCriticalRegion(&TunDispatchCtxGuard);
return NdisDispatchClose(DeviceObject, Irp);
}
--
2.26.2.windows.1
* [PATCH 3/3] use RtlSubAuthoritySid instead of directly poking SID
2020-04-24 23:43 [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak Shawn Hoffman
2020-04-24 23:43 ` [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion Shawn Hoffman
@ 2020-04-24 23:43 ` Shawn Hoffman
2020-10-30 15:59 ` Jason A. Donenfeld
2020-10-30 16:05 ` [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak Jason A. Donenfeld
2 siblings, 1 reply; 8+ messages in thread
From: Shawn Hoffman @ 2020-04-24 23:43 UTC (permalink / raw)
To: wireguard; +Cc: Shawn Hoffman
Signed-off-by: Shawn Hoffman <godisgovernment@gmail.com>
---
wintun.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wintun.c b/wintun.c
index 00ac378..a6a0e16 100644
--- a/wintun.c
+++ b/wintun.c
@@ -788,7 +788,7 @@ static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
SID LocalSystem = { 0 };
if (!NT_SUCCESS(Status = RtlInitializeSid(&LocalSystem, &NtAuthority, 1)))
return Status;
- LocalSystem.SubAuthority[0] = 18;
+ *RtlSubAuthoritySid(&LocalSystem, 0) = SECURITY_LOCAL_SYSTEM_RID;
struct
{
ACL Dacl;
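Review bot: The write through `*RtlSubAuthoritySid(&LocalSystem, 0)` stays in bounds only because `LocalSystem` is a plain stack `SID`, whose SubAuthority array has a single element, and because the count passed to RtlInitializeSid is 1. As far as I know the routine does not validate the index itself. A short comment on the declaration, such as `/* A bare SID holds exactly one sub-authority; index 0 is the only valid slot. */`, would make that constraint visible to anyone who later raises the count. The same hunk is reposted further down the page in the message dated 2020-04-24 18:59, and the remark applies there too. TunInitializeDispatchSecurityDescriptor continues outside the hunk.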
--
2.26.2.windows.1
* Re: [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion
2020-04-24 23:43 ` [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion Shawn Hoffman
@ 2020-04-26 3:52 ` Shawn Hoffman
2020-10-30 16:05 ` Jason A. Donenfeld
0 siblings, 1 reply; 8+ messages in thread
From: Shawn Hoffman @ 2020-04-26 3:52 UTC (permalink / raw)
To: wireguard
Looking back over this, the enter+acquire of the existing code is
shared here, so replacing with exclusive will change behavior.
For now, please ignore this patch.
On Fri, Apr 24, 2020 at 4:44 PM Shawn Hoffman <godisgovernment@gmail.com> wrote:
>
> Signed-off-by: Shawn Hoffman <godisgovernment@gmail.com>
> ---
> wintun.c | 12 ++++--------
> 1 file changed, 4 insertions(+), 8 deletions(-)
>
> diff --git a/wintun.c b/wintun.c
> index 90e7930..00ac378 100644
> --- a/wintun.c
> +++ b/wintun.c
> @@ -884,15 +884,13 @@ TunDispatchDeviceControl(DEVICE_OBJECT *DeviceObject, IRP *Irp)
> switch (Stack->Parameters.DeviceIoControl.IoControlCode)
> {
> case TUN_IOCTL_REGISTER_RINGS: {
> - KeEnterCriticalRegion();
> - ExAcquireResourceSharedLite(&TunDispatchCtxGuard, TRUE);
> + ExEnterCriticalRegionAndAcquireResourceExclusive(&TunDispatchCtxGuard);
> #pragma warning(suppress : 28175)
> TUN_CTX *Ctx = DeviceObject->Reserved;
> Status = NDIS_STATUS_ADAPTER_NOT_READY;
> if (Ctx)
> Status = TunRegisterBuffers(Ctx, Irp);
> - ExReleaseResourceLite(&TunDispatchCtxGuard);
> - KeLeaveCriticalRegion();
> + ExReleaseResourceAndLeaveCriticalRegion(&TunDispatchCtxGuard);
> break;
> }
> case TUN_IOCTL_FORCE_CLOSE_HANDLES:
> @@ -913,14 +911,12 @@ _Use_decl_annotations_
> static NTSTATUS
> TunDispatchClose(DEVICE_OBJECT *DeviceObject, IRP *Irp)
> {
> - KeEnterCriticalRegion();
> - ExAcquireResourceSharedLite(&TunDispatchCtxGuard, TRUE);
> + ExEnterCriticalRegionAndAcquireResourceExclusive(&TunDispatchCtxGuard);
> #pragma warning(suppress : 28175)
> TUN_CTX *Ctx = DeviceObject->Reserved;
> if (Ctx)
> TunUnregisterBuffers(Ctx, IoGetCurrentIrpStackLocation(Irp)->FileObject);
> - ExReleaseResourceLite(&TunDispatchCtxGuard);
> - KeLeaveCriticalRegion();
> + ExReleaseResourceAndLeaveCriticalRegion(&TunDispatchCtxGuard);
> return NdisDispatchClose(DeviceObject, Irp);
> }
>
> --
> 2.26.2.windows.1
>
* Re: [PATCH 3/3] use RtlSubAuthoritySid instead of directly poking SID
2020-04-24 23:43 ` [PATCH 3/3] use RtlSubAuthoritySid instead of directly poking SID Shawn Hoffman
@ 2020-10-30 15:59 ` Jason A. Donenfeld
0 siblings, 0 replies; 8+ messages in thread
From: Jason A. Donenfeld @ 2020-10-30 15:59 UTC (permalink / raw)
To: Shawn Hoffman; +Cc: WireGuard mailing list
Applied, thanks.
* Re: [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak.
2020-04-24 23:43 [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak Shawn Hoffman
2020-04-24 23:43 ` [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion Shawn Hoffman
2020-04-24 23:43 ` [PATCH 3/3] use RtlSubAuthoritySid instead of directly poking SID Shawn Hoffman
@ 2020-10-30 16:05 ` Jason A. Donenfeld
2 siblings, 0 replies; 8+ messages in thread
From: Jason A. Donenfeld @ 2020-10-30 16:05 UTC (permalink / raw)
To: Shawn Hoffman; +Cc: WireGuard mailing list
Thanks for the report. Fixed slightly differently here
https://git.zx2c4.com/wintun/commit/?id=b19c7abd417e62dbb08a8d3aa4db96ce9cfd0830
* Re: [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion
2020-04-26 3:52 ` Shawn Hoffman
@ 2020-10-30 16:05 ` Jason A. Donenfeld
0 siblings, 0 replies; 8+ messages in thread
From: Jason A. Donenfeld @ 2020-10-30 16:05 UTC (permalink / raw)
To: Shawn Hoffman; +Cc: WireGuard mailing list
Do you have a replacement for this or was it a botched idea?
* [PATCH 3/3] use RtlSubAuthoritySid instead of directly poking SID
2020-04-24 18:59 [PATCH 0/3] misc code cleanup Shawn Hoffman
@ 2020-04-24 18:59 ` Shawn Hoffman
0 siblings, 0 replies; 8+ messages in thread
From: Shawn Hoffman @ 2020-04-24 18:59 UTC (permalink / raw)
To: wireguard; +Cc: Shawn Hoffman
---
wintun.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wintun.c b/wintun.c
index 00ac378..a6a0e16 100644
--- a/wintun.c
+++ b/wintun.c
@@ -788,7 +788,7 @@ static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
SID LocalSystem = { 0 };
if (!NT_SUCCESS(Status = RtlInitializeSid(&LocalSystem, &NtAuthority, 1)))
return Status;
- LocalSystem.SubAuthority[0] = 18;
+ *RtlSubAuthoritySid(&LocalSystem, 0) = SECURITY_LOCAL_SYSTEM_RID;
struct
{
ACL Dacl;
--
2.25.0.windows.1