Development discussion of WireGuard
* [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak.
@ 2020-04-24 23:43 Shawn Hoffman
  2020-04-24 23:43 ` [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion Shawn Hoffman
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Shawn Hoffman @ 2020-04-24 23:43 UTC (permalink / raw)
  To: wireguard; +Cc: Shawn Hoffman

TunDispatchSecurityDescriptor will leak if the second
RtlAbsoluteToSelfRelativeSD call fails. In practice this can't happen, but
that is not clear from the wintun code.

Signed-off-by: Shawn Hoffman <godisgovernment@gmail.com>
---
 wintun.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/wintun.c b/wintun.c
index 624de2f..90e7930 100644
--- a/wintun.c
+++ b/wintun.c
@@ -820,6 +820,14 @@ static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
     return STATUS_SUCCESS;
 }
 
+static VOID TunFreeDispatchSecurityDescriptor(VOID)
+{
+    if (!TunDispatchSecurityDescriptor)
+        return;
+    ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
+    TunDispatchSecurityDescriptor = NULL;
+}
+
 _IRQL_requires_max_(PASSIVE_LEVEL)
 static VOID
 TunProcessNotification(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
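Review bot: TunFreeDispatchSecurityDescriptor is added without a comment or an IRQL annotation, while TunProcessNotification directly below it carries `_IRQL_requires_max_(PASSIVE_LEVEL)`. The NULL check and the reset to NULL are what make it safe to call from both the DriverEntry failure path and TunUnload, and that contract deserves a line such as `/* Frees the dispatch security descriptor if one was allocated and clears the pointer; safe to call more than once. */`. Both callers in this patch are routines that run at PASSIVE_LEVEL, so annotating the helper with `_IRQL_requires_max_(PASSIVE_LEVEL)` would presumably match and would let static analysis check any future call site.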
@@ -1387,7 +1395,7 @@ TunUnload(PDRIVER_OBJECT DriverObject)
     NdisMDeregisterMiniportDriver(NdisMiniportDriverHandle);
     ExDeleteResourceLite(&TunDispatchCtxGuard);
     ExDeleteResourceLite(&TunDispatchDeviceListLock);
-    ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
+    TunFreeDispatchSecurityDescriptor();
 }
 
 DRIVER_INITIALIZE DriverEntry;
@@ -1398,7 +1406,7 @@ DriverEntry(DRIVER_OBJECT *DriverObject, UNICODE_STRING *RegistryPath)
     NTSTATUS Status;
 
     if (!NT_SUCCESS(Status = TunInitializeDispatchSecurityDescriptor()))
-        return Status;
+        goto cleanupSD;
 
     NdisVersion = NdisGetVersion();
     if (NdisVersion < NDIS_MINIPORT_VERSION_MIN)
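Review bot: The `goto cleanupSD` puts the cleanup for a failed TunInitializeDispatchSecurityDescriptor in its caller, so the initializer can still return an error while the global points at a live pool allocation. Its body is outside this hunk, but per the commit message the failing call is the second RtlAbsoluteToSelfRelativeSD, which would be the natural place to release the buffer: `ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG); TunDispatchSecurityDescriptor = NULL;` before that `return Status;`. That keeps allocation and release in one function, and any other caller of the initializer would not need to know about the cleanup. DriverEntry itself starts and ends outside the hunk.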
@@ -1461,6 +1469,7 @@ cleanupNotifier:
 cleanupResources:
     ExDeleteResourceLite(&TunDispatchCtxGuard);
     ExDeleteResourceLite(&TunDispatchDeviceListLock);
-    ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
+cleanupSD:
+    TunFreeDispatchSecurityDescriptor();
     return Status;
 }
-- 
2.26.2.windows.1



* [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion
  2020-04-24 23:43 [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak Shawn Hoffman
@ 2020-04-24 23:43 ` Shawn Hoffman
  2020-04-26  3:52   ` Shawn Hoffman
  2020-04-24 23:43 ` [PATCH 3/3] use RtlSubAuthoritySid instead of directly poking SID Shawn Hoffman
  2020-10-30 16:05 ` [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak Jason A. Donenfeld
  2 siblings, 1 reply; 8+ messages in thread
From: Shawn Hoffman @ 2020-04-24 23:43 UTC (permalink / raw)
  To: wireguard; +Cc: Shawn Hoffman

Signed-off-by: Shawn Hoffman <godisgovernment@gmail.com>
---
 wintun.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/wintun.c b/wintun.c
index 90e7930..00ac378 100644
--- a/wintun.c
+++ b/wintun.c
@@ -884,15 +884,13 @@ TunDispatchDeviceControl(DEVICE_OBJECT *DeviceObject, IRP *Irp)
     switch (Stack->Parameters.DeviceIoControl.IoControlCode)
     {
     case TUN_IOCTL_REGISTER_RINGS: {
-        KeEnterCriticalRegion();
-        ExAcquireResourceSharedLite(&TunDispatchCtxGuard, TRUE);
+        ExEnterCriticalRegionAndAcquireResourceExclusive(&TunDispatchCtxGuard);
 #pragma warning(suppress : 28175)
         TUN_CTX *Ctx = DeviceObject->Reserved;
         Status = NDIS_STATUS_ADAPTER_NOT_READY;
         if (Ctx)
             Status = TunRegisterBuffers(Ctx, Irp);
-        ExReleaseResourceLite(&TunDispatchCtxGuard);
-        KeLeaveCriticalRegion();
+        ExReleaseResourceAndLeaveCriticalRegion(&TunDispatchCtxGuard);
         break;
     }
     case TUN_IOCTL_FORCE_CLOSE_HANDLES:
@@ -913,14 +911,12 @@ _Use_decl_annotations_
 static NTSTATUS
 TunDispatchClose(DEVICE_OBJECT *DeviceObject, IRP *Irp)
 {
-    KeEnterCriticalRegion();
-    ExAcquireResourceSharedLite(&TunDispatchCtxGuard, TRUE);
+    ExEnterCriticalRegionAndAcquireResourceExclusive(&TunDispatchCtxGuard);
 #pragma warning(suppress : 28175)
     TUN_CTX *Ctx = DeviceObject->Reserved;
     if (Ctx)
         TunUnregisterBuffers(Ctx, IoGetCurrentIrpStackLocation(Irp)->FileObject);
-    ExReleaseResourceLite(&TunDispatchCtxGuard);
-    KeLeaveCriticalRegion();
+    ExReleaseResourceAndLeaveCriticalRegion(&TunDispatchCtxGuard);
     return NdisDispatchClose(DeviceObject, Irp);
 }
 
-- 
2.26.2.windows.1



* [PATCH 3/3] use RtlSubAuthoritySid instead of directly poking SID
  2020-04-24 23:43 [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak Shawn Hoffman
  2020-04-24 23:43 ` [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion Shawn Hoffman
@ 2020-04-24 23:43 ` Shawn Hoffman
  2020-10-30 15:59   ` Jason A. Donenfeld
  2020-10-30 16:05 ` [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak Jason A. Donenfeld
  2 siblings, 1 reply; 8+ messages in thread
From: Shawn Hoffman @ 2020-04-24 23:43 UTC (permalink / raw)
  To: wireguard; +Cc: Shawn Hoffman

Signed-off-by: Shawn Hoffman <godisgovernment@gmail.com>
---
 wintun.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wintun.c b/wintun.c
index 00ac378..a6a0e16 100644
--- a/wintun.c
+++ b/wintun.c
@@ -788,7 +788,7 @@ static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
     SID LocalSystem = { 0 };
     if (!NT_SUCCESS(Status = RtlInitializeSid(&LocalSystem, &NtAuthority, 1)))
         return Status;
-    LocalSystem.SubAuthority[0] = 18;
+    *RtlSubAuthoritySid(&LocalSystem, 0) = SECURITY_LOCAL_SYSTEM_RID;
     struct
     {
         ACL Dacl;
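Review bot: `RtlSubAuthoritySid(&LocalSystem, 0)` writes into a stack `SID`, whose declared `SubAuthority` array holds a single element, and the routine presumably returns the slot address without checking the index against the subauthority count. Index 0 with the count of 1 passed to `RtlInitializeSid` above is in bounds, but nothing on these lines says so. A comment such as `/* The stack SID has room for exactly one subauthority; keep the count passed to RtlInitializeSid at 1. */` would keep a later edit from adding a second RID and writing past the structure that ends up in the dispatch ACL. TunInitializeDispatchSecurityDescriptor continues outside the hunk, and the same lines appear again in the earlier posting of this patch at the end of the thread.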
-- 
2.26.2.windows.1



* Re: [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion
  2020-04-24 23:43 ` [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion Shawn Hoffman
@ 2020-04-26  3:52   ` Shawn Hoffman
  2020-10-30 16:05     ` Jason A. Donenfeld
  0 siblings, 1 reply; 8+ messages in thread
From: Shawn Hoffman @ 2020-04-26  3:52 UTC (permalink / raw)
  To: wireguard

Looking back over this, the enter+acquire of the existing code is
shared here, so replacing with exclusive will change behavior.
For now, please ignore this patch.


On Fri, Apr 24, 2020 at 4:44 PM Shawn Hoffman <godisgovernment@gmail.com> wrote:
>
> Signed-off-by: Shawn Hoffman <godisgovernment@gmail.com>
> ---
>  wintun.c | 12 ++++--------
>  1 file changed, 4 insertions(+), 8 deletions(-)
>
> diff --git a/wintun.c b/wintun.c
> index 90e7930..00ac378 100644
> --- a/wintun.c
> +++ b/wintun.c
> @@ -884,15 +884,13 @@ TunDispatchDeviceControl(DEVICE_OBJECT *DeviceObject, IRP *Irp)
>      switch (Stack->Parameters.DeviceIoControl.IoControlCode)
>      {
>      case TUN_IOCTL_REGISTER_RINGS: {
> -        KeEnterCriticalRegion();
> -        ExAcquireResourceSharedLite(&TunDispatchCtxGuard, TRUE);
> +        ExEnterCriticalRegionAndAcquireResourceExclusive(&TunDispatchCtxGuard);
>  #pragma warning(suppress : 28175)
>          TUN_CTX *Ctx = DeviceObject->Reserved;
>          Status = NDIS_STATUS_ADAPTER_NOT_READY;
>          if (Ctx)
>              Status = TunRegisterBuffers(Ctx, Irp);
> -        ExReleaseResourceLite(&TunDispatchCtxGuard);
> -        KeLeaveCriticalRegion();
> +        ExReleaseResourceAndLeaveCriticalRegion(&TunDispatchCtxGuard);
>          break;
>      }
>      case TUN_IOCTL_FORCE_CLOSE_HANDLES:
> @@ -913,14 +911,12 @@ _Use_decl_annotations_
>  static NTSTATUS
>  TunDispatchClose(DEVICE_OBJECT *DeviceObject, IRP *Irp)
>  {
> -    KeEnterCriticalRegion();
> -    ExAcquireResourceSharedLite(&TunDispatchCtxGuard, TRUE);
> +    ExEnterCriticalRegionAndAcquireResourceExclusive(&TunDispatchCtxGuard);
>  #pragma warning(suppress : 28175)
>      TUN_CTX *Ctx = DeviceObject->Reserved;
>      if (Ctx)
>          TunUnregisterBuffers(Ctx, IoGetCurrentIrpStackLocation(Irp)->FileObject);
> -    ExReleaseResourceLite(&TunDispatchCtxGuard);
> -    KeLeaveCriticalRegion();
> +    ExReleaseResourceAndLeaveCriticalRegion(&TunDispatchCtxGuard);
>      return NdisDispatchClose(DeviceObject, Irp);
>  }
>
> --
> 2.26.2.windows.1
>


* Re: [PATCH 3/3] use RtlSubAuthoritySid instead of directly poking SID
  2020-04-24 23:43 ` [PATCH 3/3] use RtlSubAuthoritySid instead of directly poking SID Shawn Hoffman
@ 2020-10-30 15:59   ` Jason A. Donenfeld
  0 siblings, 0 replies; 8+ messages in thread
From: Jason A. Donenfeld @ 2020-10-30 15:59 UTC (permalink / raw)
  To: Shawn Hoffman; +Cc: WireGuard mailing list

Applied, thanks.


* Re: [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak.
  2020-04-24 23:43 [PATCH 1/3] fix possible TunDispatchSecurityDescriptor leak Shawn Hoffman
  2020-04-24 23:43 ` [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion Shawn Hoffman
  2020-04-24 23:43 ` [PATCH 3/3] use RtlSubAuthoritySid instead of directly poking SID Shawn Hoffman
@ 2020-10-30 16:05 ` Jason A. Donenfeld
  2 siblings, 0 replies; 8+ messages in thread
From: Jason A. Donenfeld @ 2020-10-30 16:05 UTC (permalink / raw)
  To: Shawn Hoffman; +Cc: WireGuard mailing list

Thanks for the report. Fixed slightly differently here
https://git.zx2c4.com/wintun/commit/?id=b19c7abd417e62dbb08a8d3aa4db96ce9cfd0830


* Re: [PATCH 2/3] use ExEnterCriticalRegionAndAcquireResourceExclusive and ExReleaseResourceAndLeaveCriticalRegion
  2020-04-26  3:52   ` Shawn Hoffman
@ 2020-10-30 16:05     ` Jason A. Donenfeld
  0 siblings, 0 replies; 8+ messages in thread
From: Jason A. Donenfeld @ 2020-10-30 16:05 UTC (permalink / raw)
  To: Shawn Hoffman; +Cc: WireGuard mailing list

Do you have a replacement for this or was it a botched idea?


* [PATCH 3/3] use RtlSubAuthoritySid instead of directly poking SID
  2020-04-24 18:59 [PATCH 0/3] misc code cleanup Shawn Hoffman
@ 2020-04-24 18:59 ` Shawn Hoffman
  0 siblings, 0 replies; 8+ messages in thread
From: Shawn Hoffman @ 2020-04-24 18:59 UTC (permalink / raw)
  To: wireguard; +Cc: Shawn Hoffman

---
 wintun.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wintun.c b/wintun.c
index 00ac378..a6a0e16 100644
--- a/wintun.c
+++ b/wintun.c
@@ -788,7 +788,7 @@ static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
     SID LocalSystem = { 0 };
     if (!NT_SUCCESS(Status = RtlInitializeSid(&LocalSystem, &NtAuthority, 1)))
         return Status;
-    LocalSystem.SubAuthority[0] = 18;
+    *RtlSubAuthoritySid(&LocalSystem, 0) = SECURITY_LOCAL_SYSTEM_RID;
     struct
     {
         ACL Dacl;
-- 
2.25.0.windows.1


