Details
Type: Bug
Resolution: Fixed
Priority: Major
Description
During the ReactOS install, FreeLoader reports two disks (as we can see from PcInitializeBootDevices -> PcBiosDiskCount).
DetectBiosDisks then fills the PCONFIGURATION_COMPONENT_DATA under LoaderBlock->ConfigurationRoot with information about each
detected disk, including the identifier. As we can see, for the second disk (the boot disk) the identifier is not filled in by
GetHarddiskInformation.
DetectBiosDisks calls GetHarddiskIdentifier(0x80 + i) for the second device as well, but disk 2 has no identifier.
When CmpInitializeHardwareConfiguration(KeLoaderBlock) is called, it builds the keys "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0" and "...\DiskPeripheral\1"
with information about the disks (including the identifier).
Now, if we attach a USB storage device, EnumerateBusKey searches the registry for the respective device.
Since no verification is made of the identifier length, RtlCompareString accesses out-of-bounds memory.
As can be seen, 'disk_new' has a check for an invalid identifier (DiskSaveBusDetectInfo, line 611).
To reproduce this, do the following steps:
1. Activate MM special pool
2. Start the bootcd installation
3. Attach a USB storage device to VBOX.
This patch does the following:
- Checks for an invalid identifier
- Prevents a possible memory leak
- Computes the correct size for the identifier Unicode string, since FldrSetIdentifier allocates space for the ANSI_NULL (IdentifierLength = strlen(IdentifierString) + 1)
The last problem also exists in 'disk_new'.
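The three points the patch list names, written out as an added, self-contained C illustration rather than ReactOS or patch code: a hypothetical DiskIdentifier struct stands in for the identifier fields of a detected-disk component (a narrow string plus a length that, as described above, counts the terminating NUL), IsValidIdentifier rejects a missing or zero-length identifier before anything compares it, IdentifierToUnicode sizes the Unicode copy from IdentifierLength - 1 instead of the NUL-inclusive length, and IdentifiersEqual checks both lengths before touching a byte. The struct, type names, MAX_ID_CHARS and the sample identifier string are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the identifier fields of a detected-disk
 * configuration component. Per the report, the length stored by
 * FldrSetIdentifier counts the terminating NUL:
 *   IdentifierLength = strlen(IdentifierString) + 1 */
typedef struct {
    const char *Identifier;        /* NULL when the disk has no identifier */
    uint32_t    IdentifierLength;  /* bytes, including the trailing NUL */
} DiskIdentifier;

/* Constructed UTF-16 string type (uint16_t avoids wchar_t size differences). */
#define MAX_ID_CHARS 64
typedef struct {
    uint16_t Length;               /* bytes in use, no terminator counted */
    uint16_t MaximumLength;        /* bytes available in Buffer */
    uint16_t Buffer[MAX_ID_CHARS];
} IdUnicodeString;

/* Fix 1: reject an identifier that is missing, empty, or whose stored
 * length does not actually end on a NUL. Returns 1 if usable, else 0. */
int IsValidIdentifier(const DiskIdentifier *id)
{
    if (id == NULL || id->Identifier == NULL || id->IdentifierLength == 0)
        return 0;
    /* the counted length includes the NUL, so the last counted byte is it */
    if (id->Identifier[id->IdentifierLength - 1] != '\0')
        return 0;
    /* and no embedded NUL may shorten the string before that */
    if (strlen(id->Identifier) != id->IdentifierLength - 1)
        return 0;
    return 1;
}

/* Fix 3: size the Unicode copy from the character count, which is
 * IdentifierLength - 1, not from the NUL-inclusive length.
 * Returns the number of characters stored, or 0 on invalid input/overflow. */
int IdentifierToUnicode(const DiskIdentifier *id, IdUnicodeString *out)
{
    if (!IsValidIdentifier(id))
        return 0;
    uint32_t chars = id->IdentifierLength - 1;
    if (chars > MAX_ID_CHARS)
        return 0;
    out->MaximumLength = (uint16_t)sizeof(out->Buffer);
    out->Length = (uint16_t)(chars * sizeof(uint16_t));
    for (uint32_t i = 0; i < chars; i++)
        out->Buffer[i] = (uint16_t)(unsigned char)id->Identifier[i];
    return (int)chars;
}

/* Bounded comparison: both identifiers are validated and their lengths
 * compared before any byte is read, so an absent identifier can never
 * drive a read past the end of a buffer. Returns 1 if equal. */
int IdentifiersEqual(const DiskIdentifier *a, const DiskIdentifier *b)
{
    if (!IsValidIdentifier(a) || !IsValidIdentifier(b))
        return 0;
    if (a->IdentifierLength != b->IdentifierLength)
        return 0;
    return memcmp(a->Identifier, b->Identifier, a->IdentifierLength - 1) == 0;
}

int main(void)
{
    /* constructed samples: a disk with an identifier and one without */
    DiskIdentifier disk0 = { "CONSTRUCTED-DISK-ID", 20 };
    DiskIdentifier disk1 = { NULL, 0 };
    IdUnicodeString u;

    printf("disk0 valid: %d, chars: %d, Length bytes: %u\n",
           IsValidIdentifier(&disk0), IdentifierToUnicode(&disk0, &u), u.Length);
    printf("disk1 valid: %d, equal to disk0: %d\n",
           IsValidIdentifier(&disk1), IdentifiersEqual(&disk0, &disk1));
    return 0;
}
```

The invalid-identifier check is the one the report says 'disk_new' already performs in DiskSaveBusDetectInfo; the length arithmetic is the off-by-one that the report says both code paths share.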