Description
With many QueryInformation/SetInformation functions, we attempt to check for a valid InformationClass value, then index an array with the (supposedly validated) value, e.g.
    if ((FileInformationClass >= FileMaximumInformation) ||
        !(IopQueryOperationLength[FileInformationClass]))
    {
        /* Invalid class */
        return STATUS_INVALID_INFO_CLASS;
    }
However, enum types are signed, so these checks do not catch negative values and allow out-of-bounds access to the array. In many cases this lets user mode crash the system or read kernel address space.
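To make the signedness problem concrete, here is an added example (not ReactOS code) that models the check above with constructed stand-ins for the FILE_INFORMATION_CLASS enumerators, the IopQueryOperationLength table and the NTSTATUS values. The class parameter is typed as a plain int so the behaviour does not depend on which underlying type a given compiler picks for an enum; a signed enum behaves the same way. The vulnerable variant hands back the index the kernel would use rather than dereferencing it, and the fixed variant compares as unsigned so every negative value lands above the maximum:

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's information-class enumerators. */
enum {
    InfoClassUnused = 0,    /* table hole: length 0, not a valid class */
    InfoClassBasic,
    InfoClassStandard,
    InfoMaximumInformation  /* one past the last valid class */
};

#define STATUS_SUCCESS            0
#define STATUS_INVALID_INFO_CLASS (-1)

/* Constructed length table, analogous to IopQueryOperationLength; index 0 is a hole. */
static const unsigned char OperationLength[InfoMaximumInformation] = { 0, 40, 24 };

static bool index_in_bounds(long idx)
{
    return idx >= 0 && idx < (long)InfoMaximumInformation;
}

/* The report's pattern: only the upper bound is checked, so a negative class
 * passes. The array read is modelled by returning the index in *index instead
 * of dereferencing it, because the real read is out of bounds. */
int validate_vuln(int cls, long *index)
{
    if (cls >= InfoMaximumInformation)
        return STATUS_INVALID_INFO_CLASS;
    *index = cls;   /* the kernel would now read OperationLength[cls] */
    return STATUS_SUCCESS;
}

/* Hardened check: the unsigned comparison rejects every negative value, and the
 * table is consulted only after the index is proven to be in range. */
int validate_fixed(int cls, long *index)
{
    if ((unsigned int)cls >= (unsigned int)InfoMaximumInformation)
        return STATUS_INVALID_INFO_CLASS;
    if (OperationLength[cls] == 0)   /* safe: 0 <= cls < InfoMaximumInformation */
        return STATUS_INVALID_INFO_CLASS;
    *index = cls;
    return STATUS_SUCCESS;
}

/* Length lookup through the hardened check; 0 means the class was rejected. */
unsigned int query_length(int cls)
{
    long idx;
    if (validate_fixed(cls, &idx) != STATUS_SUCCESS)
        return 0;
    return OperationLength[idx];
}

int main(void)
{
    long idx = 0;
    int st = validate_vuln(-1, &idx);
    printf("vulnerable check on -1: status %d, index %ld, in bounds: %s\n",
           st, idx, index_in_bounds(idx) ? "yes" : "no");
    printf("fixed check on -1: status %d\n", validate_fixed(-1, &idx));
    printf("fixed lookup of InfoClassStandard: %u bytes\n",
           query_length(InfoClassStandard));
    return 0;
}
```

The unsigned comparison is the usual one-line fix for this class of bug: it costs nothing and turns the single upper-bound test into a two-sided range check, which is what the subsequent array index actually requires.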