Core ReactOS
CORE-15651

Buffer overruns due to incorrect InformationClass enum bounds checks


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Fix Version/s: 0.4.12
    • Component/s: NTCore
    • Labels:
      None

      Description

      With many QueryInformation/SetInformation functions, we attempt to check for valid InformationClass values, then access an array based on the (supposedly validated) value, e.g.

          if ((FileInformationClass >= FileMaximumInformation) ||
              !(IopQueryOperationLength[FileInformationClass]))
          {
              /* Invalid class */
              return STATUS_INVALID_INFO_CLASS;
          }


      However, enum types are signed, which means these checks will not catch negative values and allow out-of-bounds access to the array. In many cases this allows user mode to crash the system or read kernel address space.
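      To illustrate the signed-enum problem described above, here is an added example (not ReactOS code) using a constructed stand-in enum and length table, with DEMO_* names that are hypothetical: the flawed upper-bound-only check beside a form that compares the class as unsigned so negative values are rejected before the table is indexed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for an NT information-class enum (the real
 * FILE_INFORMATION_CLASS is much larger). The checks below take a plain
 * int, which is what the enum parameter is under MSVC, so the demonstration
 * does not depend on which integer type a given compiler picks for enums. */
typedef enum _DEMO_INFORMATION_CLASS {
    DemoBasicInformation = 1,
    DemoStandardInformation,
    DemoNameInformation,
    DemoMaximumInformation
} DEMO_INFORMATION_CLASS;

/* Constructed length table indexed by class; 0 marks an unsupported class. */
static const unsigned char DemoQueryOperationLength[DemoMaximumInformation] =
    { 0, 40, 24, 8 };

/* The flawed pattern from the report: only the upper bound is tested. With a
 * signed class, -1 >= DemoMaximumInformation is false, so the caller goes on
 * to read DemoQueryOperationLength[-1], i.e. memory before the table. */
bool ClassPassesSignedCheck(int Class)
{
    return !(Class >= DemoMaximumInformation);
}

/* Hardened form: compare as unsigned so every negative value becomes a huge
 * index that fails the upper-bound test; the table is consulted only after
 * the index is known to be in range. Returns the entry length, or 0 when the
 * kernel function would return STATUS_INVALID_INFO_CLASS. */
size_t LookupLengthChecked(int Class)
{
    unsigned Index = (unsigned)Class;

    if ((Index >= DemoMaximumInformation) || !(DemoQueryOperationLength[Index]))
    {
        return 0;   /* invalid class */
    }
    return DemoQueryOperationLength[Index];
}

int main(void)
{
    printf("signed check accepts -1:        %d\n", ClassPassesSignedCheck(-1));
    printf("unsigned lookup length for -1:  %zu\n", LookupLengthChecked(-1));
    printf("unsigned lookup length for 2:   %zu\n",
           LookupLengthChecked(DemoStandardInformation));
    return 0;
}
```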


            People

            • Assignee: ThFabba
            • Reporter: ThFabba
            • Votes: 0
            • Watchers: 2
