Public/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2025-11-11 11:08:02 -06:00
Code Activity

Windows: fix low severity vulnerability in driver that allowed reading 3 bytes of kernel stack memory (with a rare possibility of 25 additional bytes). Reported by Tim Harrison.

Browse Source
This commit is contained in:
Mounir IDRASSI
2018-09-19 18:26:01 +02:00
parent fcb66ecc2c
commit f30f9339c9
1 changed files with 92 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
src/Driver/Ntdriver.c
View File

@@ -1902,11 +1902,24 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
UNICODE_STRING FullFileName; UNICODE_STRING FullFileName;
IO_STATUS_BLOCK IoStatus; IO_STATUS_BLOCK IoStatus;
LARGE_INTEGER offset; LARGE_INTEGER offset;
byte readBuffer [TC_SECTOR_SIZE_BIOS]; size_t devicePathLen = 0;
if (!ValidateIOBufferSize (Irp, sizeof (GetSystemDriveConfigurationRequest), ValidateInputOutput)) if (!ValidateIOBufferSize (Irp, sizeof (GetSystemDriveConfigurationRequest), ValidateInputOutput))
break; break;
// check that request->DevicePath has the expected format "\\Device\\HarddiskXXX\\Partition0"
if ( !NT_SUCCESS (RtlUnalignedStringCchLengthW (request->DevicePath, TC_MAX_PATH, &devicePathLen))
|| (devicePathLen < 28) // 28 is the length of "\\Device\\Harddisk0\\Partition0" which is the minimum
|| (devicePathLen > 30) // 30 is the length of "\\Device\\Harddisk255\\Partition0" which is the maximum
|| (memcmp (request->DevicePath, L"\\Device\\Harddisk", 16 * sizeof (WCHAR)))
|| (memcmp (&request->DevicePath[devicePathLen - 11], L"\\Partition0", 11 * sizeof (WCHAR)))
)
{
Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
Irp->IoStatus.Information = 0;
break;
}
EnsureNullTerminatedString (request->DevicePath, sizeof (request->DevicePath)); EnsureNullTerminatedString (request->DevicePath, sizeof (request->DevicePath));
RtlInitUnicodeString (&FullFileName, request->DevicePath); RtlInitUnicodeString (&FullFileName, request->DevicePath);
@@ -1917,6 +1930,14 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT | FILE_RANDOM_ACCESS, NULL, 0); FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT | FILE_RANDOM_ACCESS, NULL, 0);
if (NT_SUCCESS (ntStatus)) if (NT_SUCCESS (ntStatus))
{
byte *readBuffer = TCalloc (TC_MAX_VOLUME_SECTOR_SIZE);
if (!readBuffer)
{
Irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
Irp->IoStatus.Information = 0;
}
else
{ {
// Determine if the first sector contains a portion of the VeraCrypt Boot Loader // Determine if the first sector contains a portion of the VeraCrypt Boot Loader
offset.QuadPart = 0; // MBR offset.QuadPart = 0; // MBR
@@ -1927,11 +1948,14 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
NULL, NULL,
&IoStatus, &IoStatus,
readBuffer, readBuffer,
sizeof(readBuffer), TC_MAX_VOLUME_SECTOR_SIZE,
&offset, &offset,
NULL); NULL);
if (NT_SUCCESS (ntStatus)) if (NT_SUCCESS (ntStatus))
{
// check that we could read all needed data
if (IoStatus.Information >= TC_SECTOR_SIZE_BIOS)
{ {
size_t i; size_t i;
@@ -1977,11 +2001,20 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
Irp->IoStatus.Information = sizeof (*request); Irp->IoStatus.Information = sizeof (*request);
} }
else else
{
Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
Irp->IoStatus.Information = 0;
}
}
else
{ {
Irp->IoStatus.Status = ntStatus; Irp->IoStatus.Status = ntStatus;
Irp->IoStatus.Information = 0; Irp->IoStatus.Information = 0;
} }
TCfree (readBuffer);
}
ZwClose (NtFileHandle); ZwClose (NtFileHandle);
} }