Changeset 45444 in vbox for trunk

Timestamp:

Apr 9, 2013 7:08:17 PM (12 years ago)

Author:

vboxsync

Message:

IPRT: Use MmIsAddressValid since the try/except stuff doesn't really work for everything (/anything useful).

File:

• trunk/src/VBox/Runtime/r0drv/nt/initterm-r0drv-nt.cpp (modified) (7 diffs)

trunk/src/VBox/Runtime/r0drv/nt/initterm-r0drv-nt.cpp

@@ -141 +141 @@
     /*
      * Do the CPU vendor test.
-     */
+     *
+     * Note! The MmIsAddressValid call is the real #PF security here as the
+     *       __try/__except has limited/no ability to catch everything we need.
+     */
+    char *pszPrcbVendorString = (char *)&pbPrcb[pSet->KPRCB.offVendorString];
+    if (!MmIsAddressValid(&pszPrcbVendorString[4 * 3 - 1]))
+    {
+        DbgPrint("IPRT: #%d invalid vendor string address.\n", pSet - &g_artNtSdbSets[0]);
+        return false;
+    }
     __try
     {
-        if (memcmp(&pbPrcb[pSet->KPRCB.offVendorString], pszVendor,
-                   RT_MIN(4 * 3, pSet->KPRCB.cbVendorString)) != 0)
+        if (memcmp(pszPrcbVendorString, pszVendor, RT_MIN(4 * 3, pSet->KPRCB.cbVendorString)) != 0)
         {
-            //DbgPrint("IPRT: #%d Vendor string mismatch.\n");
+            DbgPrint("IPRT: #%d Vendor string mismatch.\n", pSet - &g_artNtSdbSets[0]);
             return false;
         }
     }
-    __except(EXCEPTION_EXECUTE_HANDLER) /** @todo this handler doesn't seem to work... Because of Irql? */
-    {
-        //DbgPrint("IPRT: Exception\n");
+    __except(EXCEPTION_EXECUTE_HANDLER)
+    {
+        DbgPrint("IPRT: %#d Exception\n", pSet - &g_artNtSdbSets[0]);
         return false;
     }
@@ -224 +232 @@
 
     /*
-     * HACK ALERT (and déjà vu warning)!
+     * HACK ALERT! (and déjà vu warning - remember win32k.sys?)
      *
      * Try find _KPRCB::QuantumEnd and _KPRCB::[DpcData.]DpcQueueDepth.
@@ -230 +238 @@
      *
      * The offsets was initially derived by poking around with windbg
-     * (dt _KPRCB, !prcb ++, and such like). Systematic harvesting is now done
-     * by means of dia2dump, grep and the symbol packs. Typically:
+     * (dt _KPRCB, !prcb ++, and such like). Systematic harvesting was then
+     * planned using dia2dump, grep and the symbol pack in a manner like this:
      *      dia2dump -type _KDPC_DATA -type _KPRCB EXE\ntkrnlmp.pdb | grep -wE "QuantumEnd|DpcData|DpcQueueDepth|VendorString"
+     *
+     * The final solution ended up using a custom harvester program called
+     * ntBldSymDb that recursively searches thru unpacked symbol packages for
+     * the desired structure offsets.  The program assumes that the packages
+     * are unpacked into directories with the same name as the package, with
+     * exception of some of the w2k packages which requires a 'w2k' prefix to
+     * be distinguishable from another.
      */
 
@@ -253 +268 @@
 
     uint8_t *pbPrcb;
-    __try
+    __try /* Warning. This try/except statement may provide some false safety. */
     {
 #if defined(RT_ARCH_X86)
@@ -266 +281 @@
 #endif
     }
-    __except(EXCEPTION_EXECUTE_HANDLER) /** @todo this handler doesn't seem to work... Because of Irql? */
+    __except(EXCEPTION_EXECUTE_HANDLER)
     {
         pbPrcb = NULL;
     }
-
-    KeLowerIrql(OldIrql); /* Lowering the IRQL early in the hope that we may catch exceptions below. */
 
     /*
@@ -310 +323 @@
             }
         }
-        iBest = RT_ELEMENTS(g_artNtSdbSets)-1;
         if (iBest < RT_ELEMENTS(g_artNtSdbSets))
         {
@@ -333 +345 @@
         DbgPrint("IPRT: Failed to get PCBR pointer.\n");
 
+    KeLowerIrql(OldIrql); /* Lowering the IRQL early in the hope that we may catch exceptions below. */
+
 #ifndef IN_GUEST
     if (!g_offrtNtPbQuantumEnd && !g_offrtNtPbDpcQueueDepth)