Changeset 57303 in vbox

Timestamp:

Aug 13, 2015 12:31:23 AM (10 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

102065

Message:

SUPDrv-win.cpp: Workaround for AudioDG.exe on windows 10 wanting to do some new cpu set management for us, not sure what it is or what I think of it. We need audio though, so allow it for now. Also modified the SUPDRVNTPROTECT handling to make sure we don't try remove structures not in the tree, in case we fail early before it's inserted. Finally, shut up a signed comparisons warning.

File:

• trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp (modified) (16 diffs)

trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp

@@ -207 +207 @@
     /** The kind of process we're protecting. */
     SUPDRVNTPROTECTKIND volatile enmProcessKind;
+    /** Whether this structure is in the tree. */
+    bool                fInTree : 1;
     /** 7,: Hack to allow the supid themes service duplicate handle privileges to
      *  our process. */
@@ -2938 +2940 @@
             if (fSuccess)
             {
+                pNtChild->fInTree         = true;
                 pNtParent->u.pChild       = pNtChild; /* Parent keeps the initial reference. */
                 pNtParent->enmProcessKind = kSupDrvNtProtectKind_StubParent;
@@ -3268 +3271 @@
             else
             {
+                ACCESS_MASK const fDesiredAccess = pOpInfo->Parameters->CreateHandleInformation.DesiredAccess;
+
                 /* Special case 1 on Vista, 7 & 8:
                    The CreateProcess code passes the handle over to CSRSS.EXE
@@ -3284 +3289 @@
                 {
                     if (   !pOpInfo->KernelHandle
-                        && pOpInfo->Parameters->CreateHandleInformation.DesiredAccess == s_fCsrssStupidDesires)
+                        && fDesiredAccess == s_fCsrssStupidDesires)
                     {
                         if (g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 3))
@@ -3313 +3318 @@
                 {
                     pNtProtect->fCsrssFirstProcessCreateHandle = false;
-                    if (pOpInfo->Parameters->CreateHandleInformation.DesiredAccess == s_fCsrssStupidDesires)
+                    if (fDesiredAccess == s_fCsrssStupidDesires)
                     {
                         /* Not needed: PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID,
@@ -3333 +3338 @@
                 if (   g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)
                     && g_uNtVerCombined  < SUP_MAKE_NT_VER_SIMPLE(6, 2)
-                    && pOpInfo->Parameters->CreateHandleInformation.DesiredAccess == 0x1478 /* 6.1.7600.16385 (win7_rtm.090713-1255) */
+                    && fDesiredAccess == 0x1478 /* 6.1.7600.16385 (win7_rtm.090713-1255) */
                     && pNtProtect->fThemesFirstProcessCreateHandle
                     && pOpInfo->KernelHandle == 0
@@ -3344 +3349 @@
                 }
 
+                /* Special case 6a, Windows 10+: AudioDG.exe opens the process with the
+                   PROCESS_SET_LIMITED_INFORMATION right.  It seems like it need it for
+                   some myserious and weirdly placed cpu set management of our process.
+                   I'd love to understand what that's all about...
+                   Currently playing safe and only grand this right, however limited, to
+                   audiodg.exe. */
+                if (   g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(10, 0)
+                    && (   fDesiredAccess == PROCESS_SET_LIMITED_INFORMATION
+                        || fDesiredAccess == (PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) /* expected fix #1 */
+                        || fDesiredAccess == (PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION)         /* expected fix #2 */
+                        )
+                    && pOpInfo->KernelHandle == 0
+                    && ExGetPreviousMode() == UserMode
+                    && supdrvNtProtectIsSystem32ProcessMatch(PsGetCurrentProcess(), "audiodg.exe") )
+                {
+                    fAllowedRights |= PROCESS_SET_LIMITED_INFORMATION;
+                    pOpInfo->CallContext = NULL; /* don't assert this. */
+                }
+
                 Log(("vboxdrv/ProcessHandlePre: %sctx=%04zx/%p wants %#x to %p/pid=%04zx [%d], allow %#x => %#x; %s [prev=%#x]\n",
                      pOpInfo->KernelHandle ? "k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
-                     pOpInfo->Parameters->CreateHandleInformation.DesiredAccess,
-                     pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind, fAllowedRights,
-                     pOpInfo->Parameters->CreateHandleInformation.DesiredAccess & fAllowedRights,
+                     fDesiredAccess, pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
+                     fAllowedRights, fDesiredAccess & fAllowedRights,
                      PsGetProcessImageFileName(PsGetCurrentProcess()), ExGetPreviousMode() ));
 
@@ -3373 +3396 @@
             else
             {
+                ACCESS_MASK const fDesiredAccess = pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess;
+
                 /* Special case 5 on Vista, 7 & 8:
                    This is the CSRSS.EXE end of special case #1. */
@@ -3379 +3404 @@
                     && pNtProtect->cCsrssFirstProcessDuplicateHandle > 0
                     && pOpInfo->KernelHandle == 0
-                    && pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess == s_fCsrssStupidDesires
+                    && fDesiredAccess == s_fCsrssStupidDesires
                     &&    pNtProtect->hParentPid
                        == PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess)
@@ -3399 +3424 @@
                 }
 
+                /* Special case 6b, Windows 10+: AudioDG.exe duplicates the handle it opened above. */
+                if (   g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(10, 0)
+                    && (   fDesiredAccess == PROCESS_SET_LIMITED_INFORMATION
+                        || fDesiredAccess == (PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) /* expected fix #1 */
+                        || fDesiredAccess == (PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION)         /* expected fix #2 */
+                        )
+                    && pOpInfo->KernelHandle == 0
+                    && ExGetPreviousMode() == UserMode
+                    && supdrvNtProtectIsSystem32ProcessMatch(PsGetCurrentProcess(), "audiodg.exe") )
+                {
+                    fAllowedRights |= PROCESS_SET_LIMITED_INFORMATION;
+                    pOpInfo->CallContext = NULL; /* don't assert this. */
+                }
+
                 Log(("vboxdrv/ProcessHandlePre: %sctx=%04zx/%p[%p] dup from %04zx/%p with %#x to %p in pid=%04zx [%d] %s\n",
                      pOpInfo->KernelHandle ? "k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
@@ -3404 +3443 @@
                      PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess),
                      pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess,
-                     pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess,
+                     fDesiredAccess,
                      pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
                      PsGetProcessImageFileName(PsGetCurrentProcess()) ));
@@ -3685 +3724 @@
         RTSpinlockAcquire(g_hNtProtectLock);
         bool fSuccess = RTAvlPVInsert(&g_NtProtectTree, &pNtProtect->AvlCore);
+        pNtProtect->fInTree = fSuccess;
         RTSpinlockRelease(g_hNtProtectLock);
 
@@ -3725 +3765 @@
          */
         ASMAtomicWriteU32(&pNtProtect->u32Magic, SUPDRVNTPROTECT_MAGIC_DEAD);
-        PSUPDRVNTPROTECT pRemoved = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pNtProtect->AvlCore.Key);
-
-        PSUPDRVNTPROTECT pRemovedChild = NULL;
+        if (pNtProtect->fInTree)
+        {
+            PSUPDRVNTPROTECT pRemoved = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pNtProtect->AvlCore.Key);
+            Assert(pRemoved == pNtProtect);
+            pNtProtect->fInTree = false;
+        }
+
         PSUPDRVNTPROTECT pChild = NULL;
         if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubParent)
@@ -3739 +3783 @@
                 uint32_t cChildRefs = ASMAtomicDecU32(&pChild->cRefs);
                 if (!cChildRefs)
-                    pRemovedChild = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pChild->AvlCore.Key);
+                {
+                    Assert(pChild->fInTree);
+                    if (pChild->fInTree)
+                    {
+                        PSUPDRVNTPROTECT pRemovedChild = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pChild->AvlCore.Key);
+                        Assert(pRemovedChild == pChild);
+                        pChild->fInTree = false;
+                    }
+                }
                 else
                     pChild = NULL;
@@ -3748 +3800 @@
 
         RTSpinlockRelease(g_hNtProtectLock);
-        Assert(pRemoved == pNtProtect);
-        Assert(pRemovedChild == pChild);
 
         if (pNtProtect->pCsrssProcess)
@@ -3977 +4027 @@
                little overly paranoid as I think we can safely trust the
                system process... */
-            if (   cSystemProcessHandles < (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 3) ? 2 : 1)
+            if (   cSystemProcessHandles < (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 3) ? UINT32_C(2) : UINT32_C(1))
                 && pHandleInfo->UniqueProcessId == PsGetProcessId(PsInitialSystemProcess))
             {