From 1b42731dca0df26788dd20cb709c216dbc422dc9 Mon Sep 17 00:00:00 2001 From: Pierre Schweitzer Date: Sat, 1 Jun 2019 13:51:40 +0200 Subject: [PATCH] [NTOSKRNL] Add a few ASSERTs to ObpGetDosDevicesProtection for DBG builds --- ntoskrnl/ob/obname.c | 104 ++++++++++++++++++++++++------------------- 1 file changed, 59 insertions(+), 45 deletions(-) diff --git a/ntoskrnl/ob/obname.c b/ntoskrnl/ob/obname.c index 866ac748d84..d76ed10a919 100644 --- a/ntoskrnl/ob/obname.c +++ b/ntoskrnl/ob/obname.c @@ -41,9 +41,11 @@ ObpGetDosDevicesProtection(OUT PSECURITY_DESCRIPTOR SecurityDescriptor) { PACL Dacl; ULONG AclSize; + NTSTATUS Status; /* Initialize the SD */ - RtlCreateSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION); + Status = RtlCreateSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION); + ASSERT(NT_SUCCESS(Status)); if (ObpProtectionMode & 1) { @@ -63,42 +65,49 @@ ObpGetDosDevicesProtection(OUT PSECURITY_DESCRIPTOR SecurityDescriptor) } /* Initialize the DACL */ - RtlCreateAcl(Dacl, AclSize, ACL_REVISION); + Status = RtlCreateAcl(Dacl, AclSize, ACL_REVISION); + ASSERT(NT_SUCCESS(Status)); /* Add the ACEs */ - RtlAddAccessAllowedAce(Dacl, - ACL_REVISION, - GENERIC_READ | GENERIC_EXECUTE, - SeWorldSid); + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + GENERIC_READ | GENERIC_EXECUTE, + SeWorldSid); + ASSERT(NT_SUCCESS(Status)); - RtlAddAccessAllowedAce(Dacl, - ACL_REVISION, - GENERIC_ALL, - SeLocalSystemSid); + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + GENERIC_ALL, + SeLocalSystemSid); + ASSERT(NT_SUCCESS(Status)); - RtlAddAccessAllowedAceEx(Dacl, - ACL_REVISION, - INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, - GENERIC_EXECUTE, - SeWorldSid); + Status = RtlAddAccessAllowedAceEx(Dacl, + ACL_REVISION, + INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, + GENERIC_EXECUTE, + SeWorldSid); + ASSERT(NT_SUCCESS(Status)); - RtlAddAccessAllowedAceEx(Dacl, - ACL_REVISION, - INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, - GENERIC_ALL, - SeAliasAdminsSid); + Status = RtlAddAccessAllowedAceEx(Dacl, + ACL_REVISION, + INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, + GENERIC_ALL, + SeAliasAdminsSid); + ASSERT(NT_SUCCESS(Status)); - RtlAddAccessAllowedAceEx(Dacl, - ACL_REVISION, - INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, - GENERIC_ALL, - SeLocalSystemSid); + Status = RtlAddAccessAllowedAceEx(Dacl, + ACL_REVISION, + INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, + GENERIC_ALL, + SeLocalSystemSid); + ASSERT(NT_SUCCESS(Status)); - RtlAddAccessAllowedAceEx(Dacl, - ACL_REVISION, - INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, - GENERIC_ALL, - SeCreatorOwnerSid); + Status = RtlAddAccessAllowedAceEx(Dacl, + ACL_REVISION, + INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, + GENERIC_ALL, + SeCreatorOwnerSid); + ASSERT(NT_SUCCESS(Status)); } else { @@ -115,28 +124,33 @@ ObpGetDosDevicesProtection(OUT PSECURITY_DESCRIPTOR SecurityDescriptor) } /* Initialize the DACL */ - RtlCreateAcl(Dacl, AclSize, ACL_REVISION); + Status = RtlCreateAcl(Dacl, AclSize, ACL_REVISION); + ASSERT(NT_SUCCESS(Status)); /* Add the ACEs */ - RtlAddAccessAllowedAce(Dacl, - ACL_REVISION, - GENERIC_READ | GENERIC_EXECUTE | GENERIC_WRITE, - SeWorldSid); + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + GENERIC_READ | GENERIC_EXECUTE | GENERIC_WRITE, + SeWorldSid); + ASSERT(NT_SUCCESS(Status)); - RtlAddAccessAllowedAce(Dacl, - ACL_REVISION, - GENERIC_ALL, - SeLocalSystemSid); + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + GENERIC_ALL, + SeLocalSystemSid); + ASSERT(NT_SUCCESS(Status)); - RtlAddAccessAllowedAceEx(Dacl, - ACL_REVISION, - INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, - GENERIC_ALL, - SeWorldSid); + Status = RtlAddAccessAllowedAceEx(Dacl, + ACL_REVISION, + INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, + GENERIC_ALL, + SeWorldSid); + ASSERT(NT_SUCCESS(Status)); } /* Attach the DACL to the SD */ - RtlSetDaclSecurityDescriptor(SecurityDescriptor, TRUE, Dacl, FALSE); + Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor, TRUE, Dacl, FALSE); + ASSERT(NT_SUCCESS(Status)); return STATUS_SUCCESS; }