[NTOS:SE] Assign the captured privilege or SID as NULL when releasing

Whenever a captured security property such as a privilege or SID is released, we must not have such a captured property point at a random address in memory but rather we must assign it as NULL after it's been freed from pool memory. This avoids potential double-after-free situations where we might release a buffer twice.
This is exactly the case with token filtering.
This commit is contained in:
George Bișoc
2022-02-09 10:29:56 +01:00
parent 3ed22ed326
commit 8479509a7b
3 changed files with 3 additions and 7 deletions


@@ -562,6 +562,7 @@ SeReleaseLuidAndAttributesArray(
(PreviousMode != KernelMode || CaptureIfKernel))
{
ExFreePoolWithTag(Privilege, TAG_LUID);
Privilege = NULL;
}
}
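Review bot: `Privilege = NULL;` after `ExFreePoolWithTag(Privilege, TAG_LUID);` only clears the callee's own copy of the parameter; the callers in this same patch pass `CapturedPrivileges` by value (not its address), so after `SeReleaseLuidAndAttributesArray` returns their pointer still holds the freed address. The new line is a dead store. If the goal is to stop a second release, the function would have to receive a pointer to the caller's pointer and clear it through that, or the caller must keep its own `= NULL` after the call.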


@@ -776,6 +776,7 @@ SeReleaseSidAndAttributesArray(
((AccessMode != KernelMode) || CaptureIfKernel))
{
ExFreePoolWithTag(CapturedSidAndAttributes, TAG_SID_AND_ATTRIBUTES);
CapturedSidAndAttributes = NULL;
}
}
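Review bot: Same issue as in `SeReleaseLuidAndAttributesArray`: `CapturedSidAndAttributes = NULL;` assigns to a by-value parameter, so the caller's `CapturedSids` / `CapturedRestrictedSids` are unaffected once this function returns.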


@@ -3,7 +3,7 @@
* LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
* PURPOSE: Security token implementation support
* COPYRIGHT: Copyright David Welch <welch@cwcom.net>
* Copyright 2021 George Bișoc <george.bisoc@reactos.org>
* Copyright 2021-2022 George Bișoc <george.bisoc@reactos.org>
*/
/* INCLUDES *******************************************************************/
@@ -6819,8 +6819,6 @@ Quit:
SeReleaseSidAndAttributesArray(CapturedSids,
PreviousMode,
TRUE);
CapturedSids = NULL;
}
if (CapturedPrivileges != NULL)
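Review bot: Removing `CapturedSids = NULL;` here is only safe if `SeReleaseSidAndAttributesArray` clears the pointer for us, but the function receives `CapturedSids` by value, so after the call the local still points at freed pool. It does not bite today only because `return Status;` follows these three release blocks; anything later inserted between them and the return would operate on a dangling pointer. Suggest keeping the caller-side assignment.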
@@ -6828,8 +6826,6 @@ Quit:
SeReleaseLuidAndAttributesArray(CapturedPrivileges,
PreviousMode,
TRUE);
CapturedPrivileges = NULL;
}
if (CapturedRestrictedSids != NULL)
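Review bot: Same as the `CapturedSids` hunk above: `CapturedPrivileges` is passed by value to `SeReleaseLuidAndAttributesArray`, so nothing replaces the removed `CapturedPrivileges = NULL;` in this scope.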
@@ -6837,8 +6833,6 @@ Quit:
SeReleaseSidAndAttributesArray(CapturedRestrictedSids,
PreviousMode,
TRUE);
CapturedRestrictedSids = NULL;
}
return Status;
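Review bot: With `return Status;` directly after the third release, none of the three removed assignments was acting as a double-free guard in the shown code, and the assignments moved into the callees do not reach these variables. The commit message's claim that this change prevents releasing a buffer twice is therefore not supported by the hunks: the net effect is three dead stores in the release functions and three dangling locals in `Quit:` that are immediately discarded.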