From 8479509a7bc482ea2aaaf73a8c12d42521ced794 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?George=20Bi=C8=99oc?=
Date: Wed, 9 Feb 2022 10:29:56 +0100
Subject: [PATCH] [NTOS:SE] Assign the captured privilege or SID as NULL when releasing

Whenever a captured security property such as privilege or SID is released, we must not have such captured property point at random address in memory but rather we must assign it as NULL after it's been freed from pool memory. This avoids potential double-after-free situations where we might release a buffer twice. This is exactly the case with token filtering.
---
 ntoskrnl/se/priv.c | 1 +
 ntoskrnl/se/sid.c | 1 +
 ntoskrnl/se/token.c | 8 +-------
 3 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/ntoskrnl/se/priv.c b/ntoskrnl/se/priv.c
index a1013b1844b..ffab568d492 100644
--- a/ntoskrnl/se/priv.c
+++ b/ntoskrnl/se/priv.c
@@ -562,6 +562,7 @@ SeReleaseLuidAndAttributesArray(
 (PreviousMode != KernelMode || CaptureIfKernel))
 {
 ExFreePoolWithTag(Privilege, TAG_LUID);
+ Privilege = NULL;
 }
 }
 
diff --git a/ntoskrnl/se/sid.c b/ntoskrnl/se/sid.c
index 509b3777488..d6c0f4ad912 100644
--- a/ntoskrnl/se/sid.c
+++ b/ntoskrnl/se/sid.c
@@ -776,6 +776,7 @@ SeReleaseSidAndAttributesArray(
 ((AccessMode != KernelMode) || CaptureIfKernel))
 {
 ExFreePoolWithTag(CapturedSidAndAttributes, TAG_SID_AND_ATTRIBUTES);
+ CapturedSidAndAttributes = NULL;
 }
 }
 
diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c
index fa4a0e8d847..a2a232343a7 100644
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@@ -3,7 +3,7 @@
 * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
 * PURPOSE: Security token implementation support
 * COPYRIGHT: Copyright David Welch
- * Copyright 2021 George Bișoc
+ * Copyright 2021-2022 George Bișoc
 */
 
 /* INCLUDES *******************************************************************/
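Review bot: The added `Privilege = NULL;` only clears the callee's private copy of the pointer: `Privilege` appears to be the by-value `PLUID_AND_ATTRIBUTES` parameter of SeReleaseLuidAndAttributesArray (the function named in the hunk header), so the caller's variable still holds the freed pool address after the call and the double free the commit message wants to prevent is not prevented here. The resets that actually protected the caller are the `CapturedPrivileges = NULL;` lines this same commit deletes from token.c; those should be kept, or the parameter would have to become an `_Inout_ PLUID_AND_ATTRIBUTES *Privilege` that the function clears through the pointer, which changes the exported signature for every caller. As written the assignment is dead store that some compilers flag, and a one-line comment would at least stop the next reader from relying on it: `/* NOTE: Privilege is a by-value copy; callers must clear their own pointer after this call */`. The enclosing function starts before the hunk.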
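Review bot: `CapturedSidAndAttributes = NULL;` after ExFreePoolWithTag has no effect visible outside this function if, as the hunk header suggests, it is the by-value `PSID_AND_ATTRIBUTES` parameter of SeReleaseSidAndAttributesArray; the freed address stays in the caller's `CapturedSids` and `CapturedRestrictedSids` once the caller-side `= NULL` lines in token.c are removed. A non-NULL dangling pointer is precisely what turns a second release on an error path into a double free, which is the scenario the commit message describes, so the protection should live at the call sites (keep the `CapturedSids = NULL;` style resets in the token.c cleanup) or the function should take a `PSID_AND_ATTRIBUTES *` and reset it through that pointer. Either way the in-callee assignment should be dropped rather than left as a no-op that suggests a guarantee the API does not give. The enclosing function starts before the hunk.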
@@ -6819,8 +6819,6 @@ Quit:
 SeReleaseSidAndAttributesArray(CapturedSids,
 PreviousMode,
 TRUE);
-
- CapturedSids = NULL;
 }
 
 if (CapturedPrivileges != NULL)
@@ -6828,8 +6826,6 @@ Quit:
 SeReleaseLuidAndAttributesArray(CapturedPrivileges,
 PreviousMode,
 TRUE);
-
- CapturedPrivileges = NULL;
 }
 
 if (CapturedRestrictedSids != NULL)
@@ -6837,8 +6833,6 @@ Quit:
 SeReleaseSidAndAttributesArray(CapturedRestrictedSids,
 PreviousMode,
 TRUE);
-
- CapturedRestrictedSids = NULL;
 }
 
 return Status;