From 8eff6dfb77b5ed5ef43c4fd02710c1ba3783ef6b Mon Sep 17 00:00:00 2001
From: Timo Kreuzer
Date: Thu, 11 Sep 2025 11:17:19 +0300
Subject: [PATCH] [NTOS] Don't dereference the object when ObInsertObject fails

See CORE-17904
---
 ntoskrnl/mm/section.c | 2 +-
 ntoskrnl/se/tokenlif.c | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ntoskrnl/mm/section.c b/ntoskrnl/mm/section.c
index 12f17022127..466c4239a9e 100644
--- a/ntoskrnl/mm/section.c
+++ b/ntoskrnl/mm/section.c
@@ -2312,7 +2312,7 @@ MmCreatePhysicalMemorySection(VOID)
 &Handle);
 if (!NT_SUCCESS(Status))
 {
- ObDereferenceObject(PhysSection);
+ /* Note: ObInsertObject dereferences PhysSection on failure */
 return Status;
 }
 ObCloseHandle(Handle, KernelMode);
diff --git a/ntoskrnl/se/tokenlif.c b/ntoskrnl/se/tokenlif.c
index 1bb077c9042..edbedb00ec9 100644
--- a/ntoskrnl/se/tokenlif.c
+++ b/ntoskrnl/se/tokenlif.c
@@ -417,6 +417,8 @@ SepCreateToken(
 if (!NT_SUCCESS(Status))
 {
 DPRINT1("ObInsertObject() failed (Status 0x%lx)\n", Status);
+ /* Note: ObInsertObject dereferences AccessToken on failure */
+ return Status;
 }
 }
 else
@@ -2243,6 +2245,7 @@ NtFilterToken(
 if (!NT_SUCCESS(Status))
 {
 DPRINT1("NtFilterToken(): Failed to insert the filtered token (Status 0x%lx)\n", Status);
+ /* Note: ObInsertObject dereferences FilteredToken on failure */
 goto Quit;
 }
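Review bot: The replacement comment in MmCreatePhysicalMemorySection states the ownership rule but not the consequence, which is what stops a later maintainer from putting the call back. Something like `/* ObInsertObject already dropped our reference to PhysSection on failure; dereferencing it again would release the object twice */` would carry that. The same wording applies to the comments added in the SepCreateToken and NtFilterToken hunks. PhysSection must also be treated as invalid from this point; the immediate `return Status;` does that here.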
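Review bot: The added `return Status;` in SepCreateToken exits from inside the nested `if`, so it bypasses whatever exit code follows the `if`/`else`, which lies outside this hunk. If that exit path releases anything other than AccessToken, that cleanup is now skipped on this failure; this should be confirmed against the full function. The comment could record the reason for the early exit, e.g. `/* Return directly so the common exit path cannot touch AccessToken again */`. The NtFilterToken hunk keeps `goto Quit` for the same failure, so the two call sites now handle it differently.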
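Review bot: In NtFilterToken the failure path still jumps to `Quit` with FilteredToken pointing at an object whose reference ObInsertObject has already dropped, and the hunk adds only a comment. The `Quit` label is outside the hunk, so it cannot be confirmed from here that the cleanup never dereferences or reads FilteredToken; if it does, the double release this commit removes elsewhere would remain on this path. Clearing the local before the jump, `FilteredToken = NULL;`, would make the invalidation explicit, provided the cleanup code checks for NULL.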