diff options
| author | Ken Brown <kbrown@cornell.edu> | 2021-12-27 00:42:26 +0300 |
|---|---|---|
| committer | Ken Brown <kbrown@cornell.edu> | 2021-12-27 02:29:23 +0300 |
| commit | 0ce992c1e40f843d5f264e87908a6decfd6681d1 (patch) | |
| tree | 4ed473575becd2bc74eff4e7e3a947b53363f6af | |
| parent | 3328740799d7c229293f1fcbd26cbd1e4d268e70 (diff) | |
Cygwin: fhandler_pipe::get_query_hdl_per_process: avoid a crash
NtQueryInformationProcess(ProcessHandleInformation) can return
STATUS_SUCCESS with invalid handle data for certain processes
("minimal" processes on Windows 10). This can cause a crash when
there's an attempt to access that data. Fix that by setting
NumberOfHandles to zero before calling NtQueryInformationProcess.
Addresses: https://cygwin.com/pipermail/cygwin-patches/2021q4/011611.html
| -rw-r--r-- | winsup/cygwin/fhandler_pipe.cc | 13 | ||||
| -rw-r--r-- | winsup/cygwin/release/3.3.4 | 3 |
2 files changed, 14 insertions, 2 deletions
diff --git a/winsup/cygwin/fhandler_pipe.cc b/winsup/cygwin/fhandler_pipe.cc index ba6b70f55..aef0bf6be 100644 --- a/winsup/cygwin/fhandler_pipe.cc +++ b/winsup/cygwin/fhandler_pipe.cc @@ -6,8 +6,6 @@ This software is a copyrighted work licensed under the terms of the Cygwin license. Please consult the file "CYGWIN_LICENSE" for details. */ -/* FIXME: Should this really be fhandler_pipe.cc? */ - #include "winsup.h" #include <stdlib.h> #include <sys/socket.h> @@ -20,6 +18,7 @@ details. */ #include "pinfo.h" #include "shared_info.h" #include "tls_pbuf.h" +#include <assert.h> /* This is only to be used for writing. When reading, STATUS_PIPE_EMPTY simply means there's no data to be read. */ @@ -1228,6 +1227,12 @@ fhandler_pipe::get_query_hdl_per_process (WCHAR *name, HeapAlloc (GetProcessHeap (), 0, nbytes); if (!phi) goto close_proc; + /* NtQueryInformationProcess can return STATUS_SUCCESS with + invalid handle data for certain processes. See + https://github.com/processhacker/processhacker/blob/05f5e9fa477dcaa1709d9518170d18e1b3b8330d/phlib/native.c#L5754. + We need to ensure that NumberOfHandles is zero in this + case to avoid a crash in the for loop below. */ + phi->NumberOfHandles = 0; status = NtQueryInformationProcess (proc, ProcessHandleInformation, phi, nbytes, &len); if (NT_SUCCESS (status)) @@ -1239,6 +1244,10 @@ fhandler_pipe::get_query_hdl_per_process (WCHAR *name, if (!NT_SUCCESS (status)) goto close_proc; + /* Sanity check in case Microsoft changes + NtQueryInformationProcess and the initialization of + NumberOfHandles above is no longer sufficient. */ + assert (phi->NumberOfHandles <= n_handle); for (ULONG j = 0; j < phi->NumberOfHandles; j++) { /* Check for the peculiarity of cygwin read pipe */ diff --git a/winsup/cygwin/release/3.3.4 b/winsup/cygwin/release/3.3.4 index a15684fdb..048426942 100644 --- a/winsup/cygwin/release/3.3.4 +++ b/winsup/cygwin/release/3.3.4 @@ -14,3 +14,6 @@ Bug Fixes rather than io_handle while neither read() nor select() is called after the cygwin app is started from non-cygwin app. Addresses: https://cygwin.com/pipermail/cygwin-patches/2021q4/011587.html + +- Avoid a crash when NtQueryInformationProcess returns invalid handle data. + Addresses: https://cygwin.com/pipermail/cygwin-patches/2021q4/011611.html |