[ros-dev] Security problem in NtGdiCreateCompatibleDC?
Timo Kreuzer
timo.kreuzer at web.de
Sat Feb 3 07:16:13 CET 2007
Please have a look at that code:
NtGdiCreateCompatibleDC @ 192:
...
hNewDC = DC_AllocDC
<http://www.reactos.org/generated/doxygen/de/dcc/dc_8h.html#a12>(&OrigDC->DriverName
<http://www.reactos.org/generated/doxygen/d9/de9/struct__DC.html#o8>);
if (NULL == hNewDC)
{
DC_UnlockDc(OrigDC);
if (NULL != DisplayDC)
{
NtGdiDeleteObjectApp <http://www.reactos.org/generated/doxygen/d7/de8/subsystems_2win32_2win32k_2objects_2dc_8c.html#a21>(DisplayDC);
}
return NULL;
}
NewDC = DC_LockDc( hNewDC );
...
I am not completely sure (GreatLord said it was fine) but i think it
might not be.
Let's think of a condition when process x, thread 0 does try call
NtGdiCreateCompatibleDC and Allocates the DC.
Wouldn't there be the chance of thread 1 to get a lock on the DC (by
guessing it's handle) just after it was created and make DC_LockDC
return NULL?
GDIOBJ_LockObj checks if the ProcessID is the same as
PsGetCurrentProcessId() , but not more.
So I think a second thread might do a timed attack and get a lock on the
just created DC.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.reactos.org/pipermail/ros-dev/attachments/20070203/db20ebf1/attachment.html
More information about the Ros-dev
mailing list