From 501c2bdd63c4d4b97c4bc3b54241abe53e0fabdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?=
Date: Sun, 22 Oct 2023 21:57:59 +0200
Subject: [PATCH] [NTOS:LPC] Fix input parameter for ProbeAndCaptureUnicodeString (#5815)

Addendum to commit b3c55b9e6 (PR #4399). Passing &CapturedObjectName as pointer to be probed and captured would fail if e.g. PreviousMode == UserMode, since that pointer is always in kernel space. Instead, pass the original user-mode pointer. Bug caught by Timo Kreuzer ;)
---
 ntoskrnl/lpc/create.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ntoskrnl/lpc/create.c b/ntoskrnl/lpc/create.c
index 7c017b6b7e146..2f4d5b9622a83 100644
--- a/ntoskrnl/lpc/create.c
+++ b/ntoskrnl/lpc/create.c
@@ -83,8 +83,9 @@ LpcpCreatePort(OUT PHANDLE PortHandle,
 }
 else
 {
- if (ObjectAttributes->ObjectName)
- CapturedObjectName = *(ObjectAttributes->ObjectName);
+ ObjectName = ObjectAttributes->ObjectName;
+ if (ObjectName)
+ CapturedObjectName = *ObjectName;
 }

 /* Normalize the buffer pointer in case we don't have
@@ -96,7 +97,7 @@ LpcpCreatePort(OUT PHANDLE PortHandle,
 /* Capture the port name for DPRINT only - ObCreateObject does its
 * own capture. As it is used only for debugging, ignore any failure;
 * the string is zeroed out in such case. */
- ProbeAndCaptureUnicodeString(&CapturedPortName, PreviousMode, &CapturedObjectName);
+ ProbeAndCaptureUnicodeString(&CapturedPortName, PreviousMode, ObjectName);
 LPCTRACE(LPC_CREATE_DEBUG, "Name: %wZ\n", &CapturedPortName);
 ReleaseCapturedUnicodeString(&CapturedPortName, PreviousMode);
 #endif
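Review bot: The new `ProbeAndCaptureUnicodeString(&CapturedPortName, PreviousMode, ObjectName);` call in the second hunk can now receive a NULL source pointer, because the first hunk itself treats `ObjectName` as optional (`if (ObjectName)`), whereas the old `&CapturedObjectName` argument was always a valid kernel address. Whether a NULL source is safe depends on ProbeAndCaptureUnicodeString, which is not shown here; in user mode a NULL read would presumably be caught by its probe/SEH path and zero the string as the comment above the call says, but in kernel mode a plain structure copy from the source pointer would fault on a NULL ObjectName. I would wrap the three DPRINT-only lines in `if (ObjectName) { ... }`, or, if the helper has been confirmed to tolerate NULL, say so in the comment above the call (`/* ObjectName may be NULL; ProbeAndCaptureUnicodeString zeroes CapturedPortName in that case */`). The enclosing LpcpCreatePort body, including the user-mode branch that must assign ObjectName before this point, lies outside both hunks.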