Re: [PATCH] fhandler_pipe: add sanity limit to handle loops

public inbox for cygwin-patches@cygwin.com
 help / color / mirror / Atom feed

From: Ken Brown <kbrown@cornell.edu>
To: Jeremy Drake <cygwin@jdrake.com>
Cc: cygwin-patches@cygwin.com
Subject: Re: [PATCH] fhandler_pipe: add sanity limit to handle loops
Date: Sun, 26 Dec 2021 17:18:48 -0500	[thread overview]
Message-ID: <b278775d-03d9-6683-ec43-62729bb0054c@cornell.edu> (raw)
In-Reply-To: <alpine.BSO.2.21.2112261331090.11760@resin.csoft.net>

[-- Attachment #1: Type: text/plain, Size: 1813 bytes --]

On 12/26/2021 4:35 PM, Jeremy Drake wrote:
> On Sun, 26 Dec 2021, Ken Brown wrote:
> 
>> On 12/26/2021 11:04 AM, Ken Brown wrote:
>>> On 12/26/2021 10:09 AM, Ken Brown wrote:
>>>> 1. For some processes, NtQueryInformationProcess(ProcessHandleInformation)
>>>> can return STATUS_SUCCESS with invalid handle information.  See the
>>>> comment starting at line 5754, where it is shown how to detect this.
> 
> I kind of thought something like this (that NumberOfHandles was
> uninitialized memory).
> 
>>> If I'm right, the following patch should fix the problem:
>>>
>>> diff --git a/winsup/cygwin/fhandler_pipe.cc b/winsup/cygwin/fhandler_pipe.cc
>>> index ba6b70f55..4cef3e4ca 100644
>>> --- a/winsup/cygwin/fhandler_pipe.cc
>>> +++ b/winsup/cygwin/fhandler_pipe.cc
>>> @@ -1228,6 +1228,7 @@ fhandler_pipe::get_query_hdl_per_process (WCHAR *name,
>>>               HeapAlloc (GetProcessHeap (), 0, nbytes);
>>>             if (!phi)
>>>               goto close_proc;
>>> +         phi->NumberOfHandles = 0;
>>>             status = NtQueryInformationProcess (proc,
>>> ProcessHandleInformation,
>>>                                                 phi, nbytes, &len);
>>>             if (NT_SUCCESS (status))
>>
>> Actually, this first hunk should suffice.
>>
>>> Jeremy, could you try this?
>>>
>>> Ken
> 
> 
> I've built (leaving the assert in place too), and I've got 3 loops going
> on server 2022 and 1 going on ARM64.  So far so good.  I don't know how
> long before calling it good though.

Great, thanks for testing.  I'm attaching the complete patch (with 
documentation).  I'll push it once you're convinced that it fixes the problem, 
assuming Takashi agrees.  (I think Corinna is unavailable.)

Ken

[-- Attachment #2: 0001-Cygwin-fhandler_pipe-get_query_hdl_per_process-avoid.patch --]
[-- Type: text/plain, Size: 2146 bytes --]

From 4858e73321a0618a8b1e1060416ef7d546cda895 Mon Sep 17 00:00:00 2001
From: Ken Brown <kbrown@cornell.edu>
Date: Sun, 26 Dec 2021 16:42:26 -0500
Subject: [PATCH] Cygwin: fhandler_pipe::get_query_hdl_per_process: avoid a
 crash

NtQueryInformationProcess(ProcessHandleInformation) can return
STATUS_SUCCESS with invalid handle data for certain processes
("minimal" processes on Windows 10).  This can cause a crash when
there's an attempt to access that data.  Fix that by setting
NumberOfHandles to zero before calling NtQueryInformationProcess.

Addresses: https://cygwin.com/pipermail/cygwin-patches/2021q4/011611.html
---
 winsup/cygwin/fhandler_pipe.cc | 6 ++++++
 winsup/cygwin/release/3.3.4    | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/winsup/cygwin/fhandler_pipe.cc b/winsup/cygwin/fhandler_pipe.cc
index 25a092262..2674d154c 100644
--- a/winsup/cygwin/fhandler_pipe.cc
+++ b/winsup/cygwin/fhandler_pipe.cc
@@ -1256,6 +1256,12 @@ fhandler_pipe::get_query_hdl_per_process (WCHAR *name,
 	    HeapAlloc (GetProcessHeap (), 0, nbytes);
 	  if (!phi)
 	    goto close_proc;
+	  /* NtQueryInformationProcess can return STATUS_SUCCESS with
+	     invalid handle data for certain processes.  See
+	     https://github.com/processhacker/processhacker/blob/master/phlib/native.c#L5754.
+	     We need to ensure that NumberOfHandles is zero in this
+	     case to avoid a crash in the loop below. */
+	  phi->NumberOfHandles = 0;
 	  status = NtQueryInformationProcess (proc, ProcessHandleInformation,
 					      phi, nbytes, &len);
 	  if (NT_SUCCESS (status))
diff --git a/winsup/cygwin/release/3.3.4 b/winsup/cygwin/release/3.3.4
index a15684fdb..048426942 100644
--- a/winsup/cygwin/release/3.3.4
+++ b/winsup/cygwin/release/3.3.4
@@ -14,3 +14,6 @@ Bug Fixes
   rather than io_handle while neither read() nor select() is called
   after the cygwin app is started from non-cygwin app.
   Addresses: https://cygwin.com/pipermail/cygwin-patches/2021q4/011587.html
+
+- Avoid a crash when NtQueryInformationProcess returns invalid handle data.
+  Addresses: https://cygwin.com/pipermail/cygwin-patches/2021q4/011611.html
-- 
2.34.1

next prev parent reply	other threads:[~2021-12-26 22:18 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-12-23 23:10 Jeremy Drake
2021-12-24  0:06 ` Ken Brown
2021-12-24  0:29   ` Jeremy Drake
2021-12-24 17:17     ` Ken Brown
2021-12-24 19:42       ` Jeremy Drake
2021-12-24 22:46         ` Ken Brown
2021-12-24 23:42           ` Jeremy Drake
2021-12-25  0:39           ` Jeremy Drake
2021-12-25  3:19             ` Takashi Yano
2021-12-25  3:47               ` Jeremy Drake
2021-12-25  4:12                 ` Takashi Yano
2021-12-25  5:40                   ` Jeremy Drake
2021-12-25 17:10                     ` Takashi Yano
2021-12-25 17:16                       ` Takashi Yano
2021-12-25 19:00                         ` Marco Atzeri
2021-12-25 19:20                       ` Jeremy Drake
2021-12-25 22:18                         ` Ken Brown
2021-12-25 23:00                         ` Jeremy Drake
2021-12-26  3:04                           ` Ken Brown
2021-12-26  4:56                             ` Jeremy Drake
2021-12-26 15:09                               ` Ken Brown
2021-12-26 16:04                                 ` Ken Brown
2021-12-26 16:24                                   ` Ken Brown
2021-12-26 21:35                                     ` Jeremy Drake
2021-12-26 22:18                                       ` Ken Brown [this message]
2021-12-26 22:43                                         ` Jeremy Drake
2021-12-26 23:12                                           ` Ken Brown
2021-12-26 23:23                                             ` Jeremy Drake
2021-12-27  2:42                                               ` Ken Brown
2021-12-27 21:12                                                 ` Jeremy Drake
2021-12-29 21:59                                             ` Ken Brown
2021-12-29 23:29                                               ` Jeremy Drake
2021-12-27 20:01     ` Jon Turney
2021-12-29  5:45       ` Jeremy Drake
2021-12-30 15:44         ` Jon Turney

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b278775d-03d9-6683-ec43-62729bb0054c@cornell.edu \
    --to=kbrown@cornell.edu \
    --cc=cygwin-patches@cygwin.com \
    --cc=cygwin@jdrake.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).