
[win-pv-devel] [PATCH] Fix pool leaks exposed by DriverVerifier



From: Owen Smith <owen.smith@xxxxxxxxxx>

* RegistryCloseKey was not called in DriverRequestReboot
* RegistryTeardown was not being called in DriverUnload
* __RegistryFree was not being called in RegistryCreateKey
* Reordered DriverEntry slightly for improved code consistency

Signed-off-by: Owen Smith <owen.smith@xxxxxxxxxx>
---
 src/xenvbd/driver.c   | 37 +++++++++++++++++++++++++------------
 src/xenvbd/registry.c |  2 ++
 2 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/src/xenvbd/driver.c b/src/xenvbd/driver.c
index 3fb2fcc..776d5ae 100644
--- a/src/xenvbd/driver.c
+++ b/src/xenvbd/driver.c
@@ -198,6 +198,8 @@ DriverRequestReboot(
 
     RegistryCloseKey(SubKey);
 
+    RegistryCloseKey(RequestKey);
+
     RegistryFreeSzValue(Ansi);
 
     return;
@@ -470,6 +472,7 @@ DriverUnload(
     Driver.StorPortDriverUnload(_DriverObject);
     BufferTerminate();
     RegistryCloseKey(Driver.ParametersKey);
+    RegistryTeardown();
 
     Trace("<=== (Irql=%d)\n", KeGetCurrentIrql());
 }
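Review bot: `Driver.ParametersKey` still holds the closed handle after `RegistryCloseKey(Driver.ParametersKey);` in DriverUnload, whereas the new fail4 path in DriverEntry clears it with `Driver.ParametersKey = NULL;`. Adding the same assignment here, before `RegistryTeardown();`, would keep the two teardown sequences identical and stop a later reader of the global from picking up a stale kernel handle. A short comment such as `/* all registry keys must be closed before RegistryTeardown() */` would also record why the new call sits last; that ordering requirement is inferred from the placement, so confirm it against registry.c. The start of DriverUnload is outside this hunk.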
@@ -517,6 +520,7 @@ DriverEntry(
     Driver.ParametersKey = ParametersKey;
 
     RegistryCloseKey(ServiceKey);
+    ServiceKey = NULL;
 
     KeInitializeSpinLock(&Driver.Lock);
     Driver.Fdo = NULL;
@@ -555,23 +559,32 @@ DriverEntry(
                                 RegistryPath,
                                 &InitData,
                                 NULL);
-    if (NT_SUCCESS(status)) {
-        Driver.StorPortDispatchPnp     = 
_DriverObject->MajorFunction[IRP_MJ_PNP];
-        Driver.StorPortDispatchPower   = 
_DriverObject->MajorFunction[IRP_MJ_POWER];
-        Driver.StorPortDriverUnload    = _DriverObject->DriverUnload;
-
-        _DriverObject->MajorFunction[IRP_MJ_PNP]    = DispatchPnp;
-        _DriverObject->MajorFunction[IRP_MJ_POWER]  = DispatchPower;
-        _DriverObject->DriverUnload                 = DriverUnload;
-    }
+    if (!NT_SUCCESS(status))
+        goto fail4;
 
-    Trace("<=== (%08x) (Irql=%d)\n", status, KeGetCurrentIrql());
-    return status;
+    Driver.StorPortDispatchPnp     = _DriverObject->MajorFunction[IRP_MJ_PNP];
+    Driver.StorPortDispatchPower   = 
_DriverObject->MajorFunction[IRP_MJ_POWER];
+    Driver.StorPortDriverUnload    = _DriverObject->DriverUnload;
+
+    _DriverObject->MajorFunction[IRP_MJ_PNP]    = DispatchPnp;
+    _DriverObject->MajorFunction[IRP_MJ_POWER]  = DispatchPower;
+    _DriverObject->DriverUnload                 = DriverUnload;
+
+    Trace("<=== (%08x) (Irql=%d)\n", STATUS_SUCCESS, KeGetCurrentIrql());
+    return STATUS_SUCCESS;
+
+fail4:
+    Error("fail4\n");
+
+    BufferTerminate();
+    RegistryCloseKey(Driver.ParametersKey);
+    Driver.ParametersKey = NULL;
 
 fail3:
     Error("fail3\n");
 
-    RegistryCloseKey(ServiceKey);
+    if (ServiceKey)
+        RegistryCloseKey(ServiceKey);
 
 fail2:
     Error("fail2\n");
diff --git a/src/xenvbd/registry.c b/src/xenvbd/registry.c
index b70bc89..9ceffa5 100644
--- a/src/xenvbd/registry.c
+++ b/src/xenvbd/registry.c
@@ -234,6 +234,8 @@ RegistryCreateKey(
 
     *Key = Child;
 
+    __RegistryFree(Buffer);
+
     return STATUS_SUCCESS;
 
 fail4:
-- 
2.8.3

