Ah, I see. Wouldn't it be cleaner to put a whitelist inside of device.c and see if the incoming object type is on that whitelist? This seems like it would be a more self-contained solution to the problem.
On Fri, Mar 15, 2019 at 2:32 PM Jacek Caban jacek@codeweavers.com wrote:
Hi Derek,
On 3/15/19 6:15 PM, Derek Lesho wrote:
I am also curious about something, what was wrong w/ the old infrastructure where the object structure held the list to kernel_objects?
It's mostly about safety. Note that server does not trust clients to be sane, even if the client is a kernel in Windows sense. The patchset allowed storing a reference to an arbitrary handle-accessible object. Although from object's perspective it mostly behaves like yet another handle, it's not exactly the same (otherwise it wouldn't make sense to introduce it). There are some corner cases where kernel process could harm wineserver if it's not treated with care. For example it could try store a reference to device manager (something Windows application would not do since there is no such thing as server device manager handle on Windows), which would cause circular dependency and a leak. In previous patchset I tried to catch such cases. Avoiding the above needed a special case, which wasn't really nice. Allowing references on only explicitly whitelisted object types solves the problem.
Jacek