[PATCH v3 3/3] server: Check for zero access in alloc_handle().

6 Dec 2024

From: Paul Gofman pgofman@codeweavers.com
---
 dlls/advapi32/tests/security.c |  4 --
 dlls/kernel32/tests/sync.c     |  2 -
 dlls/ntdll/tests/om.c          | 76 +++++++++++++++++-----------------
 server/device.c                |  2 +-
 server/handle.c                |  7 +++-
 5 files changed, 45 insertions(+), 46 deletions(-)

diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index e215ab9e5f2..56b10cee97f 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -5542,9 +5542,7 @@ static void test_mutex_security(HANDLE token)
SetLastError(0xdeadbeef);
         dup = OpenMutexA(0, FALSE, "WineTestMutex");
-        todo_wine
         ok(!dup, "OpenMutex should fail\n");
-        todo_wine
         ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %lu\n", GetLastError());
     }
@@ -5599,9 +5597,7 @@ static void test_event_security(HANDLE token)
SetLastError(0xdeadbeef);
         dup = OpenEventA(0, FALSE, "WineTestEvent");
-        todo_wine
         ok(!dup, "OpenEvent should fail\n");
-        todo_wine
         ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %lu\n", GetLastError());
     }
diff --git a/dlls/kernel32/tests/sync.c b/dlls/kernel32/tests/sync.c
index 49420e4519f..b722f38a1a7 100644
--- a/dlls/kernel32/tests/sync.c
+++ b/dlls/kernel32/tests/sync.c
@@ -248,9 +248,7 @@ static void test_mutex(void)
SetLastError(0xdeadbeef);
     hOpened = OpenMutexA(0, FALSE, "WineTestMutex");
-    todo_wine
     ok(hOpened == NULL, "OpenMutex succeeded\n");
-    todo_wine
     ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %lu\n", GetLastError());
SetLastError(0xdeadbeef);
diff --git a/dlls/ntdll/tests/om.c b/dlls/ntdll/tests/om.c
index cbc4ad27921..953b1458555 100644
--- a/dlls/ntdll/tests/om.c
+++ b/dlls/ntdll/tests/om.c
@@ -3410,17 +3410,17 @@ static void test_zero_access(void)
     ok( status == STATUS_OBJECT_NAME_EXISTS, "got %#lx.\n", status );
     CloseHandle( h2 );
     status = pNtCreateEvent( &h2, 0, &attr, NotificationEvent, FALSE );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     status = pNtOpenEvent( &h2, EVENT_ALL_ACCESS, &attr );
     ok( !status, "got %#lx.\n", status );
     CloseHandle( h2 );
     status = pNtOpenEvent( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     InitializeObjectAttributes( &attr, &str, OBJ_INHERIT, 0, NULL );
     status = pNtOpenEvent( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
status = pNtDuplicateObject( GetCurrentProcess(), h1, GetCurrentProcess(), &h2, 0, 0, 0 );
@@ -3443,10 +3443,10 @@ static void test_zero_access(void)
     ok( status == STATUS_OBJECT_NAME_EXISTS, "got %#lx.\n", status );
     CloseHandle( h2 );
     status = pNtCreateMutant( &h2, 0, &attr, FALSE );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     status = pNtOpenMutant( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     CloseHandle( h1 );
@@ -3461,10 +3461,10 @@ static void test_zero_access(void)
     ok( status == STATUS_OBJECT_NAME_EXISTS, "got %#lx.\n", status );
     CloseHandle( h2 );
     status = pNtCreateSemaphore( &h2, 0, &attr, 1, 2 );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     status = pNtOpenSemaphore( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     CloseHandle( h1 );
@@ -3479,10 +3479,10 @@ static void test_zero_access(void)
     ok( status == STATUS_OBJECT_NAME_EXISTS, "got %#lx.\n", status );
     CloseHandle( h2 );
     status = pNtCreateKeyedEvent( &h2, 0, &attr, 0 );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     status = pNtOpenKeyedEvent( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     CloseHandle( h1 );
@@ -3497,10 +3497,10 @@ static void test_zero_access(void)
     ok( status == STATUS_OBJECT_NAME_EXISTS, "got %#lx.\n", status );
     CloseHandle( h2 );
     status = pNtCreateIoCompletion( &h2, 0, &attr, 0 );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     status = pNtOpenIoCompletion( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     CloseHandle( h1 );
@@ -3516,10 +3516,10 @@ static void test_zero_access(void)
         "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     status = pNtCreateJobObject( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     status = pNtOpenJobObject( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     CloseHandle( h1 );
@@ -3534,10 +3534,10 @@ static void test_zero_access(void)
     ok( status == STATUS_OBJECT_NAME_EXISTS, "got %#lx.\n", status );
     CloseHandle( h2 );
     status = pNtCreateDirectoryObject( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     status = pNtOpenDirectoryObject( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     CloseHandle( h1 );
@@ -3552,10 +3552,10 @@ static void test_zero_access(void)
     ok( status == STATUS_OBJECT_NAME_EXISTS, "got %#lx.\n", status );
     CloseHandle( h2 );
     status = pNtCreateTimer( &h2, 0, &attr, NotificationTimer );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     status = pNtOpenTimer( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     CloseHandle( h1 );
@@ -3571,10 +3571,10 @@ static void test_zero_access(void)
         "got %#lx.\n", status );
     CloseHandle( h2 );
     status = pNtCreateSymbolicLinkObject( &h2, 0, &attr, &target );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     status = pNtOpenSymbolicLinkObject( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     CloseHandle( h1 );
@@ -3589,10 +3589,10 @@ static void test_zero_access(void)
     ok( status == STATUS_OBJECT_NAME_EXISTS, "got %#lx.\n", status );
     CloseHandle( h2 );
     status = pNtCreateSection( &h2, 0, &attr, &size, PAGE_READWRITE, SEC_COMMIT, 0 );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     status = pNtOpenSection( &h2, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     CloseHandle( h1 );
@@ -3605,7 +3605,7 @@ static void test_zero_access(void)
     ok( status == STATUS_OBJECT_NAME_EXISTS, "got %#lx.\n", status );
     CloseHandle( h2 );
     status = pNtCreateDebugObject( &h2, 0, &attr, 0 );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h2 );
     CloseHandle( h1 );
@@ -3616,7 +3616,7 @@ static void test_zero_access(void)
     CloseHandle( h1 );
     status = NtCreateFile( &h1, 0, &attr, &iosb, NULL, 0,
                            FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, 0, NULL, 0 );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h1 );
pRtlInitUnicodeString( &str, L"\??\c:\windows\system32\ntdll.dll" );
@@ -3626,12 +3626,12 @@ static void test_zero_access(void)
     CloseHandle( h1 );
     status = NtCreateFile( &h1, 0, &attr, &iosb, NULL, 0,
                            FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, 0, NULL, 0 );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h1 );
pRtlInitUnicodeString( &str, L"\Device\MailSlot\abc" );
     status = pNtCreateMailslotFile( &h1, 0, &attr, &iosb, 0, 0, 0, NULL );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h1 );
     status = pNtCreateMailslotFile( &h1, GENERIC_ALL, &attr, &iosb, 0, 0, 0, NULL );
     ok( !status, "got %#lx.\n", status );
@@ -3645,7 +3645,7 @@ static void test_zero_access(void)
     status = pNtCreateNamedPipeFile( &h1, 0, &attr, &iosb,
                                      FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_CREATE,
                                      FILE_PIPE_FULL_DUPLEX, FALSE, FALSE, FALSE, 1, 256, 256, &timeout );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h1 );
     status = pNtCreateNamedPipeFile( &h1, GENERIC_READ | GENERIC_WRITE, &attr, &iosb,
                                      FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_CREATE,
@@ -3664,7 +3664,7 @@ static void test_zero_access(void)
pRtlInitUnicodeString( &str, L"\REGISTRY\Machine" );
     status = pNtCreateKey( &h1, 0, &attr, 0, 0, 0, 0 );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h1 );
     status = pNtCreateKey( &h1, KEY_READ, &attr, 0, 0, 0, 0 );
     ok( !status, "got %#lx.\n", status );
@@ -3673,7 +3673,7 @@ static void test_zero_access(void)
     ok( !status, "got %#lx.\n", status );
     CloseHandle( h1 );
     status = pNtOpenKey( &h1, 0, &attr );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h1 );
pRtlInitUnicodeString( &str, L"\REGISTRY\Machine\Software\foobar-test" );
@@ -3697,25 +3697,25 @@ static void test_zero_access(void)
     ok( !status, "got %#lx.\n", status );
     CloseHandle( h1 );
     status = pNtOpenProcessToken( GetCurrentProcess(), 0, &h1 );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h1 );
status = NtGetNextThread(GetCurrentProcess(), NULL, 0, 0, 0, &h1);
-    todo_wine ok( status == STATUS_NO_MORE_ENTRIES, "got %#lx.\n", status );
+    ok( status == STATUS_NO_MORE_ENTRIES, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h1 );
InitializeObjectAttributes( &attr, NULL, 0, 0, NULL );
     cid.UniqueProcess = ULongToHandle( GetCurrentProcessId() );
     cid.UniqueThread  = 0;
     status = pNtOpenProcess( &h1, 0, &attr, &cid );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h1 );
InitializeObjectAttributes( &attr, NULL, 0, 0, NULL );
     cid.UniqueProcess = 0;
     cid.UniqueThread  = ULongToHandle( GetCurrentThreadId() );
     status = pNtOpenThread( &h1, 0, &attr, &cid );
-    todo_wine ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
+    ok( status == STATUS_ACCESS_DENIED, "got %#lx.\n", status );
     if (NT_SUCCESS(status)) CloseHandle( h1 );
h1 = CreateWindowStationA( "WinSta0", 0, WINSTA_ALL_ACCESS, NULL );
@@ -3728,8 +3728,8 @@ static void test_zero_access(void)
         CloseWindowStation( h1 );
         h1 = CreateWindowStationA( "WinSta0", 0, 0, NULL );
         err = GetLastError();
-        todo_wine ok( !h1, "CreateWindowStationA succeeded\n" );
-        todo_wine ok( err == ERROR_ACCESS_DENIED, "CreateWindowStationA failed %lu\n", err );
+        ok( !h1, "CreateWindowStationA succeeded\n" );
+        ok( err == ERROR_ACCESS_DENIED, "CreateWindowStationA failed %lu\n", err );
         if (h1) CloseWindowStation( h1 );
     }
     else if (err == ERROR_ACCESS_DENIED) win_skip( "Not enough privileges for CreateWindowStation\n" );
@@ -3739,8 +3739,8 @@ static void test_zero_access(void)
     CloseWindowStation( h1 );
     h1 = OpenWindowStationA( "WinSta0", TRUE, 0 );
     err = GetLastError();
-    todo_wine ok( !h1, "OpenWindowStation succeeeded\n" );
-    todo_wine ok( err == ERROR_ACCESS_DENIED, "OpenWindowStation failed %lu\n", err );
+    ok( !h1, "OpenWindowStation succeeeded\n" );
+    ok( err == ERROR_ACCESS_DENIED, "OpenWindowStation failed %lu\n", err );
     if (h1) CloseWindowStation( h1 );
h1 = CreateDesktopA( "default", NULL, NULL, 0, DESKTOP_ALL_ACCESS, NULL );
@@ -3749,8 +3749,8 @@ static void test_zero_access(void)
     SetLastError( 0xdeadbeef );
     h1 = CreateDesktopA( "default", NULL, NULL, 0, 0, NULL );
     err = GetLastError();
-    todo_wine ok( !h1, "CreateDesktopA succeeded\n" );
-    todo_wine ok( err == ERROR_ACCESS_DENIED, "CreateDesktopA failed %lu\n", err );
+    ok( !h1, "CreateDesktopA succeeded\n" );
+    ok( err == ERROR_ACCESS_DENIED, "CreateDesktopA failed %lu\n", err );
     if (h1) CloseDesktop( h1 );
h1 = OpenDesktopA( "default", 0, TRUE, DESKTOP_ALL_ACCESS );
diff --git a/server/device.c b/server/device.c
index cab09700d8c..ecfc058bc91 100644
--- a/server/device.c
+++ b/server/device.c
@@ -1003,7 +1003,7 @@ DECL_HANDLER(get_next_device_request)
if (iosb && iosb->in_size > get_reply_max_size())
             set_error( STATUS_BUFFER_OVERFLOW );
-        else if (!irp->file || (reply->next = alloc_handle( current->process, irp, 0, 0 )))
+        else if (!irp->file || (reply->next = alloc_handle_no_access_check( current->process, irp, 0, 0 )))
         {
             if (fill_irp_params( manager, irp, &reply->params ))
             {
diff --git a/server/handle.c b/server/handle.c
index e65831b3b22..b7e9cf80121 100644
--- a/server/handle.c
+++ b/server/handle.c
@@ -284,7 +284,12 @@ obj_handle_t alloc_handle( struct process *process, void *ptr, unsigned int acce
 {
     struct object *obj = ptr;
     access = obj->ops->map_access( obj, access ) & ~RESERVED_ALL;
-    if (access && !check_object_access( NULL, obj, &access )) return 0;
+    if (!access)
+    {
+        set_error( STATUS_ACCESS_DENIED );
+        return 0;
+    }
+    if (!check_object_access( NULL, obj, &access )) return 0;
     return alloc_handle_entry( process, ptr, access, attr );
 }
-- 
GitLab

https://gitlab.winehq.org/wine/wine/-/merge_requests/6047

    

2025

2024

2023

2022

[PATCH v3 3/3] server: Check for zero access in alloc_handle().