On Thu Jun 8 16:32:57 2023 +0000, Zebediah Figura wrote:
I'm sorry, but I think you're still misunderstanding. Review comments like "this check doesn't look like it should be done here" are not directives to do the check somewhere else, they are a request to figure out whether the check *should* be done somewhere else, and then do so if and only if it actually is the right thing to do. In the case where the difference can be tested, that may mean actually writing those tests. In this specific case: according to my *faulty* memory, BUFFERED ioctls always have their buffers validated, possibly even regardless of whether they're used or not, and this makes sense, because in order to be buffered, they need to be copied from user space to a kernel space buffer even before reaching the kernel driver. It also makes sense because IIRC the kernel driver is allowed to assume that InputBuffer [or whatever the field is called] points to valid memory. The fact that DeviceIoControl(handle, IOCTL_STORAGE_GET_DEVICE_NUMBER, NULL, 4, ...) apparently succeeds in your tests contradicts this. So, I would test: is this memory of mine correct in general? If so, what's the difference in this case? DeviceIoControl() versus NtDeviceIoControlFile()? The specific ioctl number [and are there any other ioctls that get similar treatment]? NtDeviceIoControlFile() versus NtFsControlFile()? Passing NULL instead of a non-NULL invalid pointer? Only by running tests can you figure out for yourself where the right place is to have these checks. And then, hopefully, keep whichever tests are necessary to prove the conclusion.
Thank you for the very detailed explanation, I did not realize that NtDeviceIoControlFile is a "public" API and can also be simply used in tests.
I added more tests. These show DeviceIoControl and NtDeviceIoControlFile behave equally. Therefore I assume the check should take place in NtDeviceIoControlFile.
The NtFsControlFile tests do all fail, so I assume that it isn't supposed to handle this ioctl at all. So I guess I can drop tests for NtFsControlFile?
If the modified function is inside ntdll, should the test then also be moved into ntdll?