ntdll: Always clear the returned handle in Nt object functions.

Signed-off-by: Alexandre Julliard <julliard@winehq.org>

ntdll: Always clear the returned handle in Nt object functions.
3fb4d1f7 · Alexandre Julliard · b0a7a652 · 3fb4d1f7 · 3fb4d1f7 · 3fb4d1f7
Commit 3fb4d1f7 authored Jul 23, 2021 by Alexandre Julliard
9 changed files
--- a/dlls/ntdll/tests/info.c
+++ b/dlls/ntdll/tests/info.c
@@ -3081,6 +3081,8 @@ static void test_thread_lookup(void)
    cid.UniqueThread = ULongToHandle(GetCurrentThreadId());
    status = pNtOpenThread(&handle, THREAD_QUERY_INFORMATION, &attr, &cid);
    ok(!status, "NtOpenThread returned %#x\n", status);
+    status = pNtOpenThread((HANDLE *)0xdeadbee0, THREAD_QUERY_INFORMATION, &attr, &cid);
+    ok( status == STATUS_ACCESS_VIOLATION, "NtOpenThread returned %#x\n", status);

    status = pNtQueryObject(handle, ObjectBasicInformation, &obj_info, sizeof(obj_info), NULL);
    ok(!status, "NtQueryObject returned: %#x\n", status);
@@ -3110,16 +3112,21 @@ static void test_thread_lookup(void)

    cid.UniqueProcess = ULongToHandle(0xdeadbeef);
    cid.UniqueThread = ULongToHandle(GetCurrentThreadId());
-    status = pNtOpenThread(&handle, THREAD_QUERY_INFORMATION, &attr, &cid);
+    handle = (HANDLE)0xdeadbeef;
+    status = NtOpenThread(&handle, THREAD_QUERY_INFORMATION, &attr, &cid);
    todo_wine
    ok(status == STATUS_INVALID_CID, "NtOpenThread returned %#x\n", status);
+    todo_wine
+    ok( !handle || broken(handle == (HANDLE)0xdeadbeef) /* vista */, "handle set %p\n", handle );
    if (!status) pNtClose(handle);

    cid.UniqueProcess = 0;
    cid.UniqueThread = ULongToHandle(0xdeadbeef);
+    handle = (HANDLE)0xdeadbeef;
    status = pNtOpenThread(&handle, THREAD_QUERY_INFORMATION, &attr, &cid);
    ok(status == STATUS_INVALID_CID || broken(status == STATUS_INVALID_PARAMETER) /* winxp */,
       "NtOpenThread returned %#x\n", status);
+    ok( !handle || broken(handle == (HANDLE)0xdeadbeef) /* vista */, "handle set %p\n", handle );
 }

 static void test_thread_info(void)

--- a/dlls/ntdll/tests/om.c
+++ b/dlls/ntdll/tests/om.c
--- a/dlls/ntdll/unix/file.c
+++ b/dlls/ntdll/unix/file.c
@@ -3750,6 +3750,7 @@ NTSTATUS WINAPI NtCreateFile( HANDLE *handle, ACCESS_MASK access, OBJECT_ATTRIBU
           attr->RootDirectory, attr->SecurityDescriptor, io, alloc_size,
           attributes, sharing, disposition, options, ea_buffer, ea_length );

+    *handle = 0;
    if (!attr || !attr->ObjectName) return STATUS_INVALID_PARAMETER;

    if (alloc_size) FIXME( "alloc_size not supported\n" );
@@ -3844,9 +3845,8 @@ NTSTATUS WINAPI NtCreateMailslotFile( HANDLE *handle, ULONG access, OBJECT_ATTRI
    TRACE( "%p %08x %p %p %08x %08x %08x %p\n",
           handle, access, attr, io, options, quota, msg_size, timeout );

-    if (!handle) return STATUS_ACCESS_VIOLATION;
+    *handle = 0;
    if (!attr) return STATUS_INVALID_PARAMETER;
-
    if ((status = alloc_object_attributes( attr, &objattr, &len ))) return status;

    SERVER_START_REQ( create_mailslot )
@@ -3877,6 +3877,7 @@ NTSTATUS WINAPI NtCreateNamedPipeFile( HANDLE *handle, ULONG access, OBJECT_ATTR
    data_size_t len;
    struct object_attributes *objattr;

+    *handle = 0;
    if (!attr) return STATUS_INVALID_PARAMETER;

    TRACE( "(%p %x %s %p %x %d %x %d %d %d %d %d %d %p)\n",

--- a/dlls/ntdll/unix/process.c
+++ b/dlls/ntdll/unix/process.c
@@ -1546,6 +1546,8 @@ NTSTATUS WINAPI NtOpenProcess( HANDLE *handle, ACCESS_MASK access,
 {
    NTSTATUS status;

+    *handle = 0;
+
    SERVER_START_REQ( open_process )
    {
        req->pid        = HandleToULong( id->UniqueProcess );

--- a/dlls/ntdll/unix/registry.c
+++ b/dlls/ntdll/unix/registry.c
@@ -79,14 +79,13 @@ NTSTATUS WINAPI NtCreateKey( HANDLE *key, ACCESS_MASK access, const OBJECT_ATTRI
    data_size_t len;
    struct object_attributes *objattr;

-    if (!key || !attr) return STATUS_ACCESS_VIOLATION;
-    if (attr->Length > sizeof(OBJECT_ATTRIBUTES)) return STATUS_INVALID_PARAMETER;
+    *key = 0;
+    if (attr->Length != sizeof(OBJECT_ATTRIBUTES)) return STATUS_INVALID_PARAMETER;
+    if ((ret = alloc_object_attributes( attr, &objattr, &len ))) return ret;

    TRACE( "(%p,%s,%s,%x,%x,%p)\n", attr->RootDirectory, debugstr_us(attr->ObjectName),
           debugstr_us(class), options, access, key );

-    if ((ret = alloc_object_attributes( attr, &objattr, &len ))) return ret;
-
    SERVER_START_REQ( create_key )
    {
        req->access     = access;
@@ -125,7 +124,7 @@ NTSTATUS WINAPI NtOpenKeyEx( HANDLE *key, ACCESS_MASK access, const OBJECT_ATTRI
 {
    NTSTATUS ret;

-    if (!key || !attr || !attr->ObjectName) return STATUS_ACCESS_VIOLATION;
+    *key = 0;
    if (attr->Length != sizeof(*attr)) return STATUS_INVALID_PARAMETER;
    if (attr->ObjectName->Length & 1) return STATUS_OBJECT_NAME_INVALID;


--- a/dlls/ntdll/unix/security.c
+++ b/dlls/ntdll/unix/security.c
@@ -55,6 +55,8 @@ NTSTATUS WINAPI NtOpenProcessTokenEx( HANDLE process, DWORD access, DWORD attrib

    TRACE( "(%p,0x%08x,0x%08x,%p)\n", process, access, attributes, handle );

+    *handle = 0;
+
    SERVER_START_REQ( open_token )
    {
        req->handle     = wine_server_obj_handle( process );
@@ -88,6 +90,8 @@ NTSTATUS WINAPI NtOpenThreadTokenEx( HANDLE thread, DWORD access, BOOLEAN self, 

    TRACE( "(%p,0x%08x,%u,0x%08x,%p)\n", thread, access, self, attributes, handle );

+    *handle = 0;
+
    SERVER_START_REQ( open_token )
    {
        req->handle     = wine_server_obj_handle( thread );
@@ -113,6 +117,7 @@ NTSTATUS WINAPI NtDuplicateToken( HANDLE token, ACCESS_MASK access, OBJECT_ATTRI
    data_size_t len;
    struct object_attributes *objattr;

+    *handle = 0;
    if ((status = alloc_object_attributes( attr, &objattr, &len ))) return status;

    if (attr && attr->SecurityQualityOfService)

--- a/dlls/ntdll/unix/server.c
+++ b/dlls/ntdll/unix/server.c
@@ -1668,6 +1668,8 @@ NTSTATUS WINAPI NtDuplicateObject( HANDLE source_process, HANDLE source, HANDLE 
    NTSTATUS ret;
    int fd = -1;

+    if (dest) *dest = 0;
+
    if ((options & DUPLICATE_CLOSE_SOURCE) && source_process != NtCurrentProcess())
    {
        apc_call_t call;

--- a/dlls/ntdll/unix/sync.c
+++ b/dlls/ntdll/unix/sync.c
@@ -249,6 +249,7 @@ NTSTATUS alloc_object_attributes( const OBJECT_ATTRIBUTES *attr, struct object_a

    if (attr->ObjectName)
    {
+        if ((ULONG_PTR)attr->ObjectName->Buffer & (sizeof(WCHAR) - 1)) return STATUS_DATATYPE_MISALIGNMENT;
        if (attr->ObjectName->Length & (sizeof(WCHAR) - 1)) return STATUS_OBJECT_NAME_INVALID;
        len += attr->ObjectName->Length;
    }
@@ -301,6 +302,7 @@ static NTSTATUS validate_open_object_attributes( const OBJECT_ATTRIBUTES *attr )

    if (attr->ObjectName)
    {
+        if ((ULONG_PTR)attr->ObjectName->Buffer & (sizeof(WCHAR) - 1)) return STATUS_DATATYPE_MISALIGNMENT;
        if (attr->ObjectName->Length & (sizeof(WCHAR) - 1)) return STATUS_OBJECT_NAME_INVALID;
    }
    else if (attr->RootDirectory) return STATUS_OBJECT_NAME_INVALID;
@@ -319,6 +321,7 @@ NTSTATUS WINAPI NtCreateSemaphore( HANDLE *handle, ACCESS_MASK access, const OBJ
    data_size_t len;
    struct object_attributes *objattr;

+    *handle = 0;
    if (max <= 0 || initial < 0 || initial > max) return STATUS_INVALID_PARAMETER;
    if ((ret = alloc_object_attributes( attr, &objattr, &len ))) return ret;

@@ -345,6 +348,7 @@ NTSTATUS WINAPI NtOpenSemaphore( HANDLE *handle, ACCESS_MASK access, const OBJEC
 {
    NTSTATUS ret;

+    *handle = 0;
    if ((ret = validate_open_object_attributes( attr ))) return ret;

    SERVER_START_REQ( open_semaphore )
@@ -427,6 +431,7 @@ NTSTATUS WINAPI NtCreateEvent( HANDLE *handle, ACCESS_MASK access, const OBJECT_
    data_size_t len;
    struct object_attributes *objattr;

+    *handle = 0;
    if (type != NotificationEvent && type != SynchronizationEvent) return STATUS_INVALID_PARAMETER;
    if ((ret = alloc_object_attributes( attr, &objattr, &len ))) return ret;

@@ -453,6 +458,7 @@ NTSTATUS WINAPI NtOpenEvent( HANDLE *handle, ACCESS_MASK access, const OBJECT_AT
 {
    NTSTATUS ret;

+    *handle = 0;
    if ((ret = validate_open_object_attributes( attr ))) return ret;

    SERVER_START_REQ( open_event )
@@ -582,6 +588,7 @@ NTSTATUS WINAPI NtCreateMutant( HANDLE *handle, ACCESS_MASK access, const OBJECT
    data_size_t len;
    struct object_attributes *objattr;

+    *handle = 0;
    if ((ret = alloc_object_attributes( attr, &objattr, &len ))) return ret;

    SERVER_START_REQ( create_mutex )
@@ -606,6 +613,7 @@ NTSTATUS WINAPI NtOpenMutant( HANDLE *handle, ACCESS_MASK access, const OBJECT_A
 {
    NTSTATUS ret;

+    *handle = 0;
    if ((ret = validate_open_object_attributes( attr ))) return ret;

    SERVER_START_REQ( open_mutex )
@@ -685,6 +693,7 @@ NTSTATUS WINAPI NtCreateJobObject( HANDLE *handle, ACCESS_MASK access, const OBJ
    data_size_t len;
    struct object_attributes *objattr;

+    *handle = 0;
    if ((ret = alloc_object_attributes( attr, &objattr, &len ))) return ret;

    SERVER_START_REQ( create_job )
@@ -707,6 +716,7 @@ NTSTATUS WINAPI NtOpenJobObject( HANDLE *handle, ACCESS_MASK access, const OBJEC
 {
    NTSTATUS ret;

+    *handle = 0;
    if ((ret = validate_open_object_attributes( attr ))) return ret;

    SERVER_START_REQ( open_job )
@@ -916,8 +926,8 @@ NTSTATUS WINAPI NtCreateDebugObject( HANDLE *handle, ACCESS_MASK access,
    data_size_t len;
    struct object_attributes *objattr;

+    *handle = 0;
    if (flags & ~DEBUG_KILL_ON_CLOSE) return STATUS_INVALID_PARAMETER;
-
    if ((ret = alloc_object_attributes( attr, &objattr, &len ))) return ret;

    SERVER_START_REQ( create_debug_obj )
@@ -1075,8 +1085,7 @@ NTSTATUS WINAPI NtCreateDirectoryObject( HANDLE *handle, ACCESS_MASK access, OBJ
    data_size_t len;
    struct object_attributes *objattr;

-    if (!handle) return STATUS_ACCESS_VIOLATION;
-
+    *handle = 0;
    if ((ret = alloc_object_attributes( attr, &objattr, &len ))) return ret;

    SERVER_START_REQ( create_directory )
@@ -1099,7 +1108,7 @@ NTSTATUS WINAPI NtOpenDirectoryObject( HANDLE *handle, ACCESS_MASK access, const
 {
    NTSTATUS ret;

-    if (!handle) return STATUS_ACCESS_VIOLATION;
+    *handle = 0;
    if ((ret = validate_open_object_attributes( attr ))) return ret;

    SERVER_START_REQ( open_directory )
@@ -1176,9 +1185,9 @@ NTSTATUS WINAPI NtCreateSymbolicLinkObject( HANDLE *handle, ACCESS_MASK access,
    data_size_t len;
    struct object_attributes *objattr;

-    if (!handle || !attr || !target) return STATUS_ACCESS_VIOLATION;
-    if (!target->Buffer) return STATUS_INVALID_PARAMETER;
-
+    *handle = 0;
+    if (!target->MaximumLength) return STATUS_INVALID_PARAMETER;
+    if (!target->Buffer) return STATUS_ACCESS_VIOLATION;
    if ((ret = alloc_object_attributes( attr, &objattr, &len ))) return ret;

    SERVER_START_REQ( create_symlink )
@@ -1203,7 +1212,7 @@ NTSTATUS WINAPI NtOpenSymbolicLinkObject( HANDLE *handle, ACCESS_MASK access,
 {
    NTSTATUS ret;

-    if (!handle) return STATUS_ACCESS_VIOLATION;
+    *handle = 0;
    if ((ret = validate_open_object_attributes( attr ))) return ret;

    SERVER_START_REQ( open_symlink )
@@ -1277,8 +1286,8 @@ NTSTATUS WINAPI NtCreateTimer( HANDLE *handle, ACCESS_MASK access, const OBJECT_
    data_size_t len;
    struct object_attributes *objattr;

+    *handle = 0;
    if (type != NotificationTimer && type != SynchronizationTimer) return STATUS_INVALID_PARAMETER;
-
    if ((ret = alloc_object_attributes( attr, &objattr, &len ))) return ret;

    SERVER_START_REQ( create_timer )
@@ -1304,6 +1313,7 @@ NTSTATUS WINAPI NtOpenTimer( HANDLE *handle, ACCESS_MASK access, const OBJECT_AT
 {
    NTSTATUS ret;

+    *handle = 0;
    if ((ret = validate_open_object_attributes( attr ))) return ret;

    SERVER_START_REQ( open_timer )
@@ -1651,6 +1661,7 @@ NTSTATUS WINAPI NtCreateKeyedEvent( HANDLE *handle, ACCESS_MASK access,
    data_size_t len;
    struct object_attributes *objattr;

+    *handle = 0;
    if ((ret = alloc_object_attributes( attr, &objattr, &len ))) return ret;

    SERVER_START_REQ( create_keyed_event )
@@ -1674,6 +1685,7 @@ NTSTATUS WINAPI NtOpenKeyedEvent( HANDLE *handle, ACCESS_MASK access, const OBJE
 {
    NTSTATUS ret;

+    *handle = 0;
    if ((ret = validate_open_object_attributes( attr ))) return ret;

    SERVER_START_REQ( open_keyed_event )
@@ -1740,7 +1752,7 @@ NTSTATUS WINAPI NtCreateIoCompletion( HANDLE *handle, ACCESS_MASK access, OBJECT

    TRACE( "(%p, %x, %p, %d)\n", handle, access, attr, threads );

-    if (!handle) return STATUS_INVALID_PARAMETER;
+    *handle = 0;
    if ((status = alloc_object_attributes( attr, &objattr, &len ))) return status;

    SERVER_START_REQ( create_completion )
@@ -1764,7 +1776,7 @@ NTSTATUS WINAPI NtOpenIoCompletion( HANDLE *handle, ACCESS_MASK access, const OB
 {
    NTSTATUS status;

-    if (!handle) return STATUS_INVALID_PARAMETER;
+    *handle = 0;
    if ((status = validate_open_object_attributes( attr ))) return status;

    SERVER_START_REQ( open_completion )
@@ -1929,6 +1941,8 @@ NTSTATUS WINAPI NtCreateSection( HANDLE *handle, ACCESS_MASK access, const OBJEC
    data_size_t len;
    struct object_attributes *objattr;

+    *handle = 0;
+
    switch (protect & 0xff)
    {
    case PAGE_READONLY:
@@ -1977,6 +1991,7 @@ NTSTATUS WINAPI NtOpenSection( HANDLE *handle, ACCESS_MASK access, const OBJECT_
 {
    NTSTATUS ret;

+    *handle = 0;
    if ((ret = validate_open_object_attributes( attr ))) return ret;

    SERVER_START_REQ( open_mapping )

--- a/dlls/ntdll/unix/thread.c
+++ b/dlls/ntdll/unix/thread.c
@@ -1535,6 +1535,8 @@ NTSTATUS WINAPI NtOpenThread( HANDLE *handle, ACCESS_MASK access,
 {
    NTSTATUS ret;

+    *handle = 0;
+
    SERVER_START_REQ( open_thread )
    {
        req->tid        = HandleToULong(id->UniqueThread);