archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/base/ntos/mm/mmpatch.c

672 lines
18 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*
  3. Copyright (c) 2001 Microsoft Corporation
  5. File name:
  7. mmpatch.c
  9. Author:
  11. Adrian Marinescu (adrmarin) Dec 20 2001
  13. Environment:
  15. Kernel mode only.
  17. Revision History:
  19. */
  21. #include "mi.h"
  22. #pragma hdrstop
  24. #define NTOS_KERNEL_RUNTIME
  26. #include "hotpatch.h"
  28. NTSTATUS
  29. MiPerformHotPatch (
  30. IN PKLDR_DATA_TABLE_ENTRY PatchHandle,
  31. IN PVOID ImageBaseAddress,
  32. IN ULONG PatchFlags
  33. );
  35. VOID
  36. MiRundownHotpatchList (
  37. IN PRTL_PATCH_HEADER PatchHead
  38. );
  40. #ifdef ALLOC_PRAGMA
  42. #pragma alloc_text(PAGE,MmLockAndCopyMemory)
  43. #pragma alloc_text(PAGE,MiPerformHotPatch)
  44. #pragma alloc_text(PAGE,MmHotPatchRoutine)
  45. #pragma alloc_text(PAGE,MiRundownHotpatchList)
  47. #endif
  49. LIST_ENTRY MiHotPatchList;
  51. #define MiInValidRange(s,offset,size,total) \
  52. (((s).offset>(total)) || \
  53. ((s).size>(total)) || \
  54. (((s).offset + (s).size)>(total)))
  56. VOID
  57. MiDoCopyMemory (
  58. IN PKDPC Dpc,
  59. IN PVOID DeferredContext,
  60. IN PVOID SystemArgument1,
  61. IN PVOID SystemArgument2
  62. )
  64. /*++
  66. Routine Description:
  68. This target function copies a captured buffer containing the new code over
  69. existing code.
  71. Arguments:
  73. Dpc - Supplies a pointer to a control object of type DPC.
  75. DeferredContext - Deferred context.
  77. SystemArgument1 - Used to signal completion of this call.
  79. SystemArgument2 - Used for internal lockstepping during this call.
  81. Return Value:
  83. None.
  85. Environment:
  87. Kernel mode, DISPATCH_LEVEL as the target of a broadcast DPC.
  89. --*/
  91. {
  92. ULONG i;
  93. KIRQL OldIrql;
  94. PSYSTEM_HOTPATCH_CODE_INFORMATION PatchInfo;
  96. ASSERT (KeGetCurrentIrql () == DISPATCH_LEVEL);
  98. UNREFERENCED_PARAMETER (Dpc);
  100. PatchInfo = (PSYSTEM_HOTPATCH_CODE_INFORMATION)DeferredContext;
  102. //
  103. // Raise IRQL and wait for all processors to synchronize to ensure no
  104. // processor can be executing the code we're about to modify.
  105. //
  107. KeRaiseIrql (IPI_LEVEL - 1, &OldIrql);
  109. if (KeSignalCallDpcSynchronize (SystemArgument2)) {
  111. PatchInfo->Flags &= ~FLG_HOTPATCH_VERIFICATION_ERROR;
  113. //
  114. // Compare the existing code.
  115. //
  117. for (i = 0; i < PatchInfo->CodeInfo.DescriptorsCount; i += 1) {
  119. if (PatchInfo->Flags & FLG_HOTPATCH_ACTIVE) {
  121. if (RtlCompareMemory (PatchInfo->CodeInfo.CodeDescriptors[i].MappedAddress,
  122. (PUCHAR)PatchInfo + PatchInfo->CodeInfo.CodeDescriptors[i].ValidationOffset,
  123. PatchInfo->CodeInfo.CodeDescriptors[i].ValidationSize)
  124. != PatchInfo->CodeInfo.CodeDescriptors[i].ValidationSize) {
  126. //
  127. // Maybe this instruction has been previously patched. See if the OrigCodeOffset matches
  128. // in this case
  129. //
  131. if (RtlCompareMemory (PatchInfo->CodeInfo.CodeDescriptors[i].MappedAddress,
  132. (PUCHAR)PatchInfo + PatchInfo->CodeInfo.CodeDescriptors[i].OrigCodeOffset,
  133. PatchInfo->CodeInfo.CodeDescriptors[i].CodeSize)
  134. != PatchInfo->CodeInfo.CodeDescriptors[i].CodeSize) {
  136. PatchInfo->Flags |= FLG_HOTPATCH_VERIFICATION_ERROR;
  137. break;
  138. }
  139. }
  140. }
  141. else {
  143. if (RtlCompareMemory (PatchInfo->CodeInfo.CodeDescriptors[i].MappedAddress,
  144. (PUCHAR)PatchInfo + PatchInfo->CodeInfo.CodeDescriptors[i].CodeOffset,
  145. PatchInfo->CodeInfo.CodeDescriptors[i].CodeSize)
  146. != PatchInfo->CodeInfo.CodeDescriptors[i].CodeSize) {
  148. PatchInfo->Flags |= FLG_HOTPATCH_VERIFICATION_ERROR;
  149. break;
  150. }
  151. }
  152. }
  154. if (!(PatchInfo->Flags & FLG_HOTPATCH_VERIFICATION_ERROR)) {
  156. for (i = 0; i < PatchInfo->CodeInfo.DescriptorsCount; i += 1) {
  158. if (PatchInfo->Flags & FLG_HOTPATCH_ACTIVE) {
  160. RtlCopyMemory (PatchInfo->CodeInfo.CodeDescriptors[i].MappedAddress,
  161. (PUCHAR)PatchInfo + PatchInfo->CodeInfo.CodeDescriptors[i].CodeOffset,
  162. PatchInfo->CodeInfo.CodeDescriptors[i].CodeSize );
  163. } else {
  165. RtlCopyMemory (PatchInfo->CodeInfo.CodeDescriptors[i].MappedAddress,
  166. (PUCHAR)PatchInfo + PatchInfo->CodeInfo.CodeDescriptors[i].OrigCodeOffset,
  167. PatchInfo->CodeInfo.CodeDescriptors[i].CodeSize );
  168. }
  169. }
  170. }
  171. }
  173. KeSignalCallDpcSynchronize (SystemArgument2);
  175. KeSweepCurrentIcache ();
  177. KeLowerIrql (OldIrql);
  179. //
  180. // Signal that all processing has been done.
  181. //
  183. KeSignalCallDpcDone (SystemArgument1);
  185. return;
  186. }
  188. NTSTATUS
  189. MmLockAndCopyMemory (
  190. IN PSYSTEM_HOTPATCH_CODE_INFORMATION PatchInfo,
  191. IN KPROCESSOR_MODE ProbeMode
  192. )
  194. /*++
  196. Routine Description:
  198. This function locks the code pages for IoWriteAccess and
  199. copy the new code at DPC, if all validations succeed.
  201. Arguments:
  203. PatchInfo - Supplies the descriptors for the target code and validation
  205. ProbeMode - Supplied the probe mode for ExLockUserBuffer
  207. Return Value:
  209. NTSTATUS.
  211. --*/
  213. {
  214. PVOID * Locks;
  215. ULONG i;
  216. NTSTATUS Status;
  218. ASSERT (KeGetCurrentIrql () <= APC_LEVEL);
  220. if (PatchInfo->CodeInfo.DescriptorsCount == 0) {
  222. //
  223. // Nothing to change
  224. //
  226. return STATUS_SUCCESS;
  227. }
  229. Locks = ExAllocatePoolWithQuotaTag (PagedPool | POOL_QUOTA_FAIL_INSTEAD_OF_RAISE,
  230. PatchInfo->CodeInfo.DescriptorsCount * sizeof(PVOID),
  231. 'PtoH');
  233. if (Locks == NULL) {
  234. return STATUS_INSUFFICIENT_RESOURCES;
  235. }
  237. RtlZeroMemory (Locks, PatchInfo->CodeInfo.DescriptorsCount * sizeof(PVOID));
  239. Status = STATUS_INVALID_PARAMETER;
  241. for (i = 0; i < PatchInfo->CodeInfo.DescriptorsCount; i += 1) {
  243. if (MiInValidRange (PatchInfo->CodeInfo.CodeDescriptors[i],CodeOffset,CodeSize, PatchInfo->InfoSize )
  244. ||
  245. MiInValidRange (PatchInfo->CodeInfo.CodeDescriptors[i],OrigCodeOffset,CodeSize, PatchInfo->InfoSize )
  246. ||
  247. MiInValidRange (PatchInfo->CodeInfo.CodeDescriptors[i],ValidationOffset,ValidationSize, PatchInfo->InfoSize )
  248. ||
  249. (PatchInfo->CodeInfo.CodeDescriptors[i].CodeSize == 0)
  250. ||
  251. (PatchInfo->CodeInfo.CodeDescriptors[i].ValidationSize < PatchInfo->CodeInfo.CodeDescriptors[i].CodeSize) ) {
  253. Status = STATUS_INVALID_PARAMETER;
  254. break;
  255. }
  257. Status = ExLockUserBuffer ((PVOID)PatchInfo->CodeInfo.CodeDescriptors[i].TargetAddress,
  258. (ULONG)PatchInfo->CodeInfo.CodeDescriptors[i].CodeSize,
  259. ProbeMode,
  260. IoWriteAccess,
  261. (PVOID)&PatchInfo->CodeInfo.CodeDescriptors[i].MappedAddress,
  262. &Locks[i]
  263. );
  265. if (!NT_SUCCESS(Status)) {
  267. break;
  268. }
  269. }
  271. if (NT_SUCCESS(Status)) {
  273. PatchInfo->Flags ^= FLG_HOTPATCH_ACTIVE;
  275. KeGenericCallDpc (MiDoCopyMemory, PatchInfo);
  277. if (PatchInfo->Flags & FLG_HOTPATCH_VERIFICATION_ERROR) {
  279. PatchInfo->Flags ^= FLG_HOTPATCH_ACTIVE;
  280. PatchInfo->Flags &= ~FLG_HOTPATCH_VERIFICATION_ERROR;
  282. Status = STATUS_DATA_ERROR;
  283. }
  284. }
  286. for (i = 0; i < PatchInfo->CodeInfo.DescriptorsCount; i += 1) {
  288. if (Locks[i] != NULL) {
  290. ExUnlockUserBuffer (Locks[i]);
  291. }
  292. }
  294. ExFreePool (Locks);
  296. return Status;
  297. }
  299. NTSTATUS
  300. MiPerformHotPatch (
  301. IN PKLDR_DATA_TABLE_ENTRY PatchHandle,
  302. IN PVOID ImageBaseAddress,
  303. IN ULONG PatchFlags
  304. )
  306. /*++
  308. Routine Description:
  310. This function performs the actual patch on the kernel or driver code.
  312. Arguments:
  314. PatchHandle - Supplies the handle for the patch module.
  316. ImageBaseAddress - Supplies the base address for the patch module. Note
  317. that the contents of the patch image include the
  318. names of the target drivers to be patched.
  320. PatchFlags - Supplies the flags for the patch being applied.
  322. Return Value:
  324. NTSTATUS.
  326. Environment:
  328. Kernel mode. Normal APCs disabled (system load mutant is held).
  330. --*/
  332. {
  333. PHOTPATCH_HEADER Patch;
  334. PRTL_PATCH_HEADER RtlPatchData;
  335. PKLDR_DATA_TABLE_ENTRY DataTableEntry = NULL;
  336. NTSTATUS Status;
  337. LOGICAL FirstLoad;
  338. PVOID KernelMappedAddress;
  339. PVOID KernelLockVariable;
  340. PLIST_ENTRY Next;
  342. Patch = RtlGetHotpatchHeader(ImageBaseAddress);
  344. if (Patch == NULL) {
  346. return (ULONG)STATUS_INVALID_IMAGE_FORMAT;
  347. }
  349. //
  350. // The caller loaded the patch driver (if it was not already loaded).
  351. //
  352. // Check whether the patch has *EVER* been applied. It's only in the
  353. // list if it has. This means being in the list says it may be active
  354. // OR inactive right now.
  355. //
  357. RtlPatchData = RtlFindRtlPatchHeader (&MiHotPatchList, PatchHandle);
  359. if (RtlPatchData == NULL) {
  361. if (!(PatchFlags & FLG_HOTPATCH_ACTIVE)) {
  363. return STATUS_NOT_SUPPORTED;
  364. }
  366. Status = RtlCreateHotPatch (&RtlPatchData, Patch, PatchHandle, PatchFlags);
  368. if (!NT_SUCCESS(Status)) {
  370. return Status;
  371. }
  373. //
  374. // Walk the table entry list to find the target driver that needs to
  375. // be patched.
  376. //
  378. ExAcquireResourceExclusiveLite (&PsLoadedModuleResource, TRUE);
  380. Next = PsLoadedModuleList.Flink;
  382. for ( ; Next != &PsLoadedModuleList; Next = Next->Flink) {
  384. DataTableEntry = CONTAINING_RECORD (Next,
  385. KLDR_DATA_TABLE_ENTRY,
  386. InLoadOrderLinks);
  388. //
  389. // Skip the session images because they are generally copy on
  390. // write (barring address collisions) and will need a different
  391. // mechanism to update.
  392. //
  394. if (MI_IS_SESSION_IMAGE_ADDRESS (DataTableEntry->DllBase)) {
  395. continue;
  396. }
  398. if (RtlpIsSameImage(RtlPatchData, DataTableEntry)) {
  400. break;
  401. }
  402. }
  404. ExReleaseResourceLite (&PsLoadedModuleResource);
  406. //
  407. // The target DLL is not loaded, just return the status.
  408. //
  410. if (RtlPatchData->TargetDllBase == NULL) {
  412. RtlFreeHotPatchData(RtlPatchData);
  413. return STATUS_DLL_NOT_FOUND;
  414. }
  416. //
  417. // Create the new rtl patch structure here.
  418. // This requires some relocation info to be processed,
  419. // so we need to allow write access to the patch DLL.
  420. //
  422. Status = ExLockUserBuffer ((PVOID)PatchHandle->DllBase,
  423. PatchHandle->SizeOfImage,
  424. KernelMode,
  425. IoWriteAccess,
  426. &KernelMappedAddress,
  427. &KernelLockVariable);
  429. if (!NT_SUCCESS(Status)) {
  430. RtlFreeHotPatchData(RtlPatchData);
  431. return Status;
  432. }
  434. Status = RtlInitializeHotPatch( RtlPatchData,
  435. (ULONG_PTR)KernelMappedAddress - (ULONG_PTR)PatchHandle->DllBase);
  437. //
  438. // Release the locked pages and system PTE alternate address.
  439. //
  441. ExUnlockUserBuffer (KernelLockVariable);
  443. if (!NT_SUCCESS(Status)) {
  444. RtlFreeHotPatchData(RtlPatchData);
  445. return Status;
  446. }
  448. FirstLoad = TRUE;
  449. }
  450. else {
  452. //
  453. // The patch has already been applied. It may currently be enabled
  454. // OR disabled. We allow changing the state, as well as reapplying
  455. // if the previous call failed for some code paths.
  456. //
  458. FirstLoad = FALSE;
  460. if (((PatchFlags ^ RtlPatchData->CodeInfo->Flags) & FLG_HOTPATCH_ACTIVE) == 0) {
  462. return STATUS_NOT_SUPPORTED;
  463. }
  465. //
  466. // Rebuild the hook information, if the hotpatch was not active
  467. //
  469. if ((RtlPatchData->CodeInfo->Flags & FLG_HOTPATCH_ACTIVE) == 0) {
  471. Status = RtlReadHookInformation( RtlPatchData );
  473. if (!NT_SUCCESS(Status)) {
  475. return Status;
  476. }
  477. }
  478. }
  480. Status = MmLockAndCopyMemory (RtlPatchData->CodeInfo, KernelMode);
  482. if (NT_SUCCESS (Status)) {
  484. //
  485. // Add the patch to the driver's loader entry the first time
  486. // this patch is loaded.
  487. //
  489. if (FirstLoad == TRUE) {
  491. if (DataTableEntry->PatchInformation != NULL) {
  493. //
  494. // Push the new patch on the existing list.
  495. //
  497. RtlPatchData->NextPatch = (PRTL_PATCH_HEADER) DataTableEntry->PatchInformation;
  498. }
  499. else {
  501. //
  502. // First time the target driver has gotten any patch.
  503. // Fall through.
  504. //
  505. }
  507. DataTableEntry->PatchInformation = RtlPatchData;
  509. InsertTailList (&MiHotPatchList, &RtlPatchData->PatchList);
  510. }
  511. }
  512. else {
  513. if (FirstLoad == TRUE) {
  514. RtlFreeHotPatchData (RtlPatchData);
  515. }
  516. }
  518. return Status;
  519. }
  522. NTSTATUS
  523. MmHotPatchRoutine (
  524. IN PSYSTEM_HOTPATCH_CODE_INFORMATION KernelPatchInfo
  525. )
  527. /*++
  529. Routine Description:
  531. This is the main routine responsible for kernel hotpatching.
  532. It loads the patch module in memory, initializes the patch information
  533. and finally applies the fixups to the existing code.
  535. NOTE: This function assumes that the KernelPatchInfo structure is properly
  536. captured and validated
  538. Arguments:
  540. KernelPatchInfo - Supplies a pointer to a kernel buffer containing
  541. the image name of the patch.
  543. Return Value:
  545. NTSTATUS.
  547. Environment:
  549. Kernel mode. PASSIVE_LEVEL on entry.
  551. --*/
  553. {
  554. NTSTATUS Status;
  555. NTSTATUS PatchStatus;
  556. ULONG PatchFlags;
  557. PVOID ImageBaseAddress;
  558. PVOID ImageHandle;
  559. UNICODE_STRING PatchImageName;
  560. PKTHREAD CurrentThread;
  562. ASSERT (KeGetCurrentIrql () == PASSIVE_LEVEL);
  564. PatchImageName.Buffer = (PWCHAR)((PUCHAR)KernelPatchInfo + KernelPatchInfo->KernelInfo.NameOffset);
  565. PatchImageName.Length = KernelPatchInfo->KernelInfo.NameLength;
  566. PatchImageName.MaximumLength = PatchImageName.Length;
  567. PatchFlags = KernelPatchInfo->Flags;
  569. CurrentThread = KeGetCurrentThread ();
  571. KeEnterCriticalRegionThread (CurrentThread);
  573. //
  574. // Acquire the loader mutant because we may discover the patch we are
  575. // trying to load is already loaded. And we want to prevent it from
  576. // being unloaded while we are using it.
  577. //
  579. KeWaitForSingleObject (&MmSystemLoadLock,
  580. WrVirtualMemory,
  581. KernelMode,
  582. FALSE,
  583. (PLARGE_INTEGER)NULL);
  585. Status = MmLoadSystemImage (&PatchImageName,
  586. NULL,
  587. NULL,
  588. 0,
  589. &ImageHandle,
  590. &ImageBaseAddress);
  592. if (NT_SUCCESS (Status) || (Status == STATUS_IMAGE_ALREADY_LOADED)) {
  594. PatchStatus = MiPerformHotPatch (ImageHandle,
  595. ImageBaseAddress,
  596. PatchFlags);
  598. if ((!NT_SUCCESS (PatchStatus)) &&
  599. (Status != STATUS_IMAGE_ALREADY_LOADED)) {
  601. //
  602. // Unload the patch DLL if applying the hotpatch failed and
  603. // we were the initial (and only) load of the patch DLL.
  604. //
  606. MmUnloadSystemImage (ImageHandle);
  607. }
  609. Status = PatchStatus;
  610. }
  612. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  613. KeLeaveCriticalRegionThread (CurrentThread);
  615. return Status;
  616. }
  618. VOID
  619. MiRundownHotpatchList (
  620. IN PRTL_PATCH_HEADER PatchHead
  621. )
  623. /*++
  625. Routine Description:
  627. The function walks the hotpatch list and unloads each patch module and
  628. free all data.
  630. Arguments:
  632. PatchHead - Supplies a pointer to the head of the patch list.
  634. Return Value:
  636. NTSTATUS.
  638. Environment:
  640. Kernel mode. System load lock held with APCs disabled.
  642. --*/
  644. {
  645. PRTL_PATCH_HEADER CrtPatch;
  647. SYSLOAD_LOCK_OWNED_BY_ME ();
  649. while (PatchHead) {
  651. CrtPatch = PatchHead;
  653. PatchHead = PatchHead->NextPatch;
  655. RemoveEntryList (&CrtPatch->PatchList);
  657. //
  658. // Unload all instances for this DLL.
  659. //
  661. if (CrtPatch->PatchLdrDataTableEntry) {
  663. MmUnloadSystemImage (CrtPatch->PatchLdrDataTableEntry);
  664. }
  666. RtlFreeHotPatchData (CrtPatch);
  667. }
  669. return;
  670. }