archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/base/win32/verifier/thread.c

694 lines
19 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) Microsoft Corporation. All rights reserved.
  5. Module Name:
  7. thread.c
  9. Abstract:
  11. This module implements verification functions for thread interfaces.
  13. Author:
  15. Silviu Calinoiu (SilviuC) 22-Feb-2001
  17. Revision History:
  19. Daniel Mihai (DMihai) 25-Apr-2002
  21. Hook thread pool and WMI threads.
  22. --*/
  24. #include "pch.h"
  26. #include "verifier.h"
  27. #include "support.h"
  28. #include "logging.h"
  29. #include "tracker.h"
  31. //
  32. // Why do we hook Exit/TerminateThread instead of NtTerminateThread?
  33. //
  34. // Because kernel32 calls NtTerminateThread in legitimate contexts.
  35. // After all this is the implementation for Exit/TerminateThread.
  36. // It would be difficult to discriminate good calls from bad calls.
  37. // So we prefer to intercept Exit/Thread and returns from thread
  38. // functions.
  39. //
  41. //
  42. // Standard function used for hooking a thread function.
  43. //
  45. DWORD
  46. WINAPI
  47. AVrfpStandardThreadFunction (
  48. LPVOID Info
  49. );
  51. //
  52. // Common point to check for thread termination.
  53. //
  55. VOID
  56. AVrfpCheckThreadTermination (
  57. HANDLE Thread
  58. );
  60. VOID
  61. AVrfpCheckCurrentThreadTermination (
  62. VOID
  63. );
  65. /////////////////////////////////////////////////////////////////////
  66. /////////////////////////////////////////////////////////////////////
  67. /////////////////////////////////////////////////////////////////////
  69. //WINBASEAPI
  70. DECLSPEC_NORETURN
  71. VOID
  72. WINAPI
  73. AVrfpExitProcess(
  74. IN UINT uExitCode
  75. )
  76. {
  77. typedef VOID (WINAPI * FUNCTION_TYPE) (UINT);
  78. FUNCTION_TYPE Function;
  80. Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpKernel32Thunks,
  81. AVRF_INDEX_KERNEL32_EXITPROCESS);
  83. //
  84. // Check out if there are other threads running while ExitProcess
  85. // gets called. This can cause problems because the threads are
  86. // terminated unconditionally and then ExitProcess() calls
  87. // LdrShutdownProcess() which will try to notify all DLLs to cleanup.
  88. // During cleanup any number of operations can happen that will result
  89. // in deadlocks since all those threads have been terminated
  90. // unconditionally
  91. //
  92. #if 0
  93. if ((AVrfpProvider.VerifierFlags & RTL_VRF_FLG_DANGEROUS_APIS) != 0) {
  95. PCHAR InfoBuffer;
  96. ULONG RequiredLength = 0;
  97. ULONG NumberOfThreads;
  98. ULONG EntryOffset;
  99. PSYSTEM_PROCESS_INFORMATION ProcessInfo;
  100. NTSTATUS Status;
  102. Status = NtQuerySystemInformation (SystemProcessInformation,
  103. NULL,
  104. 0,
  105. &RequiredLength);
  107. if (Status == STATUS_INFO_LENGTH_MISMATCH && RequiredLength != 0) {
  109. InfoBuffer = AVrfpAllocate (RequiredLength);
  111. if (InfoBuffer) {
  113. //
  114. // Note that the RequiredLength is not 100% guaranteed to be good
  115. // since in between the two query calls several other processes
  116. // may have been created. If this is the case we bail out and skip
  117. // the verification.
  118. //
  120. Status = NtQuerySystemInformation (SystemProcessInformation,
  121. InfoBuffer,
  122. RequiredLength,
  123. NULL);
  125. if (NT_SUCCESS(Status)) {
  127. EntryOffset = 0;
  128. NumberOfThreads = 0;
  130. do {
  131. ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)&InfoBuffer[EntryOffset];
  133. if (ProcessInfo->UniqueProcessId == NtCurrentTeb()->ClientId.UniqueProcess) {
  134. NumberOfThreads = ProcessInfo->NumberOfThreads;
  135. break;
  136. }
  138. EntryOffset += ProcessInfo->NextEntryOffset;
  140. } while(ProcessInfo->NextEntryOffset != 0);
  142. ASSERT (NumberOfThreads > 0);
  144. if (NumberOfThreads > 1) {
  146. VERIFIER_STOP (APPLICATION_VERIFIER_INVALID_EXIT_PROCESS_CALL | APPLICATION_VERIFIER_NO_BREAK,
  147. "ExitProcess() called while multiple threads are running",
  148. NumberOfThreads, "Number of threads running",
  149. 0, NULL, 0, NULL, 0, NULL);
  151. }
  152. }
  153. else {
  155. DbgPrint ("AVRF: NtQuerySystemInformation(SystemProcessInformation) "
  156. "failed with %X \n",
  157. Status);
  159. }
  161. //
  162. // We are done with the buffer. Time to free it.
  163. //
  165. AVrfpFree (InfoBuffer);
  166. }
  167. }
  168. else {
  170. DbgPrint ("AVRF: NtQuerySystemInformation(SystemProcessInformation, null) "
  171. "failed with %X \n",
  172. Status);
  174. }
  175. }
  176. #endif // #if 0
  178. //
  179. // Make a note of who called ExitProcess(). This can be helpful for debugging
  180. // weird process shutdown hangs.
  181. //
  183. AVrfLogInTracker (AVrfThreadTracker,
  184. TRACK_EXIT_PROCESS,
  185. (PVOID)(ULONG_PTR)uExitCode,
  186. NULL, NULL, NULL, _ReturnAddress());
  188. //
  189. // Call the real thing.
  190. //
  192. (* Function)(uExitCode);
  194. }
  196. //WINBASEAPI
  197. DECLSPEC_NORETURN
  198. VOID
  199. WINAPI
  200. AVrfpExitThread(
  201. IN DWORD dwExitCode
  202. )
  203. {
  204. typedef VOID (WINAPI * FUNCTION_TYPE) (DWORD);
  205. FUNCTION_TYPE Function;
  206. PAVRF_THREAD_ENTRY Entry;
  208. Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpKernel32Thunks,
  209. AVRF_INDEX_KERNEL32_EXITTHREAD);
  211. //
  212. // Perform all typical checks for a thread that will exit.
  213. //
  215. AVrfpCheckCurrentThreadTermination ();
  217. //
  218. // Before calling the real ExitThread we need to free the thread
  219. // entry from the thread table.
  220. //
  222. Entry = AVrfpThreadTableSearchEntry (NtCurrentTeb()->ClientId.UniqueThread);
  224. //
  225. // N.B. It is possible to not find an entry in the thread table if the
  226. // thread was not created using CreateThread but rather some more
  227. // basic function from ntdll.dll.
  228. //
  230. if (Entry != NULL) {
  232. AVrfpThreadTableRemoveEntry (Entry);
  233. AVrfpFree (Entry);
  234. }
  236. //
  237. // Call the real thing.
  238. //
  240. (* Function)(dwExitCode);
  241. }
  244. //WINBASEAPI
  245. DECLSPEC_NORETURN
  246. VOID
  247. WINAPI
  248. AVrfpFreeLibraryAndExitThread(
  249. IN HMODULE hLibModule,
  250. IN DWORD dwExitCode
  251. )
  252. {
  253. typedef VOID (WINAPI * FUNCTION_TYPE) (HMODULE, DWORD);
  254. FUNCTION_TYPE Function;
  255. PAVRF_THREAD_ENTRY Entry;
  257. Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpKernel32Thunks,
  258. AVRF_INDEX_KERNEL32_FREELIBRARYANDEXITTHREAD);
  260. //
  261. // Perform all typical checks for a thread that will exit.
  262. //
  264. AVrfpCheckCurrentThreadTermination ();
  266. //
  267. // Before calling the real FreeLibraryAndExitThread we need to free the thread
  268. // entry from the thread table.
  269. //
  271. Entry = AVrfpThreadTableSearchEntry (NtCurrentTeb()->ClientId.UniqueThread);
  273. //
  274. // N.B. It is possible to not find an entry in the thread table if the
  275. // thread was not created using CreateThread but rather some more
  276. // basic function from ntdll.dll.
  277. //
  279. if (Entry != NULL) {
  281. AVrfpThreadTableRemoveEntry (Entry);
  282. AVrfpFree (Entry);
  283. }
  285. //
  286. // Call the real thing.
  287. //
  289. (* Function)(hLibModule, dwExitCode);
  290. }
  293. /////////////////////////////////////////////////////////////////////
  294. /////////////////////////////////// Terminate thread / Suspend thread
  295. /////////////////////////////////////////////////////////////////////
  297. //WINBASEAPI
  298. BOOL
  299. WINAPI
  300. AVrfpTerminateThread(
  301. IN OUT HANDLE hThread,
  302. IN DWORD dwExitCode
  303. )
  304. {
  305. typedef BOOL (WINAPI * FUNCTION_TYPE) (HANDLE, DWORD);
  306. FUNCTION_TYPE Function;
  308. Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpKernel32Thunks,
  309. AVRF_INDEX_KERNEL32_TERMINATETHREAD);
  311. //
  312. // Keep track of who calls TerminateThread() even if we are going to break
  313. // for it. This helps investigations of deadlocked processes that have run
  314. // without the dangerous_apis check enabled.
  315. //
  317. AVrfLogInTracker (AVrfThreadTracker,
  318. TRACK_TERMINATE_THREAD,
  319. hThread,
  320. NULL, NULL, NULL, _ReturnAddress());
  322. //
  323. // Perform all typical checks for a thread that will exit.
  324. //
  326. AVrfpCheckThreadTermination (hThread);
  328. //
  329. // This API should not be called. We need to report this.
  330. // This is useful if we did not detect any orphans but we still want
  331. // to complain.
  332. //
  334. if ((AVrfpProvider.VerifierFlags & RTL_VRF_FLG_DANGEROUS_APIS) != 0) {
  336. VERIFIER_STOP (APPLICATION_VERIFIER_TERMINATE_THREAD_CALL | APPLICATION_VERIFIER_CONTINUABLE_BREAK,
  337. "TerminateThread() called. This function should not be used.",
  338. NtCurrentTeb()->ClientId.UniqueThread, "Caller thread ID",
  339. 0, NULL, 0, NULL, 0, NULL);
  340. }
  342. return (* Function)(hThread, dwExitCode);
  343. }
  345. /////////////////////////////////////////////////////////////////////
  346. /////////////////////////////////////////////////////////////////////
  347. /////////////////////////////////////////////////////////////////////
  349. //WINBASEAPI
  350. DWORD
  351. WINAPI
  352. AVrfpSuspendThread(
  353. IN HANDLE hThread
  354. )
  355. {
  356. typedef DWORD (WINAPI * FUNCTION_TYPE) (HANDLE);
  357. FUNCTION_TYPE Function;
  359. Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpKernel32Thunks,
  360. AVRF_INDEX_KERNEL32_SUSPENDTHREAD);
  362. //
  363. // Keep track of who calls SuspendThread() even if we are not going to break
  364. // for it. This helps investigations of deadlocked processes.
  365. //
  367. AVrfLogInTracker (AVrfThreadTracker,
  368. TRACK_SUSPEND_THREAD,
  369. hThread,
  370. NULL, NULL, NULL, _ReturnAddress());
  372. //
  373. // One might think that we can check for orphan locks at this point
  374. // by calling RtlCheckForOrphanedCriticalSections(hThread).
  375. // Unfortunately this cannot be done because garbage collectors
  376. // for various virtual machines (Java, C#) can do this in valid
  377. // conditions.
  378. //
  380. return (* Function)(hThread);
  381. }
  383. /////////////////////////////////////////////////////////////////////
  384. /////////////////////////////////////////////////////////////////////
  385. /////////////////////////////////////////////////////////////////////
  387. //WINBASEAPI
  388. HANDLE
  389. WINAPI
  390. AVrfpCreateThread(
  391. IN LPSECURITY_ATTRIBUTES lpThreadAttributes,
  392. IN SIZE_T dwStackSize,
  393. IN LPTHREAD_START_ROUTINE lpStartAddress,
  394. IN LPVOID lpParameter,
  395. IN DWORD dwCreationFlags,
  396. OUT LPDWORD lpThreadId
  397. )
  398. /*++
  400. CreateThread hook
  402. --*/
  403. {
  404. typedef HANDLE (WINAPI * FUNCTION_TYPE) (LPSECURITY_ATTRIBUTES,
  405. SIZE_T,
  406. LPTHREAD_START_ROUTINE,
  407. LPVOID,
  408. DWORD,
  409. LPDWORD);
  410. FUNCTION_TYPE Function;
  411. HANDLE Result;
  412. PAVRF_THREAD_ENTRY Info;
  414. Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpKernel32Thunks,
  415. AVRF_INDEX_KERNEL32_CREATETHREAD);
  417. Info = AVrfpAllocate (sizeof *Info);
  419. if (Info == NULL) {
  421. NtCurrentTeb()->LastErrorValue = ERROR_NOT_ENOUGH_MEMORY;
  422. return NULL;
  423. }
  425. Info->Parameter = lpParameter;
  426. Info->Function = lpStartAddress;
  427. Info->ParentThreadId = NtCurrentTeb()->ClientId.UniqueThread;
  428. Info->StackSize = dwStackSize;
  429. Info->CreationFlags = dwCreationFlags;
  431. Result = (* Function) (lpThreadAttributes,
  432. dwStackSize,
  433. AVrfpStandardThreadFunction,
  434. (PVOID)Info,
  435. dwCreationFlags,
  436. lpThreadId);
  438. if (Result == FALSE) {
  440. AVrfpFree (Info);
  441. }
  443. return Result;
  444. }
  447. ULONG
  448. AVrfpThreadFunctionExceptionFilter (
  449. ULONG ExceptionCode,
  450. PVOID ExceptionRecord
  451. )
  452. {
  453. //
  454. // Skip timeout exceptions because they are dealt with in
  455. // the default exception handler.
  456. //
  458. if (ExceptionCode == STATUS_POSSIBLE_DEADLOCK) {
  459. return EXCEPTION_CONTINUE_SEARCH;
  460. }
  462. //
  463. // Skip breakpoint exceptions raised within thread functions.
  464. //
  466. if (ExceptionCode == STATUS_BREAKPOINT) {
  467. return EXCEPTION_CONTINUE_SEARCH;
  468. }
  470. VERIFIER_STOP (APPLICATION_VERIFIER_UNEXPECTED_EXCEPTION | APPLICATION_VERIFIER_CONTINUABLE_BREAK,
  471. "unexpected exception raised in thread function",
  472. ExceptionCode, "Exception code.",
  473. ((PEXCEPTION_POINTERS)ExceptionRecord)->ExceptionRecord, "Exception record. Use .exr to display it.",
  474. ((PEXCEPTION_POINTERS)ExceptionRecord)->ContextRecord, "Context record. Use .cxr to display it.",
  475. 0, "");
  477. //
  478. // After we issued a verifier stop, if we decide to continue then
  479. // we need to look for the next exception handler.
  480. //
  482. return EXCEPTION_CONTINUE_SEARCH;
  483. }
  486. DWORD
  487. WINAPI
  488. AVrfpStandardThreadFunction (
  489. LPVOID Context
  490. )
  491. {
  492. PAVRF_THREAD_ENTRY Info = (PAVRF_THREAD_ENTRY)Context;
  493. DWORD Result;
  494. PAVRF_THREAD_ENTRY SearchEntry;
  496. //
  497. // The initialization below matters only in case the thread function raises
  498. // an access violation. In most cases this will terminate the entire
  499. // process.
  500. //
  502. Result = 0;
  504. try {
  506. //
  507. // Add the thread entry to the thread table.
  508. //
  510. Info->Id = NtCurrentTeb()->ClientId.UniqueThread;
  511. AVrfpThreadTableAddEntry (Info);
  513. //
  514. // Call the real thing.
  515. //
  517. Result = (Info->Function)(Info->Parameter);
  518. }
  519. except (AVrfpThreadFunctionExceptionFilter (_exception_code(), _exception_info())) {
  521. //
  522. // Nothing.
  523. //
  524. }
  526. //
  527. // Perform all typical checks for a thread that has just finished.
  528. //
  530. AVrfpCheckCurrentThreadTermination ();
  532. //
  533. // The thread entry should be `Info' but we will search it in the thread
  534. // table nevertheless because there is a case when they can be different.
  535. // This happens if fibers are used and a fiber starts in one thread and
  536. // exits in another one. It is not clear if this is a safe programming
  537. // practice but it is not rejected by current implementation and
  538. // documentation.
  539. //
  541. SearchEntry = AVrfpThreadTableSearchEntry (NtCurrentTeb()->ClientId.UniqueThread);
  543. if (SearchEntry != NULL) {
  545. AVrfpThreadTableRemoveEntry (SearchEntry);
  546. AVrfpFree (SearchEntry);
  547. }
  549. return Result;
  550. }
  552. /////////////////////////////////////////////////////////////////////
  553. ///////////////////////////////////////////// thread pool thread hook
  554. /////////////////////////////////////////////////////////////////////
  556. PRTLP_START_THREAD AVrfpBaseCreateThreadPoolThreadOriginal;
  557. PRTLP_EXIT_THREAD AVrfpBaseExitThreadPoolThreadOriginal;
  559. NTSTATUS
  560. NTAPI
  561. AVrfpBaseCreateThreadPoolThread(
  562. PUSER_THREAD_START_ROUTINE Function,
  563. PVOID Parameter,
  564. HANDLE * ThreadHandleReturn
  565. )
  566. {
  567. PAVRF_THREAD_ENTRY Info;
  568. PTEB Teb;
  569. NTSTATUS Status = STATUS_SUCCESS;
  571. Teb = NtCurrentTeb();
  573. Info = AVrfpAllocate (sizeof *Info);
  575. if (Info == NULL) {
  577. Status = STATUS_NO_MEMORY;
  578. goto Done;
  579. }
  581. Info->Parameter = Parameter;
  582. Info->Function = (PTHREAD_START_ROUTINE)Function;
  583. Info->ParentThreadId = Teb->ClientId.UniqueThread;
  585. Status = (*AVrfpBaseCreateThreadPoolThreadOriginal) ((PUSER_THREAD_START_ROUTINE)AVrfpStandardThreadFunction,
  586. Info,
  587. ThreadHandleReturn);
  589. Done:
  591. if (!NT_SUCCESS(Status)) {
  593. if (Info != NULL) {
  595. AVrfpFree (Info);
  596. }
  598. Teb->LastStatusValue = Status;
  599. }
  601. return Status;
  602. }
  604. NTSTATUS
  605. NTAPI
  606. AVrfpBaseExitThreadPoolThread(
  607. NTSTATUS Status
  608. )
  609. {
  610. PAVRF_THREAD_ENTRY Entry;
  612. //
  613. // Perform all typical checks for a thread that will exit.
  614. //
  616. AVrfpCheckCurrentThreadTermination ();
  618. //
  619. // Before calling the real ExitThread we need to free the thread
  620. // entry from the thread table.
  621. //
  623. Entry = AVrfpThreadTableSearchEntry (NtCurrentTeb()->ClientId.UniqueThread);
  625. if (Entry != NULL) {
  627. AVrfpThreadTableRemoveEntry (Entry);
  628. AVrfpFree (Entry);
  629. }
  631. //
  632. // Call the real thing.
  633. //
  635. return (*AVrfpBaseExitThreadPoolThreadOriginal) (Status);
  636. }
  639. NTSTATUS
  640. NTAPI
  641. AVrfpRtlSetThreadPoolStartFunc(
  642. PRTLP_START_THREAD StartFunc,
  643. PRTLP_EXIT_THREAD ExitFunc
  644. )
  645. {
  646. //
  647. // Save the original thread pool start and exit functions.
  648. //
  650. AVrfpBaseCreateThreadPoolThreadOriginal = StartFunc;
  651. AVrfpBaseExitThreadPoolThreadOriginal = ExitFunc;
  653. //
  654. // Hook the thread pool start and exit functions to our private version.
  655. //
  657. return RtlSetThreadPoolStartFunc (AVrfpBaseCreateThreadPoolThread,
  658. AVrfpBaseExitThreadPoolThread);
  659. }
  661. /////////////////////////////////////////////////////////////////////
  662. /////////////////////////////////////////////////////////////////////
  663. /////////////////////////////////////////////////////////////////////
  665. VOID
  666. AVrfpCheckThreadTermination (
  667. HANDLE Thread
  668. )
  669. {
  670. //
  671. // Traverse the list of critical sections and look for any that
  672. // have issues (double initialized, corrupted, etc.). The function
  673. // will also break for locks abandoned (owned by the thread just
  674. // about to terminate).
  675. //
  677. RtlCheckForOrphanedCriticalSections (Thread);
  678. }
  680. VOID
  681. AVrfpCheckCurrentThreadTermination (
  682. VOID
  683. )
  684. {
  685. PAVRF_TLS_STRUCT TlsStruct;
  687. TlsStruct = AVrfpGetVerifierTlsValue();
  689. if (TlsStruct != NULL && TlsStruct->CountOfOwnedCriticalSections > 0) {
  691. AVrfpCheckThreadTermination (NtCurrentThread());
  692. }
  693. }