/*++ Copyright (c) 1999 Microsoft Corporation Module Name: altperm.c Abstract: This module contains the routines to support 4K pages on IA64. An alternate set of permissions is kept that are on 4K boundaries. Permissions are kept for all memory, not just split pages and the information is updated on any call to NtVirtualProtect() and NtAllocateVirtualMemory(). Author: Koichi Yamada 18-Aug-1998 Landy Wang (landyw) 02-June-1997 Revision History: --*/ #include "mi.h" #if defined(_MIALT4K_) ULONG MiFindProtectionForNativePte ( PVOID VirtualAddress ); VOID MiResetAccessBitForNativePtes ( IN PVOID StartVirtual, IN PVOID EndVirtual, IN PEPROCESS Process ); LOGICAL MiIsSplitPage ( IN PVOID Virtual ); VOID MiCheckDemandZeroCopyOnWriteFor4kPage ( PVOID VirtualAddress, PEPROCESS Process ); LOGICAL MiIsNativeGuardPage ( IN PVOID VirtualAddress ); VOID MiSetNativePteProtection ( IN PVOID VirtualAddress, IN ULONGLONG NewPteProtection, IN LOGICAL PageIsSplit, IN PEPROCESS CurrentProcess ); VOID MiSyncAltPte ( IN PVOID VirtualAddress ); extern PMMPTE MmPteHit; #if defined (_MI_DEBUG_ALTPTE) typedef struct _MI_ALTPTE_TRACES { PETHREAD Thread; PMMPTE PointerPte; MMPTE PteContents; MMPTE NewPteContents; PVOID Caller; PVOID CallersCaller; PVOID Temp[2]; } MI_ALTPTE_TRACES, *PMI_ALTPTE_TRACES; #define MI_ALTPTE_TRACE_SIZE 0x1000 VOID FORCEINLINE MiSnapAltPte ( IN PMMPTE PointerPte, IN MMPTE NewValue, IN ULONG Id ) { ULONG Index; SIZE_T NumberOfBytes; PMI_ALTPTE_TRACES Information; PVOID HighestUserAddress; PLONG IndexPointer; PMI_ALTPTE_TRACES TablePointer; PWOW64_PROCESS Wow64Process; HighestUserAddress = MiGetVirtualAddressMappedByPte (MmWorkingSetList->HighestUserPte); ASSERT (HighestUserAddress <= (PVOID) _4gb); NumberOfBytes = ((ULONG_PTR)HighestUserAddress >> PTI_SHIFT) / 8; Wow64Process = PsGetCurrentProcess()->Wow64Process; ASSERT (Wow64Process != NULL); IndexPointer = (PLONG) ((PCHAR) Wow64Process->AltPermBitmap + NumberOfBytes); TablePointer = (PMI_ALTPTE_TRACES)IndexPointer + 1; Index = InterlockedIncrement (IndexPointer); Index &= (MI_ALTPTE_TRACE_SIZE - 1); Information = &TablePointer[Index]; Information->Thread = PsGetCurrentThread (); Information->PteContents = *PointerPte; Information->NewPteContents = NewValue; Information->PointerPte = PointerPte; #if 1 Information->Caller = MiGetInstructionPointer (); #else // Ip generates link (not compile) errors Information->Caller = (PVOID) __getReg (CV_IA64_Ip); // StIIp generates no compiler or link errors, but bugcheck 3Bs on the // execution of the actual generated mov r19=cr.iip instruction. Information->Caller = (PVOID) __getReg (CV_IA64_StIIP); #endif Information->Temp[0] = (PVOID) (ULONG_PTR) Id; Information->CallersCaller = (PVOID) _ReturnAddress (); } #define MI_ALTPTE_TRACKING_BYTES ((MI_ALTPTE_TRACE_SIZE + 1) * sizeof (MI_ALTPTE_TRACES)) #define MI_LOG_ALTPTE_CHANGE(_PointerPte, _PteContents, Id) MiSnapAltPte(_PointerPte, _PteContents, Id) #else #define MI_ALTPTE_TRACKING_BYTES 0 #define MI_LOG_ALTPTE_CHANGE(_PointerPte, _PteContents, Id) #endif #define MI_WRITE_ALTPTE(PointerAltPte, AltPteContents, Id) { \ MI_LOG_ALTPTE_CHANGE (PointerAltPte, AltPteContents, Id); \ (PointerAltPte)->u.Long = AltPteContents.u.Long; \ } #if defined (_MI_DEBUG_PTE) && defined (_MI_DEBUG_ALTPTE) VOID MiLogPteInAltTrace ( IN PVOID InputNativeInformation ) { ULONG Index; SIZE_T NumberOfBytes; PMI_ALTPTE_TRACES Information; PVOID HighestUserAddress; PLONG IndexPointer; PMI_ALTPTE_TRACES TablePointer; PWOW64_PROCESS Wow64Process; PMI_PTE_TRACES NativeInformation; NativeInformation = (PMI_PTE_TRACES) InputNativeInformation; if (PsGetCurrentProcess()->Peb == NULL) { // // Don't log PTE traces during process creation if the altperm // bitmap pool allocation hasn't been done yet (the EPROCESS // Wow64Process pointer is already initialized) ! // return; } if (PsGetCurrentProcess()->VmDeleted == 1) { // // Don't log PTE traces during process deletion as the altperm // bitmap pool allocation may have already been freed ! // return; } HighestUserAddress = MiGetVirtualAddressMappedByPte (MmWorkingSetList->HighestUserPte); ASSERT (HighestUserAddress <= (PVOID) _4gb); NumberOfBytes = ((ULONG_PTR)HighestUserAddress >> PTI_SHIFT) / 8; Wow64Process = PsGetCurrentProcess()->Wow64Process; ASSERT (Wow64Process != NULL); IndexPointer = (PLONG) ((PCHAR) Wow64Process->AltPermBitmap + NumberOfBytes); TablePointer = (PMI_ALTPTE_TRACES)IndexPointer + 1; Index = InterlockedIncrement (IndexPointer); Index &= (MI_ALTPTE_TRACE_SIZE - 1); Information = &TablePointer[Index]; Information->Thread = NativeInformation->Thread; Information->PteContents = NativeInformation->PteContents; Information->NewPteContents = NativeInformation->NewPteContents; Information->PointerPte = NativeInformation->PointerPte; Information->Caller = NativeInformation->StackTrace[0]; Information->CallersCaller = NativeInformation->StackTrace[1]; Information->Temp[0] = (PVOID) (ULONG_PTR) -1; } #endif NTSTATUS MmX86Fault ( IN ULONG_PTR FaultStatus, IN PVOID VirtualAddress, IN KPROCESSOR_MODE PreviousMode, IN PVOID TrapInformation ) /*++ Routine Description: This function is called by the kernel on data or instruction access faults if CurrentProcess->Wow64Process is non-NULL and the faulting address is within the 32-bit user address space. This routine determines the type of fault by checking the alternate 4Kb granular page table and calls MmAccessFault() if necessary to handle the page fault or the write fault. Arguments: FaultStatus - Supplies fault status information bits. VirtualAddress - Supplies the virtual address which caused the fault. PreviousMode - Supplies the mode (kernel or user) in which the fault occurred. TrapInformation - Opaque information about the trap, interpreted by the kernel, not Mm. Needed to allow fast interlocked access to operate correctly. Return Value: Returns the status of the fault handling operation. Can be one of: - Success. - Access Violation. - Guard Page Violation. - In-page Error. Environment: Kernel mode. --*/ { ULONG i; ULONG Waited; PMMVAD TempVad; MMPTE PteContents; PMMPTE PointerAltPte; PMMPTE PointerAltPte2; PMMPTE PointerAltPteForNativePage; MMPTE AltPteContents; PMMPTE PointerPte; PMMPTE PointerPde; ULONGLONG NewPteProtection; LOGICAL FillZero; LOGICAL PageIsSplit; LOGICAL SharedPageFault; LOGICAL NativeGuardPage; PEPROCESS CurrentProcess; PWOW64_PROCESS Wow64Process; KIRQL OldIrql; NTSTATUS status; ULONGLONG ProtectionMaskOriginal; PMMPTE ProtoPte; PMMPFN Pfn1; PVOID OriginalVirtualAddress; ULONG_PTR Vpn; PVOID ZeroAddress; PMMPTE PointerPpe; ULONG FirstProtect; ASSERT (VirtualAddress < MmWorkingSetList->HighestUserAddress); if (KeGetCurrentIrql () > APC_LEVEL) { return MmAccessFault (FaultStatus, VirtualAddress, PreviousMode, TrapInformation); } NewPteProtection = 0; FillZero = FALSE; PageIsSplit = FALSE; SharedPageFault = FALSE; NativeGuardPage = FALSE; OriginalVirtualAddress = VirtualAddress; CurrentProcess = PsGetCurrentProcess (); Wow64Process = CurrentProcess->Wow64Process; PointerPte = MiGetPteAddress (VirtualAddress); PointerAltPte = MiGetAltPteAddress (VirtualAddress); Vpn = MI_VA_TO_VPN (VirtualAddress); #if DBG if (PointerPte == MmPteHit) { DbgPrint ("MM: PTE hit at %p\n", MmPteHit); DbgBreakPoint (); } #endif // // Acquire the alternate table mutex, also blocking APCs. // LOCK_ALTERNATE_TABLE (Wow64Process); // // If a fork operation is in progress and the faulting thread // is not the thread performing the fork operation, block until // the fork is completed. // if (CurrentProcess->ForkInProgress != NULL) { UNLOCK_ALTERNATE_TABLE (Wow64Process); LOCK_WS (CurrentProcess); if (MiWaitForForkToComplete (CurrentProcess) == FALSE) { ASSERT (FALSE); } UNLOCK_WS (CurrentProcess); return STATUS_SUCCESS; } // // Check to see if the protection is registered in the alternate entry. // if (MI_CHECK_BIT (Wow64Process->AltPermBitmap, Vpn) == 0) { MiSyncAltPte (VirtualAddress); } // // Read the alternate PTE contents. // AltPteContents = *PointerAltPte; // // If the alternate PTE indicates no access for this 4K page // then deliver an access violation. // if (AltPteContents.u.Alt.NoAccess != 0) { status = STATUS_ACCESS_VIOLATION; MI_BREAK_ON_AV (VirtualAddress, 0x20); goto return_status; } // // Since we release the AltTable lock before calling MmAccessFault, // there is a chance that two threads may execute concurrently inside // MmAccessFault, which would yield bad results since the initial native // PTE for the page has only READ protection on it. So if two threads // fault on the same address, one of them will execute through all of // this routine, however the other one will just return STATUS_SUCCESS // which will cause another fault to happen in which the protections // will be fixed on the native page. // // Note that in addition to the dual thread case there is also the case // of a single thread which also has an overlapped I/O pending (for example) // which can trigger an APC completion memory copy to the same page. // Protect against this by remaining at APC_LEVEL until clearing the // inpage in progress in the alternate PTE. // if (AltPteContents.u.Alt.InPageInProgress == 1) { // // Release the Alt PTE lock // UNLOCK_ALTERNATE_TABLE (Wow64Process); // // Flush the TB as MiSetNativePteProtection may have edited the PTE. // KiFlushSingleTb (OriginalVirtualAddress); // // Delay execution so that if this is a high priority thread, // it won't starve the other thread (that's doing the actual inpage) // as it may be running at a lower priority. // KeDelayExecutionThread (KernelMode, FALSE, (PLARGE_INTEGER)&MmShortTime); return STATUS_SUCCESS; } // // Check to see if the alternate entry is empty or if anyone has made any // commitments for the shared pages. // if ((AltPteContents.u.Long == 0) || ((AltPteContents.u.Alt.Commit == 0) && (AltPteContents.u.Alt.Private == 0))) { // // If empty, get the protection information and fill the entry. // LOCK_WS (CurrentProcess); ProtoPte = MiCheckVirtualAddress (VirtualAddress, &FirstProtect, &TempVad); if (ProtoPte != NULL) { if (FirstProtect == MM_UNKNOWN_PROTECTION) { // // Ultimately this must be an address backed by a prototype // PTE in an image section (and the real PTE is currently // zero). Therefore we are guaranteed that the protection // in the prototype PTE is the correct one to use (ie: there // is no WSLE overriding it). // ASSERT (!MI_IS_PHYSICAL_ADDRESS(ProtoPte)); PointerPde = MiGetPteAddress (ProtoPte); LOCK_PFN (OldIrql); if (PointerPde->u.Hard.Valid == 0) { MiMakeSystemAddressValidPfn (ProtoPte, OldIrql); } PteContents = *ProtoPte; if (PteContents.u.Long == 0) { FirstProtect = MM_NOACCESS; } else if (PteContents.u.Hard.Valid == 1) { // // The prototype PTE is valid, get the protection from // the PFN database. // Pfn1 = MI_PFN_ELEMENT (PteContents.u.Hard.PageFrameNumber); FirstProtect = (ULONG) Pfn1->OriginalPte.u.Soft.Protection; } else { // // The prototype PTE is not valid, ie: subsection format, // demand zero, pagefile or in transition - in all cases, // the protection is in the PTE. // FirstProtect = (ULONG) PteContents.u.Soft.Protection; } UNLOCK_PFN (OldIrql); ASSERT (FirstProtect != MM_INVALID_PROTECTION); } UNLOCK_WS (CurrentProcess); if (FirstProtect == MM_INVALID_PROTECTION) { status = STATUS_ACCESS_VIOLATION; MI_BREAK_ON_AV (VirtualAddress, 0x21); goto return_status; } if (FirstProtect != MM_NOACCESS) { ProtectionMaskOriginal = MiMakeProtectionAteMask (FirstProtect); SharedPageFault = TRUE; ProtectionMaskOriginal |= MM_ATE_COMMIT; AltPteContents.u.Long = ProtectionMaskOriginal; AltPteContents.u.Alt.Protection = FirstProtect; // // Atomically update the PTE. // MI_WRITE_ALTPTE (PointerAltPte, AltPteContents, 1); } } else { UNLOCK_WS (CurrentProcess); } } if (AltPteContents.u.Alt.Commit == 0) { // // If the page is not committed, return an access violation. // status = STATUS_ACCESS_VIOLATION; MI_BREAK_ON_AV (VirtualAddress, 0x22); goto return_status; } // // Check whether the faulting page is split into 4k pages. // PointerAltPte2 = MiGetAltPteAddress (PAGE_ALIGN (VirtualAddress)); PteContents = *PointerAltPte2; PageIsSplit = FALSE; for (i = 0; i < SPLITS_PER_PAGE; i += 1) { if ((PointerAltPte2->u.Long != 0) && ((PointerAltPte2->u.Alt.Commit == 0) || (PointerAltPte2->u.Alt.Accessed == 0) || (PointerAltPte2->u.Alt.CopyOnWrite != 0) || (PointerAltPte2->u.Alt.PteIndirect != 0) || (PointerAltPte2->u.Alt.FillZero != 0))) { // // If it is a NoAccess, FillZero or Guard page, CopyOnWrite, // mark it as a split page. // PageIsSplit = TRUE; break; } if (PteContents.u.Long != PointerAltPte2->u.Long) { // // If the next 4kb page is different from the 1st 4k page // the page is split. // PageIsSplit = TRUE; break; } PointerAltPte2 += 1; } // // Get the real protection for the native PTE. // NewPteProtection = 0; PointerAltPte2 -= i; for (i = 0; i < SPLITS_PER_PAGE; i += 1) { PteContents.u.Long = PointerAltPte2->u.Long; if (PteContents.u.Alt.PteIndirect == 0) { NewPteProtection |= (PointerAltPte2->u.Long & ALT_PROTECTION_MASK); } PointerAltPte2 += 1; } PointerAltPte2 -= SPLITS_PER_PAGE; // // Set the protection for the native PTE. // MiSetNativePteProtection (VirtualAddress, NewPteProtection, PageIsSplit, CurrentProcess); // // Check the indirect PTE reference case. If so, set the protection for // the indirect PTE too. // if (AltPteContents.u.Alt.PteIndirect != 0) { PointerPte = (PMMPTE)(AltPteContents.u.Alt.PteOffset + PTE_UBASE); VirtualAddress = MiGetVirtualAddressMappedByPte (PointerPte); NewPteProtection = AltPteContents.u.Long & ALT_PROTECTION_MASK; if (AltPteContents.u.Alt.CopyOnWrite != 0) { NewPteProtection |= MM_PTE_COPY_ON_WRITE_MASK; } MiSetNativePteProtection (VirtualAddress, NewPteProtection, FALSE, CurrentProcess); } // // The faulting 4kb page must be a valid page, but we need to resolve it // on a case by case basis. // ASSERT (AltPteContents.u.Long != 0); ASSERT (AltPteContents.u.Alt.Commit != 0); if (AltPteContents.u.Alt.Accessed == 0) { // // When PointerAte->u.Hard.Accessed is zero, there are 4 possibilities: // // 1. Lowest Protection // 2. 4kb Demand Zero // 3. GUARD page fault // 4. This 4kb page is no access, but the other 4K page(s) within // the native page has accessible permissions. // if (AltPteContents.u.Alt.FillZero != 0) { // // Schedule it later. // FillZero = TRUE; } if ((AltPteContents.u.Alt.Protection & MM_GUARD_PAGE) != 0) { goto CheckGuardPage; } if (FillZero == FALSE) { // // This 4kb page has permission set to no access. // status = STATUS_ACCESS_VIOLATION; MI_BREAK_ON_AV (OriginalVirtualAddress, 0x23); goto return_status; } } if (MI_FAULT_STATUS_INDICATES_EXECUTION (FaultStatus)) { // // Execute permission is already given to IA32 by setting it in // MI_MAKE_VALID_PTE(). // } else if (MI_FAULT_STATUS_INDICATES_WRITE(FaultStatus)) { // // Check to see if this is a copy-on-write page. // if (AltPteContents.u.Alt.CopyOnWrite != 0) { // // Let MmAccessFault() perform the copy-on-write. // status = MmAccessFault (FaultStatus, VirtualAddress, PreviousMode, TrapInformation); if (NT_SUCCESS(status)) { // // Change the protection of the alternate pages for this // copy on write native page. // ASSERT (PointerAltPte2 == MiGetAltPteAddress (PAGE_ALIGN(OriginalVirtualAddress))); for (i = 0; i < SPLITS_PER_PAGE; i += 1) { AltPteContents.u.Long = PointerAltPte2->u.Long; if (AltPteContents.u.Alt.Commit != 0) { // // When a copy-on-write page is touched, the native // page will be made private by MM, so all the sub-4k // pages within the native page should be made // private (if they are committed/mapped). // AltPteContents.u.Alt.Private = 1; if (AltPteContents.u.Alt.CopyOnWrite != 0) { AltPteContents.u.Alt.CopyOnWrite = 0; AltPteContents.u.Hard.Write = 1; AltPteContents.u.Alt.Protection = MI_MAKE_PROTECT_NOT_WRITE_COPY(AltPteContents.u.Alt.Protection); } // // Atomically update the PTE. // MI_WRITE_ALTPTE (PointerAltPte2, AltPteContents, 2); } PointerAltPte2 += 1; } } goto return_status; } if (AltPteContents.u.Hard.Write == 0) { status = STATUS_ACCESS_VIOLATION; MI_BREAK_ON_AV (OriginalVirtualAddress, 0x24); goto return_status; } } CheckGuardPage: // // Indicate that we have begun updating the PTE for this page. // Subsequent faults on this native page will be restarted. // This should happen only if the PTE isn't valid. // PointerAltPteForNativePage = MiGetAltPteAddress (PAGE_ALIGN (VirtualAddress)); for (i = 0; i < SPLITS_PER_PAGE; i += 1) { AltPteContents = *PointerAltPteForNativePage; AltPteContents.u.Alt.InPageInProgress = TRUE; MI_WRITE_ALTPTE (PointerAltPteForNativePage, AltPteContents, 3); PointerAltPteForNativePage += 1; } // // Let MmAccessFault() perform an inpage, dirty-bit setting, etc. // // Release the alternate table mutex but block APCs to prevent an // incoming APC that references the same page from deadlocking this thread. // It is safe to drop allow APCs only after the in progress bit in // the alternate PTE has been cleared. // KeRaiseIrql (APC_LEVEL, &OldIrql); UNLOCK_ALTERNATE_TABLE (Wow64Process); status = MmAccessFault (FaultStatus, VirtualAddress, PreviousMode, TrapInformation); LOCK_ALTERNATE_TABLE (Wow64Process); // // This IRQL lower will have no effect since the alternate table guarded // mutex is now held again. // KeLowerIrql (OldIrql); for (i = 0; i < SPLITS_PER_PAGE; i += 1) { PointerAltPteForNativePage -= 1; AltPteContents = *PointerAltPteForNativePage; AltPteContents.u.Alt.InPageInProgress = FALSE; MI_WRITE_ALTPTE (PointerAltPteForNativePage, AltPteContents, 4); } AltPteContents = *PointerAltPte; if ((AltPteContents.u.Alt.Protection & MM_GUARD_PAGE) != 0) { AltPteContents = *PointerAltPte; AltPteContents.u.Alt.Protection &= ~MM_GUARD_PAGE; AltPteContents.u.Alt.Accessed = 1; MI_WRITE_ALTPTE (PointerAltPte, AltPteContents, 5); if ((status != STATUS_PAGE_FAULT_GUARD_PAGE) && (status != STATUS_STACK_OVERFLOW)) { UNLOCK_ALTERNATE_TABLE (Wow64Process); status = MiCheckForUserStackOverflow (VirtualAddress); LOCK_ALTERNATE_TABLE (Wow64Process); } } else if (status == STATUS_GUARD_PAGE_VIOLATION) { // // Native PTE has the guard bit set, but the AltPte // doesn't have it. // // See if any of the AltPtes has the guard bit set. // ASSERT (PointerAltPteForNativePage == MiGetAltPteAddress (PAGE_ALIGN (VirtualAddress))); for (i = 0; i < SPLITS_PER_PAGE; i += 1) { if (PointerAltPteForNativePage->u.Alt.Protection & MM_GUARD_PAGE) { status = STATUS_SUCCESS; break; } PointerAltPteForNativePage += 1; } } else if ((SharedPageFault == TRUE) && (status == STATUS_ACCESS_VIOLATION)) { AltPteContents.u.Long = PointerAltPte->u.Long; AltPteContents.u.Alt.Commit = 0; MI_WRITE_ALTPTE (PointerAltPte, AltPteContents, 6); } return_status: KiFlushSingleTb (OriginalVirtualAddress); if (FillZero == TRUE) { // // Zero the specified 4k page. // PointerAltPte = MiGetAltPteAddress (VirtualAddress); PointerPte = MiGetPteAddress (VirtualAddress); PointerPde = MiGetPdeAddress (VirtualAddress); PointerPpe = MiGetPpeAddress (VirtualAddress); do { if (PointerAltPte->u.Alt.FillZero == 0) { // // Another thread has already completed the zero operation. // goto Finished; } // // Make the PPE and PDE valid as well as the // page table for the original PTE. This guarantees // TB forward progress for the TB indirect fault. // LOCK_WS_UNSAFE (CurrentProcess); if (MiDoesPpeExistAndMakeValid (PointerPpe, CurrentProcess, MM_NOIRQL, &Waited) == FALSE) { PteContents.u.Long = 0; } else if (MiDoesPdeExistAndMakeValid (PointerPde, CurrentProcess, MM_NOIRQL, &Waited) == FALSE) { PteContents.u.Long = 0; } else { // // Now it is safe to read PointerPte. // PteContents = *PointerPte; } // // The alternate PTE may have been trimmed during the period // prior to the working set mutex being acquired or when it // was released prior to being reacquired. // if (MiIsAddressValid (PointerAltPte, TRUE) == TRUE) { break; } UNLOCK_WS_UNSAFE (CurrentProcess); } while (TRUE); AltPteContents.u.Long = PointerAltPte->u.Long; if (PteContents.u.Hard.Valid != 0) { ZeroAddress = KSEG_ADDRESS (PteContents.u.Hard.PageFrameNumber); ZeroAddress = (PVOID)((ULONG_PTR)ZeroAddress + ((ULONG_PTR)PAGE_4K_ALIGN(VirtualAddress) & (PAGE_SIZE-1))); RtlZeroMemory (ZeroAddress, PAGE_4K); UNLOCK_WS_UNSAFE (CurrentProcess); AltPteContents.u.Alt.FillZero = 0; AltPteContents.u.Alt.Accessed = 1; } else { UNLOCK_WS_UNSAFE (CurrentProcess); AltPteContents.u.Alt.Accessed = 0; } MI_WRITE_ALTPTE (PointerAltPte, AltPteContents, 7); } Finished: UNLOCK_ALTERNATE_TABLE (Wow64Process); return status; } VOID MiSyncAltPte ( IN PVOID VirtualAddress ) /*++ Routine Description: This function is called to compute the alternate PTE entries for the given virtual address. It is called with the alternate table mutex held and updates the alternate table bitmap before returning. Arguments: VirtualAddress - Supplies the virtual address to evaluate. Return Value: None. Environment: Kernel mode, alternate table mutex held. --*/ { PMMVAD TempVad; MMPTE PteContents; PMMPTE PointerAltPte; MMPTE AltPteContents; PMMPTE PointerPde; PEPROCESS CurrentProcess; PWOW64_PROCESS Wow64Process; KIRQL OldIrql; PMMPTE ProtoPte; PMMPFN Pfn1; ULONG_PTR Vpn; ULONG FirstProtect; ULONG SecondProtect; PSUBSECTION Subsection; PSUBSECTION FirstSubsection; PCONTROL_AREA ControlArea; PMMVAD Vad; Vpn = MI_VA_TO_VPN (VirtualAddress); CurrentProcess = PsGetCurrentProcess (); Wow64Process = CurrentProcess->Wow64Process; LOCK_WS_UNSAFE (CurrentProcess); ASSERT ((MiGetPpeAddress (VirtualAddress)->u.Hard.Valid == 0) || (MiGetPdeAddress (VirtualAddress)->u.Hard.Valid == 0) || (MiGetPteAddress (VirtualAddress)->u.Long == 0)); ProtoPte = MiCheckVirtualAddress (VirtualAddress, &FirstProtect, &TempVad); if (FirstProtect == MM_UNKNOWN_PROTECTION) { // // Ultimately this must be an address backed by a prototype PTE in // an image section (and the real PTE is currently zero). Therefore // we are guaranteed that the protection in the prototype PTE // is the correct one to use (ie: there is no WSLE overriding it). // Vad = MiLocateAddress (VirtualAddress); ASSERT (Vad != NULL); ControlArea = Vad->ControlArea; ASSERT (ControlArea->u.Flags.Image == 1); if ((ControlArea->u.Flags.Rom == 1) || (ControlArea->u.Flags.GlobalOnlyPerSession == 1)) { FirstSubsection = (PSUBSECTION)((PLARGE_CONTROL_AREA)ControlArea + 1); } else { FirstSubsection = (PSUBSECTION)(ControlArea + 1); } ASSERT (!MI_IS_PHYSICAL_ADDRESS (ProtoPte)); // // Get the original protection information from the prototype PTE. // // A non-NULL subsection indicates split permissions need to be // applied on the ALT PTEs for this native PTE. // Subsection = NULL; // // Read the prototype PTE contents without the PFN lock - the PFN // lock is only needed if the prototype PTE is valid so that the // PFN's original PTE field can be fetched. // PteContents = *ProtoPte; DecodeProto: if (PteContents.u.Hard.Valid == 0) { if (PteContents.u.Long == 0) { FirstProtect = MM_NOACCESS; } else { // // The prototype PTE is not valid, ie: subsection format, // demand zero, pagefile or in transition - in all cases, // the protection is in the PTE. // FirstProtect = (ULONG) PteContents.u.Soft.Protection; if (PteContents.u.Soft.SplitPermissions == 1) { Subsection = (PSUBSECTION) 1; } } } else { PointerPde = MiGetPteAddress (ProtoPte); LOCK_PFN (OldIrql); if (PointerPde->u.Hard.Valid == 0) { MiMakeSystemAddressValidPfn (ProtoPte, OldIrql); } PteContents = *ProtoPte; if (PteContents.u.Hard.Valid == 0) { UNLOCK_PFN (OldIrql); goto DecodeProto; } // // The prototype PTE is valid, get the protection from // the PFN database. Unless the protection is split, in // which case it must be retrieved from the subsection. // Note that if the page has been trimmed already then // the original PTE is no longer in subsection format. // Pfn1 = MI_PFN_ELEMENT (PteContents.u.Hard.PageFrameNumber); FirstProtect = (ULONG) Pfn1->OriginalPte.u.Soft.Protection; UNLOCK_PFN (OldIrql); if (PteContents.u.Hard.Cache == MM_PTE_CACHE_RESERVED) { Subsection = (PSUBSECTION) 1; } } ASSERT (FirstProtect != MM_INVALID_PROTECTION); if (Subsection != NULL) { // // Compute the subsection address as the split permissions are // stored there. Note to reduce lock contention this was // deferred until after the PFN lock was released. // Subsection = FirstSubsection; do { ASSERT (Subsection->SubsectionBase != NULL); if ((ProtoPte >= Subsection->SubsectionBase) && (ProtoPte < Subsection->SubsectionBase + Subsection->PtesInSubsection)) { break; } Subsection = Subsection->NextSubsection; } while (TRUE); ASSERT (Subsection != NULL); // // Get the protection for each 4K page from the subsection. // FirstProtect = Subsection->u.SubsectionFlags.Protection; SecondProtect = Subsection->LastSplitPageProtection; } else { // // If demand-zero and copy-on-write, remove copy-on-write. // Note this cannot happen for images with native (ie: multiple // subsection) support. // if ((!IS_PTE_NOT_DEMAND_ZERO (PteContents)) && (PteContents.u.Soft.Protection & MM_COPY_ON_WRITE_MASK)) { FirstProtect = FirstProtect & ~MM_PROTECTION_COPY_MASK; } SecondProtect = FirstProtect; } ASSERT ((FirstProtect != MM_INVALID_PROTECTION) && (SecondProtect != MM_INVALID_PROTECTION)); UNLOCK_WS_UNSAFE (CurrentProcess); PointerAltPte = MiGetAltPteAddress (PAGE_ALIGN (VirtualAddress)); // // Update the first alternate PTE. // AltPteContents.u.Long = MiMakeProtectionAteMask (FirstProtect) | MM_ATE_COMMIT; AltPteContents.u.Alt.Protection = FirstProtect; if ((FirstProtect & MM_PROTECTION_COPY_MASK) == 0) { // // If copy-on-write is removed, make it private. // AltPteContents.u.Alt.Private = 1; } MI_WRITE_ALTPTE (PointerAltPte, AltPteContents, 8); // // Update the second alternate PTE, computing it // only if it is different from the first. // if (Subsection != NULL) { AltPteContents.u.Long = MiMakeProtectionAteMask (SecondProtect) | MM_ATE_COMMIT; AltPteContents.u.Alt.Protection = SecondProtect; if ((SecondProtect & MM_PROTECTION_COPY_MASK) == 0) { // // If copy-on-write is removed, make it private. // AltPteContents.u.Alt.Private = 1; } } } else { UNLOCK_WS_UNSAFE (CurrentProcess); AltPteContents.u.Long = MiMakeProtectionAteMask (FirstProtect); AltPteContents.u.Alt.Protection = FirstProtect; AltPteContents.u.Alt.Commit = 1; PointerAltPte = MiGetAltPteAddress (PAGE_ALIGN (VirtualAddress)); // // Update the alternate PTEs. // MI_WRITE_ALTPTE (PointerAltPte, AltPteContents, 9); } MI_WRITE_ALTPTE (PointerAltPte + 1, AltPteContents, 0xA); // // Update the bitmap. // MI_SET_BIT (Wow64Process->AltPermBitmap, Vpn); return; } VOID MiProtectImageFileFor4kPage ( IN PVOID VirtualAddress, IN SIZE_T ViewSize ) { ULONG Vpn; PVOID EndAddress; PULONG Bitmap; PWOW64_PROCESS Wow64Process; ASSERT (BYTE_OFFSET (VirtualAddress) == 0); Vpn = (ULONG) MI_VA_TO_VPN (VirtualAddress); EndAddress = (PVOID)((PCHAR) VirtualAddress + ViewSize - 1); Wow64Process = PsGetCurrentProcess()->Wow64Process; Bitmap = Wow64Process->AltPermBitmap; LOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); do { if (MI_CHECK_BIT (Bitmap, Vpn) == 0) { MiSyncAltPte (VirtualAddress); } VirtualAddress = (PVOID)((PCHAR) VirtualAddress + PAGE_SIZE); Vpn += 1; } while (VirtualAddress <= EndAddress); UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); return; } // // Define and initialize the protection conversion table for the // Alternate Permission Table Entries. // ULONGLONG MmProtectToAteMask[32] = { MM_PTE_NOACCESS | MM_ATE_NOACCESS, MM_PTE_EXECUTE_READ | MM_PTE_ACCESS_MASK, MM_PTE_EXECUTE_READ | MM_PTE_ACCESS_MASK, MM_PTE_EXECUTE_READ | MM_PTE_ACCESS_MASK, MM_PTE_EXECUTE_READWRITE | MM_PTE_ACCESS_MASK, MM_PTE_EXECUTE_READ | MM_PTE_ACCESS_MASK | MM_ATE_COPY_ON_WRITE, MM_PTE_EXECUTE_READWRITE | MM_PTE_ACCESS_MASK, MM_PTE_EXECUTE_READ | MM_PTE_ACCESS_MASK | MM_ATE_COPY_ON_WRITE, MM_PTE_NOACCESS | MM_ATE_NOACCESS, MM_PTE_EXECUTE_READ | MM_PTE_ACCESS_MASK, MM_PTE_EXECUTE_READ | MM_PTE_ACCESS_MASK, MM_PTE_EXECUTE_READ | MM_PTE_ACCESS_MASK, MM_PTE_EXECUTE_READWRITE | MM_PTE_ACCESS_MASK, MM_PTE_EXECUTE_READ | MM_PTE_ACCESS_MASK | MM_ATE_COPY_ON_WRITE, MM_PTE_EXECUTE_READWRITE | MM_PTE_ACCESS_MASK, MM_PTE_EXECUTE_READ | MM_PTE_ACCESS_MASK | MM_ATE_COPY_ON_WRITE, MM_PTE_NOACCESS | MM_ATE_NOACCESS, MM_PTE_EXECUTE_READ, MM_PTE_EXECUTE_READ, MM_PTE_EXECUTE_READ, MM_PTE_EXECUTE_READWRITE, MM_PTE_EXECUTE_READ | MM_ATE_COPY_ON_WRITE, MM_PTE_EXECUTE_READWRITE, MM_PTE_EXECUTE_READ | MM_ATE_COPY_ON_WRITE, MM_PTE_NOACCESS | MM_ATE_NOACCESS, MM_PTE_EXECUTE_READ, MM_PTE_EXECUTE_READ, MM_PTE_EXECUTE_READ, MM_PTE_EXECUTE_READWRITE, MM_PTE_EXECUTE_READ | MM_ATE_COPY_ON_WRITE, MM_PTE_EXECUTE_READWRITE, MM_PTE_EXECUTE_READ | MM_ATE_COPY_ON_WRITE }; #define MiMakeProtectionAteMask(NewProtect) MmProtectToAteMask[NewProtect] VOID MiProtectFor4kPage ( IN PVOID Starting4KAddress, IN SIZE_T Size, IN ULONG NewProtect, IN ULONG Flags, IN PEPROCESS Process ) /*++ Routine Description: This routine sets the permissions on the alternate bitmap (based on 4K page sizes). The base and size are assumed to be aligned for 4K pages already. Arguments: Starting4KAddress - Supplies the base address (assumed to be 4K aligned already). Size - Supplies the size to be protected (assumed to be 4K aligned already). NewProtect - Supplies the protection for the new pages. Flags - Supplies the alternate table entry request flags. Process - Supplies a pointer to the process in which to create the protections on the alternate table. Return Value: None. Environment: Kernel mode. Address creation mutex held at APC_LEVEL. --*/ { RTL_BITMAP BitMap; ULONG NumberOfPtes; ULONG StartingNativeVpn; PVOID Ending4KAddress; ULONG NewProtectNotCopy; ULONGLONG ProtectionMask; ULONGLONG ProtectionMaskNotCopy; PMMPTE StartAltPte; PMMPTE EndAltPte; PMMPTE StartAltPte0; PMMPTE EndAltPte0; PWOW64_PROCESS Wow64Process; MMPTE AltPteContents; MMPTE TempAltPte; Ending4KAddress = (PCHAR)Starting4KAddress + Size - 1; // // If the addresses are not WOW64 then nothing needs to be done here. // if ((Starting4KAddress >= MmWorkingSetList->HighestUserAddress) || (Ending4KAddress >= MmWorkingSetList->HighestUserAddress)) { return; } // // Set up the protection to be used for this range of addresses. // ProtectionMask = MiMakeProtectionAteMask (NewProtect); if ((NewProtect & MM_COPY_ON_WRITE_MASK) == MM_COPY_ON_WRITE_MASK) { NewProtectNotCopy = NewProtect & ~MM_PROTECTION_COPY_MASK; ProtectionMaskNotCopy = MiMakeProtectionAteMask (NewProtectNotCopy); } else { NewProtectNotCopy = NewProtect; ProtectionMaskNotCopy = ProtectionMask; } if (Flags & ALT_COMMIT) { ProtectionMask |= MM_ATE_COMMIT; ProtectionMaskNotCopy |= MM_ATE_COMMIT; } // // Get the entry in the table for each of these addresses. // StartAltPte = MiGetAltPteAddress (Starting4KAddress); EndAltPte = MiGetAltPteAddress (Ending4KAddress); NumberOfPtes = (ULONG) ADDRESS_AND_SIZE_TO_SPAN_PAGES (Starting4KAddress, (ULONG_PTR)Ending4KAddress - (ULONG_PTR)Starting4KAddress); ASSERT (NumberOfPtes != 0); StartAltPte0 = MiGetAltPteAddress (PAGE_ALIGN (Starting4KAddress)); EndAltPte0 = MiGetAltPteAddress ((ULONG_PTR)PAGE_ALIGN(Ending4KAddress)+PAGE_SIZE-1); Wow64Process = Process->Wow64Process; StartingNativeVpn = (ULONG) MI_VA_TO_VPN (Starting4KAddress); TempAltPte.u.Long = 0; // // Acquire the mutex guarding the alternate page table. // LOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); if (!(Flags & ALT_ALLOCATE) && (MI_CHECK_BIT(Wow64Process->AltPermBitmap, StartingNativeVpn) == 0)) { UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); return; } // // Change all of the protections. // while (StartAltPte <= EndAltPte) { AltPteContents.u.Long = StartAltPte->u.Long; TempAltPte.u.Long = ProtectionMask; TempAltPte.u.Alt.Protection = NewProtect; if (!(Flags & ALT_ALLOCATE)) { if (AltPteContents.u.Alt.Private != 0) { // // If it is already private, don't make it writecopy. // TempAltPte.u.Long = ProtectionMaskNotCopy; TempAltPte.u.Alt.Protection = NewProtectNotCopy; // // Private is sticky bit. // TempAltPte.u.Alt.Private = 1; } if (AltPteContents.u.Alt.FillZero != 0) { TempAltPte.u.Alt.Accessed = 0; TempAltPte.u.Alt.FillZero = 1; } // // Leave the other sticky attribute bits. // TempAltPte.u.Alt.Lock = AltPteContents.u.Alt.Lock; TempAltPte.u.Alt.PteIndirect = AltPteContents.u.Alt.PteIndirect; TempAltPte.u.Alt.PteOffset = AltPteContents.u.Alt.PteOffset; } if (Flags & ALT_CHANGE) { // // If it is a change request, make commit sticky. // TempAltPte.u.Alt.Commit = AltPteContents.u.Alt.Commit; } // // Atomic PTE update. // MI_WRITE_ALTPTE (StartAltPte, TempAltPte, 0xB); StartAltPte += 1; } ASSERT (TempAltPte.u.Long != 0); if (Flags & ALT_ALLOCATE) { // // Fill the empty Alt PTE as NoAccess ATE at the end. // EndAltPte += 1; while (EndAltPte <= EndAltPte0) { if (EndAltPte->u.Long == 0) { TempAltPte.u.Long = EndAltPte->u.Long; TempAltPte.u.Alt.NoAccess = 1; // // Atomic PTE update. // MI_WRITE_ALTPTE (EndAltPte, TempAltPte, 0xC); } EndAltPte += 1; } // // Update the permission bitmap. // // Initialize the bitmap inline for speed. // BitMap.SizeOfBitMap = (ULONG)((ULONG_PTR)MmWorkingSetList->HighestUserAddress >> PTI_SHIFT); BitMap.Buffer = Wow64Process->AltPermBitmap; RtlSetBits (&BitMap, StartingNativeVpn, NumberOfPtes); } MiResetAccessBitForNativePtes (Starting4KAddress, Ending4KAddress, Process); UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); } VOID MiProtectMapFileFor4kPage ( IN PVOID Base, IN SIZE_T Size, IN ULONG NewProtect, IN SIZE_T CommitSize, IN PMMPTE PointerPte, IN PMMPTE LastPte, IN PEPROCESS Process ) /*++ Routine Description: This routine sets the permissions on the alternate bitmap (based on 4K page sizes). The base and size are assumed to be aligned for 4K pages already. Arguments: Base - Supplies the base address (assumed to be 4K aligned already). Size - Supplies the size to be protected (assumed to be 4K aligned already). NewProtect - Supplies the protection for the new pages. CommitSize - Supplies the commit size. PointerPte - Supplies the starting PTE. LastPte - Supplies the last PTE. Process - Supplies a pointer to the process in which to create the protections on the alternate table. Return Value: None. Environment: Kernel mode. Address creation mutex held at APC_LEVEL. --*/ { RTL_BITMAP BitMap; PVOID Starting4KAddress; PVOID Ending4KAddress; ULONGLONG ProtectionMask; PMMPTE StartAltPte; PMMPTE EndAltPte; PMMPTE EndAltPte0; PWOW64_PROCESS Wow64Process; MMPTE TempAltPte; PMMPTE LastCommitPte; ULONG Vpn; ULONG VpnRange; Wow64Process = Process->Wow64Process; Starting4KAddress = Base; Ending4KAddress = (PCHAR)Base + Size - 1; // // If the addresses are not WOW64 then nothing needs to be done here. // if ((Starting4KAddress >= MmWorkingSetList->HighestUserAddress) || (Ending4KAddress >= MmWorkingSetList->HighestUserAddress)) { return; } Vpn = (ULONG) MI_VA_TO_VPN (Base); VpnRange = (ULONG) (MI_VA_TO_VPN (Ending4KAddress) - Vpn + 1); // // Set up the protection to be used for this range of addresses. // ProtectionMask = MiMakeProtectionAteMask (NewProtect); // // Get the entry in the table for each of these addresses. // StartAltPte = MiGetAltPteAddress (Starting4KAddress); EndAltPte = MiGetAltPteAddress (Ending4KAddress); EndAltPte0 = MiGetAltPteAddress ((ULONG_PTR)PAGE_ALIGN(Ending4KAddress)+PAGE_SIZE-1); LastCommitPte = PointerPte + BYTES_TO_PAGES (CommitSize); TempAltPte.u.Long = ProtectionMask; TempAltPte.u.Alt.Protection = NewProtect; // // Initialize the bitmap inline for speed. // BitMap.SizeOfBitMap = (ULONG)((ULONG_PTR)MmWorkingSetList->HighestUserAddress >> PTI_SHIFT); BitMap.Buffer = Wow64Process->AltPermBitmap; LOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); KeAcquireGuardedMutexUnsafe (&MmSectionCommitMutex); // // And then change all of the protections. // while (StartAltPte <= EndAltPte) { if (PointerPte < LastCommitPte) { TempAltPte.u.Alt.Commit = 1; } else if ((PointerPte <= LastPte) && (PointerPte->u.Long != 0)) { TempAltPte.u.Alt.Commit = 1; } else { TempAltPte.u.Alt.Commit = 0; } // // Atomic PTE update. // MI_WRITE_ALTPTE (StartAltPte, TempAltPte, 0xD); StartAltPte += 1; if (((ULONG_PTR)StartAltPte & ((SPLITS_PER_PAGE * sizeof(MMPTE))-1)) == 0) { PointerPte += 1; } } ASSERT (TempAltPte.u.Long != 0); KeReleaseGuardedMutexUnsafe (&MmSectionCommitMutex); // // Fill the empty Alt PTE as NoAccess ATE at the end. // EndAltPte += 1; while (EndAltPte <= EndAltPte0) { if (EndAltPte->u.Long == 0) { TempAltPte.u.Long = EndAltPte->u.Long; TempAltPte.u.Alt.NoAccess = 1; // // Atomic PTE size update. // MI_WRITE_ALTPTE (EndAltPte, TempAltPte, 0xE); } EndAltPte += 1; } RtlSetBits (&BitMap, Vpn, VpnRange); UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); } VOID MiReleaseFor4kPage ( IN PVOID StartVirtual, IN PVOID EndVirtual, IN PEPROCESS Process ) /*++ Routine Description: This function releases a region of pages within the virtual address space of the subject process. Arguments: StartVirtual - Supplies the start address of the region of pages to be released. EndVirtual - Supplies the end address of the region of pages to be released. Process - Supplies a pointer to the process in which to release the region of pages. Return Value: None. Environment: Kernel mode. Address creation mutex held at APC_LEVEL. --*/ { RTL_BITMAP BitMap; PMMPTE StartAltPte; PMMPTE EndAltPte; MMPTE TempAltPte; PVOID VirtualAddress; PVOID OriginalStartVa; PVOID OriginalEndVa; ULONG i; PWOW64_PROCESS Wow64Process; PFN_NUMBER NumberOfAltPtes; ASSERT (StartVirtual <= EndVirtual); OriginalStartVa = StartVirtual; OriginalEndVa = EndVirtual; Wow64Process = Process->Wow64Process; StartAltPte = MiGetAltPteAddress (StartVirtual); EndAltPte = MiGetAltPteAddress (EndVirtual); NumberOfAltPtes = EndAltPte - StartAltPte + 1; TempAltPte.u.Long = 0; TempAltPte.u.Alt.NoAccess = 1; TempAltPte.u.Alt.FillZero = 1; StartVirtual = PAGE_ALIGN (StartVirtual); VirtualAddress = StartVirtual; ASSERT ((ULONG) ADDRESS_AND_SIZE_TO_SPAN_PAGES (StartVirtual, (ULONG_PTR)EndVirtual - (ULONG_PTR)StartVirtual) != 0); LOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); do { MI_WRITE_ALTPTE (StartAltPte, TempAltPte, 0xF); NumberOfAltPtes -= 1; StartAltPte += 1; } while (NumberOfAltPtes != 0); while (VirtualAddress <= EndVirtual) { StartAltPte = MiGetAltPteAddress (VirtualAddress); TempAltPte = *StartAltPte; i = 0; // // Note that this check must be made as the ATE fill above may not // have begun on a native page boundary and this scan always does. // while (TempAltPte.u.Long == StartAltPte->u.Long) { i += 1; if (i == SPLITS_PER_PAGE) { while (i != 0) { MI_WRITE_ALTPTE (StartAltPte, ZeroPte, 0x10); StartAltPte -= 1; i -= 1; } break; } StartAltPte += 1; } VirtualAddress = (PVOID)((PCHAR) VirtualAddress + PAGE_SIZE); } MiResetAccessBitForNativePtes (StartVirtual, EndVirtual, Process); // // Mark the native released pages as non-split so they get re-synced // at MmX86Fault() time. NOTE: StartVirtual should be aligned on // the native page size before executing this code. // if (BYTE_OFFSET (OriginalStartVa) != 0) { if (MiArePreceding4kPagesAllocated (OriginalStartVa) != FALSE) { StartVirtual = PAGE_ALIGN ((ULONG_PTR)StartVirtual + PAGE_SIZE); } } EndVirtual = (PVOID) ((ULONG_PTR)EndVirtual | (PAGE_SIZE - 1)); if (BYTE_OFFSET (OriginalEndVa) != (PAGE_SIZE - 1)) { if (MiAreFollowing4kPagesAllocated (OriginalEndVa) != FALSE) { EndVirtual = (PVOID) ((ULONG_PTR)EndVirtual - PAGE_SIZE); } } if (StartVirtual < EndVirtual) { // // Initialize the bitmap inline for speed. // BitMap.SizeOfBitMap = (ULONG)((ULONG_PTR)MmWorkingSetList->HighestUserAddress >> PTI_SHIFT); BitMap.Buffer = Wow64Process->AltPermBitmap; RtlClearBits (&BitMap, (ULONG) MI_VA_TO_VPN (StartVirtual), (ULONG) (MI_VA_TO_VPN (EndVirtual) - MI_VA_TO_VPN (StartVirtual) + 1)); } UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); } VOID MiDecommitFor4kPage ( IN PVOID StartVirtual, IN PVOID EndVirtual, IN PEPROCESS Process ) /*++ Routine Description: This function decommits a region of pages within the virtual address space of a subject process. Arguments: StartVirtual - Supplies the start address of the region of pages to be decommitted. EndVirtual - Supplies the end address of the region of the pages to be decommitted. Process - Supplies a pointer to the process in which to decommit a a region of pages. Return Value: None. Environment: Address space mutex held at APC_LEVEL. --*/ { PMMPTE StartAltPte; PMMPTE EndAltPte; MMPTE TempAltPte; PWOW64_PROCESS Wow64Process; Wow64Process = Process->Wow64Process; ASSERT (StartVirtual <= EndVirtual); StartAltPte = MiGetAltPteAddress (StartVirtual); EndAltPte = MiGetAltPteAddress (EndVirtual); ASSERT ((ULONG) ADDRESS_AND_SIZE_TO_SPAN_PAGES (StartVirtual, (ULONG_PTR)EndVirtual - (ULONG_PTR)StartVirtual) != 0); LOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); while (StartAltPte <= EndAltPte) { TempAltPte.u.Long = StartAltPte->u.Long; TempAltPte.u.Alt.Commit = 0; TempAltPte.u.Alt.Accessed = 0; TempAltPte.u.Alt.FillZero = 1; // // Atomic PTE update. // MI_WRITE_ALTPTE (StartAltPte, TempAltPte, 0x11); StartAltPte += 1; } // // Update the native PTEs and flush the relevant native TB entries. // MiResetAccessBitForNativePtes (StartVirtual, EndVirtual, Process); UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); } VOID MiDeleteFor4kPage ( IN PVOID VirtualAddress, IN PVOID EndVirtual, IN PEPROCESS Process ) /*++ Routine Description: This function deletes a region of pages within the virtual address space of the subject process. Arguments: VirtualAddress - Supplies the start address of the region of pages to be deleted. EndVirtual - Supplies the end address of the region of pages to be deleted. Process - Supplies a pointer to the process in which to delete the region of pages. Return Value: None. Environment: Kernel mode. Address creation mutex held at APC_LEVEL. --*/ { RTL_BITMAP BitMap; PMMPTE EndAltPte; PMMPTE StartAltPte; PWOW64_PROCESS Wow64Process; PFN_NUMBER NumberOfAltPtes; ULONG Vpn; ULONG VpnRange; ASSERT (VirtualAddress <= EndVirtual); StartAltPte = MiGetAltPteAddress (VirtualAddress); EndAltPte = MiGetAltPteAddress (EndVirtual); NumberOfAltPtes = EndAltPte - StartAltPte + 1; ASSERT (ADDRESS_AND_SIZE_TO_SPAN_PAGES (VirtualAddress, (ULONG_PTR)EndVirtual - (ULONG_PTR)VirtualAddress) != 0); Wow64Process = Process->Wow64Process; Vpn = (ULONG) MI_VA_TO_VPN (VirtualAddress); VpnRange = (ULONG) (MI_VA_TO_VPN (EndVirtual) - Vpn + 1); // // Initialize the bitmap inline for speed. // BitMap.SizeOfBitMap = (ULONG)((ULONG_PTR)MmWorkingSetList->HighestUserAddress >> PTI_SHIFT); BitMap.Buffer = Wow64Process->AltPermBitmap; LOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); do { MI_WRITE_ALTPTE (StartAltPte, ZeroPte, 0x12); NumberOfAltPtes -= 1; StartAltPte += 1; } while (NumberOfAltPtes != 0); RtlClearBits (&BitMap, Vpn, VpnRange); // // VirtualAddress and EndVirtual are already aligned to the native // PAGE_SIZE so no need to readjust them before removing the split markers. // MiResetAccessBitForNativePtes (VirtualAddress, EndVirtual, Process); UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); } LOGICAL MiArePreceding4kPagesAllocated ( IN PVOID VirtualAddress ) /*++ Routine Description: This function checks to see if the specified virtual address contains any preceding 4k allocations within the native page. Arguments: VirtualAddress - Supplies the virtual address to check. Return Value: TRUE if the address has preceding 4k pages, FALSE if not. Environment: Kernel mode, address creation mutex held, APCs disabled. --*/ { PMMPTE AltPte; PMMPTE AltPteEnd; ASSERT (BYTE_OFFSET (VirtualAddress) != 0); AltPte = MiGetAltPteAddress (PAGE_ALIGN(VirtualAddress)); AltPteEnd = MiGetAltPteAddress (VirtualAddress); // // No need to hold the AltPte mutex as the address space mutex // is held which prevents allocation or deletion of the AltPte entries // inside the table. // while (AltPte != AltPteEnd) { if ((AltPte->u.Long == 0) || ((AltPte->u.Alt.NoAccess == 1) && (AltPte->u.Alt.Protection != MM_NOACCESS))) { // // The page's alternate PTE hasn't been allocated yet to the process // or it's marked no access. // NOTHING; } else { return TRUE; } AltPte += 1; } return FALSE; } LOGICAL MiAreFollowing4kPagesAllocated ( IN PVOID VirtualAddress ) /*++ Routine Description: This function checks to see if the specified virtual address contains any following 4k allocations within the native page. Arguments: VirtualAddress - Supplies the virtual address to check. Return Value: TRUE if the address has following 4k pages, FALSE if not. Environment: Kernel mode, address creation mutex held, APCs disabled. --*/ { PMMPTE AltPte; PMMPTE AltPteEnd; ASSERT (BYTE_OFFSET (VirtualAddress) != 0); AltPteEnd = MiGetAltPteAddress (PAGE_ALIGN ((ULONG_PTR)VirtualAddress + PAGE_SIZE)); AltPte = MiGetAltPteAddress (VirtualAddress) + 1; ASSERT (AltPte < AltPteEnd); // // No need to hold the AltPte mutex as the address space mutex // is held which prevents allocation or deletion of the AltPte entries // inside the table. // while (AltPte != AltPteEnd) { if ((AltPte->u.Long == 0) || ((AltPte->u.Alt.NoAccess == 1) && (AltPte->u.Alt.Protection != MM_NOACCESS))) { // // The page's alternate PTE hasn't been allocated yet to the process // or it's marked no access. // NOTHING; } else { return TRUE; } AltPte += 1; } return FALSE; } VOID MiResetAccessBitForNativePtes ( IN PVOID VirtualAddress, IN PVOID EndVirtual, IN PEPROCESS Process ) /*++ Routine Description: This function resets the access bit of the native PTEs which have corresponding initialized alternate PTEs. This results in the next access to these VAs incurring a TB miss. The miss will then be processed by the 4k TB miss handler (if the cache reserved bit is set in the native PTE) and either handled inline (if the alternate PTE allows it) or via a call to MmX86Fault. If the cache reserved bit is *NOT* set in the native PTE (ie: the native page does not contain split permissions), then the access will still go to KiPageFault and then to MmX86Fault and then to MmAccessFault for general processing to set the access bit. Arguments: VirtualAddress - Supplies the start address of the region of pages to be inspected. EndVirtual - Supplies the end address of the region of the pages to be inspected. Process - Supplies the pointer to the process. Return Value: None. Environment: Alternate table mutex held at APC_LEVEL. --*/ { ULONG NumberOfPtes; MMPTE PteContents; PMMPTE PointerPte; PMMPTE PointerPde; PMMPTE PointerPpe; LOGICAL FirstTime; ULONG Waited; PULONG Bitmap; PVOID Virtual[MM_MAXIMUM_FLUSH_COUNT]; NumberOfPtes = 0; Bitmap = Process->Wow64Process->AltPermBitmap; VirtualAddress = PAGE_ALIGN (VirtualAddress); PointerPte = MiGetPteAddress (VirtualAddress); FirstTime = TRUE; LOCK_WS_UNSAFE (Process); while (VirtualAddress <= EndVirtual) { if ((FirstTime == TRUE) || MiIsPteOnPdeBoundary (PointerPte)) { PointerPde = MiGetPteAddress (PointerPte); PointerPpe = MiGetPdeAddress (PointerPte); if (MiDoesPpeExistAndMakeValid (PointerPpe, Process, MM_NOIRQL, &Waited) == FALSE) { // // This page directory parent entry is empty, // go to the next one. // PointerPpe += 1; PointerPde = MiGetVirtualAddressMappedByPte (PointerPpe); PointerPte = MiGetVirtualAddressMappedByPte (PointerPde); VirtualAddress = MiGetVirtualAddressMappedByPte (PointerPte); continue; } if (MiDoesPdeExistAndMakeValid (PointerPde, Process, MM_NOIRQL, &Waited) == FALSE) { // // This page directory entry is empty, // go to the next one. // PointerPde += 1; PointerPte = MiGetVirtualAddressMappedByPte(PointerPde); VirtualAddress = MiGetVirtualAddressMappedByPte(PointerPte); continue; } FirstTime = FALSE; } PteContents = *PointerPte; if (PteContents.u.Hard.Valid != 0) { if ((PteContents.u.Hard.Accessed != 0) && (MI_CHECK_BIT (Bitmap, MI_VA_TO_VPN (VirtualAddress)))) { PteContents.u.Hard.Accessed = 0; MI_WRITE_VALID_PTE_NEW_PROTECTION (PointerPte, PteContents); } // // Flush this valid native TB entry. Note this is done even if no // changes were made to it above because our caller may not // have flushed the native PTE if the starting 4k address was // preceded by another valid 4k page within the same native page, // or if the ending 4k address was followed by another valid 4k // page within the same native page. // if (NumberOfPtes < MM_MAXIMUM_FLUSH_COUNT) { Virtual[NumberOfPtes] = VirtualAddress; NumberOfPtes += 1; } } PointerPte += 1; VirtualAddress = (PVOID)((ULONG_PTR)VirtualAddress + PAGE_SIZE); } UNLOCK_WS_UNSAFE (Process); if (NumberOfPtes == 0) { NOTHING; } else if (NumberOfPtes < MM_MAXIMUM_FLUSH_COUNT) { KeFlushMultipleTb (NumberOfPtes, &Virtual[0], FALSE); } else { KeFlushProcessTb (FALSE); } return; } VOID MiQueryRegionFor4kPage ( IN PVOID BaseAddress, IN PVOID EndAddress, IN OUT PSIZE_T RegionSize, IN OUT PULONG RegionState, IN OUT PULONG RegionProtect, IN PEPROCESS Process ) /*++ Routine Description: This function checks the size of the region which has the same memory state. Arguments: BaseAddress - Supplies the base address of the region of pages to be queried. EndAddress - Supplies the end of address of the region of pages to be queried. RegionSize - Supplies the original region size. Returns a region size for 4k pages if different. RegionState - Supplies the original region state. Returns a region state for 4k pages if different. RegionProtect - Supplies the original protection. Returns a protection for 4k pages if different. Process - Supplies a pointer to the process to be queried. Return Value: Returns the size of the region. Environment: Kernel mode. Address creation mutex held at APC_LEVEL. --*/ { PMMPTE AltPte; PMMPTE LastAltPte; MMPTE AltContents; PWOW64_PROCESS Wow64Process; SIZE_T RegionSize4k; // // If above the Wow64 max address, just return. // if ((BaseAddress >= MmWorkingSetList->HighestUserAddress) || (EndAddress >= MmWorkingSetList->HighestUserAddress)) { return; } AltPte = MiGetAltPteAddress (BaseAddress); LastAltPte = MiGetAltPteAddress (EndAddress); Wow64Process = Process->Wow64Process; LOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); if (MI_CHECK_BIT (Wow64Process->AltPermBitmap, MI_VA_TO_VPN(BaseAddress)) == 0) { UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); return; } AltContents.u.Long = AltPte->u.Long; if (AltContents.u.Long == 0) { UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); return; } *RegionProtect = MI_CONVERT_FROM_PTE_PROTECTION(AltContents.u.Alt.Protection); if (AltContents.u.Alt.Commit != 0) { *RegionState = MEM_COMMIT; } else { if ((AltPte->u.Long == 0) || ((AltPte->u.Alt.NoAccess == 1) && (AltPte->u.Alt.Protection != MM_NOACCESS))) { *RegionState = MEM_FREE; *RegionProtect = PAGE_NOACCESS; } else { *RegionState = MEM_RESERVE; *RegionProtect = 0; } } AltPte += 1; RegionSize4k = PAGE_4K; while (AltPte <= LastAltPte) { if ((AltPte->u.Alt.Protection != AltContents.u.Alt.Protection) || (AltPte->u.Alt.Commit != AltContents.u.Alt.Commit)) { // // The state for this address does not match, bail. // break; } RegionSize4k += PAGE_4K; AltPte += 1; } UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); *RegionSize = RegionSize4k; } ULONG MiQueryProtectionFor4kPage ( IN PVOID BaseAddress, IN PEPROCESS Process ) /*++ Routine Description: This function queries the protection for a specified 4k page. Arguments: BaseAddress - Supplies a base address of the 4k page. Process - Supplies a pointer to the relevant process. Return Value: Returns the protection of the 4k page. Environment: Kernel mode. Address creation mutex held at APC_LEVEL. --*/ { ULONG Protection; PMMPTE PointerAltPte; PWOW64_PROCESS Wow64Process; Wow64Process = Process->Wow64Process; PointerAltPte = MiGetAltPteAddress (BaseAddress); Protection = 0; LOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); if (MI_CHECK_BIT(Wow64Process->AltPermBitmap, MI_VA_TO_VPN(BaseAddress)) != 0) { Protection = (ULONG)PointerAltPte->u.Alt.Protection; } UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); return Protection; } // // Note 1 is added to the charge to account for the page table page. // #define MI_ALTERNATE_PAGE_TABLE_CHARGE(HighestUserAddress) \ ((((((ULONG_PTR)HighestUserAddress) >> PAGE_4K_SHIFT) * sizeof (MMPTE)) >> PAGE_SHIFT) + 1) NTSTATUS MiInitializeAlternateTable ( IN PEPROCESS Process, IN PVOID HighestUserAddress ) /*++ Routine Description: This function initializes the alternate table for the specified process. Arguments: Process - Supplies a pointer to the process to initialize the alternate table for. HighestUserAddress - Supplies the highest 32-bit user address for this process. Return Value: NTSTATUS. Environment: --*/ { PULONG AltTablePointer; PWOW64_PROCESS Wow64Process; SIZE_T AltPteCharge; SIZE_T NumberOfBytes; // // Charge commitment now for the alternate PTE table pages as they will // need to be dynamically created later at fault time. // // Add X64K to include alternate PTEs for the guard region. // HighestUserAddress = (PVOID)((PCHAR)HighestUserAddress + X64K); AltPteCharge = MI_ALTERNATE_PAGE_TABLE_CHARGE (HighestUserAddress); if (MiChargeCommitment (AltPteCharge, NULL) == FALSE) { return STATUS_COMMITMENT_LIMIT; } NumberOfBytes = ((ULONG_PTR)HighestUserAddress >> PTI_SHIFT) / 8; NumberOfBytes += MI_ALTPTE_TRACKING_BYTES; AltTablePointer = (PULONG) ExAllocatePoolWithTag (NonPagedPool, NumberOfBytes, 'AlmM'); if (AltTablePointer == NULL) { MiReturnCommitment (AltPteCharge); return STATUS_NO_MEMORY; } RtlZeroMemory (AltTablePointer, NumberOfBytes); Wow64Process = Process->Wow64Process; Wow64Process->AltPermBitmap = AltTablePointer; KeInitializeGuardedMutex (&Wow64Process->AlternateTableLock); MmWorkingSetList->HighestUserPte = MiGetPteAddress (HighestUserAddress); MmWorkingSetList->HighestAltPte = MiGetAltPteAddress (HighestUserAddress); return STATUS_SUCCESS; } VOID MiDuplicateAlternateTable ( IN PEPROCESS CurrentProcess, IN PEPROCESS ProcessToInitialize ) /*++ Routine Description: This function duplicates the alternate table bitmap and the alternate PTEs themselves for the specified process. Arguments: Process - Supplies a pointer to the process whose alternate information should be copied. ProcessToInitialize - Supplies a pointer to the target process who should receive the new alternate information. Return Value: None. Environment: Kernel mode, APCs disabled, working set and address space mutex and ForkInProgress flag held. --*/ { PVOID Source; KAPC_STATE ApcState; PMMPTE PointerPte; PMMPTE PointerAltPte; PMMPTE PointerPde; PVOID Va; ULONG i; ULONG j; ULONG Waited; // // It's not necessary to acquire the alternate table mutex since both the // address space and ForkInProgress resources are held on entry. // RtlCopyMemory (ProcessToInitialize->Wow64Process->AltPermBitmap, CurrentProcess->Wow64Process->AltPermBitmap, ((ULONG_PTR)MmWorkingSetList->HighestUserAddress >> PTI_SHIFT)/8); // // Since the PPE for the Alternate Table is shared with hyperspace, // we can assume it is always present without performing // MiDoesPpeExistAndMakeValid(). // PointerPde = MiGetPdeAddress (ALT4KB_PERMISSION_TABLE_START); PointerPte = MiGetPteAddress (ALT4KB_PERMISSION_TABLE_START); Va = ALT4KB_PERMISSION_TABLE_START; do { if (MiDoesPdeExistAndMakeValid (PointerPde, CurrentProcess, MM_NOIRQL, &Waited) == TRUE) { // // Duplicate any addresses that exist in the parent, bringing them // in from disk or materializing them as necessary. Note the // KSEG address is used for each parent address to avoid allocating // a system PTE for this mapping as this routine cannot fail (the // overall fork is too far along to tolerate a failure). // for (i = 0; i < PTE_PER_PAGE; i += 1) { if (PointerPte->u.Long != 0) { if (MiDoesPdeExistAndMakeValid (PointerPte, CurrentProcess, MM_NOIRQL, &Waited) == TRUE) { ASSERT (PointerPte->u.Hard.Valid == 1); Source = KSEG_ADDRESS (PointerPte->u.Hard.PageFrameNumber); KeStackAttachProcess (&ProcessToInitialize->Pcb, &ApcState); RtlCopyMemory (Va, Source, PAGE_SIZE); // // Eliminate any bits that should NOT be copied. // PointerAltPte = (PMMPTE) Va; for (j = 0; j < PTE_PER_PAGE; j += 1) { if (PointerAltPte->u.Alt.InPageInProgress == 1) { PointerAltPte->u.Alt.InPageInProgress = 0; } PointerAltPte += 1; } KeUnstackDetachProcess (&ApcState); } } Va = (PVOID)((PCHAR) Va + PAGE_SIZE); PointerPte += 1; } } PointerPde += 1; PointerPte = MiGetVirtualAddressMappedByPte (PointerPde); Va = MiGetVirtualAddressMappedByPte (PointerPte); } while (Va < ALT4KB_PERMISSION_TABLE_END); // // Initialize the child's 32-bit PEB to be the same as the parent's. // ProcessToInitialize->Wow64Process->Wow64 = CurrentProcess->Wow64Process->Wow64; return; } VOID MiDeleteAlternateTable ( IN PEPROCESS Process ) /*++ Routine Description: This function deletes the alternate table for the specified process. Arguments: Process - Supplies a pointer to the process to delete the alternate table for. Return Value: None. Environment: Kernel mode, APCs disabled, working set mutex held. --*/ { PVOID HighestUserAddress; PMMPTE PointerPte; PMMPTE PointerPde; PVOID Va; PVOID TempVa; ULONG i; ULONG Waited; MMPTE_FLUSH_LIST PteFlushList; PWOW64_PROCESS Wow64Process; KIRQL OldIrql; Wow64Process = Process->Wow64Process; if (Wow64Process->AltPermBitmap == NULL) { // // This is only NULL (and Wow64Process non-NULL) if a memory allocation // failed during process creation. // return; } // // Since the PPE for the Alternate Table is shared with hyperspace, // we can assume it is always present without performing // MiDoesPpeExistAndMakeValid(). // Va = ALT4KB_PERMISSION_TABLE_START; PointerPte = MiGetPteAddress (ALT4KB_PERMISSION_TABLE_START); PointerPde = MiGetPdeAddress (ALT4KB_PERMISSION_TABLE_START); PteFlushList.Count = 0; do { if (MiDoesPdeExistAndMakeValid (PointerPde, Process, MM_NOIRQL, &Waited) == TRUE) { // // Delete the PTE entries mapping the Alternate Table. // TempVa = Va; LOCK_PFN (OldIrql); for (i = 0; i < PTE_PER_PAGE; i += 1) { if (PointerPte->u.Long != 0) { if (IS_PTE_NOT_DEMAND_ZERO (*PointerPte)) { MiDeletePte (PointerPte, TempVa, TRUE, Process, NULL, &PteFlushList, OldIrql); } else { MI_WRITE_INVALID_PTE (PointerPte, ZeroPte); } } TempVa = (PVOID)((PCHAR)TempVa + PAGE_SIZE); PointerPte += 1; } // // Delete the PDE entry mapping the Alternate Table. // TempVa = MiGetVirtualAddressMappedByPte (PointerPde); MiDeletePte (PointerPde, TempVa, TRUE, Process, NULL, &PteFlushList, OldIrql); MiFlushPteList (&PteFlushList, FALSE); UNLOCK_PFN (OldIrql); } PointerPde += 1; PointerPte = MiGetVirtualAddressMappedByPte (PointerPde); Va = MiGetVirtualAddressMappedByPte (PointerPte); } while (Va < ALT4KB_PERMISSION_TABLE_END); HighestUserAddress = MmWorkingSetList->HighestUserAddress; ASSERT (HighestUserAddress != NULL); // // Add X64K to include alternate PTEs for the guard region. // HighestUserAddress = (PVOID)((PCHAR)HighestUserAddress + X64K); MiReturnCommitment (MI_ALTERNATE_PAGE_TABLE_CHARGE (HighestUserAddress)); ExFreePool (Wow64Process->AltPermBitmap); Wow64Process->AltPermBitmap = NULL; return; } VOID MiRemoveAliasedVadsApc ( IN PKAPC Apc, OUT PKNORMAL_ROUTINE *NormalRoutine, IN OUT PVOID NormalContext, IN OUT PVOID *SystemArgument1, IN OUT PVOID *SystemArgument2 ) { ULONG i; PALIAS_VAD_INFO2 AliasBase; PEPROCESS Process; PALIAS_VAD_INFO AliasInformation; UNREFERENCED_PARAMETER (Apc); UNREFERENCED_PARAMETER (NormalContext); UNREFERENCED_PARAMETER (SystemArgument2); Process = PsGetCurrentProcess (); AliasInformation = (PALIAS_VAD_INFO) *SystemArgument1; AliasBase = (PALIAS_VAD_INFO2)(AliasInformation + 1); LOCK_ADDRESS_SPACE (Process); for (i = 0; i < AliasInformation->NumberOfEntries; i += 1) { ASSERT (AliasBase->BaseAddress < _2gb); MiUnsecureVirtualMemory (AliasBase->SecureHandle, TRUE); MiUnmapViewOfSection (Process, (PVOID) (ULONG_PTR)AliasBase->BaseAddress, TRUE); AliasBase += 1; } UNLOCK_ADDRESS_SPACE (Process); ExFreePool (AliasInformation); // // Clear the normal routine so this routine doesn't get called again // for the same request. // *NormalRoutine = NULL; } VOID MiRemoveAliasedVads ( IN PEPROCESS Process, IN PMMVAD Vad ) /*++ Routine Description: This function removes all aliased VADs spawned earlier from the argument VAD. Arguments: Process - Supplies the EPROCESS pointer to the current process. Vad - Supplies a pointer to the VAD describing the range being removed. Return Value: None. Environment: Kernel mode, address creation and working set mutexes held, APCs disabled. --*/ { PALIAS_VAD_INFO AliasInformation; ASSERT (Process->Wow64Process != NULL); AliasInformation = ((PMMVAD_LONG)Vad)->AliasInformation; ASSERT (AliasInformation != NULL); if ((Process->Flags & PS_PROCESS_FLAGS_VM_DELETED) == 0) { // // This process is still alive so queue an APC to delete each aliased // VAD. This is because the deletion must also get rid of page table // commitment which requires that it search (and modify) VAD trees, // etc - but the address space mutex is already held and the caller // is not generally prepared for all this to change at this point. // KeInitializeApc (&AliasInformation->Apc, &PsGetCurrentThread()->Tcb, OriginalApcEnvironment, (PKKERNEL_ROUTINE) MiRemoveAliasedVadsApc, NULL, (PKNORMAL_ROUTINE) MiRemoveAliasedVadsApc, KernelMode, (PVOID) AliasInformation); KeInsertQueueApc (&AliasInformation->Apc, AliasInformation, NULL, 0); } else { // // This process is exiting so all the VADs are being rundown anyway. // Just free the pool and let normal rundown handle the aliases. // ExFreePool (AliasInformation); } } PVOID MiDuplicateAliasVadList ( IN PMMVAD Vad ) { SIZE_T AliasInfoSize; PALIAS_VAD_INFO AliasInfo; PALIAS_VAD_INFO NewAliasInfo; AliasInfo = ((PMMVAD_LONG)Vad)->AliasInformation; ASSERT (AliasInfo != NULL); AliasInfoSize = sizeof (ALIAS_VAD_INFO) + AliasInfo->MaximumEntries * sizeof (ALIAS_VAD_INFO2); NewAliasInfo = ExAllocatePoolWithTag (NonPagedPool, AliasInfoSize, 'AdaV'); if (NewAliasInfo != NULL) { RtlCopyMemory (NewAliasInfo, AliasInfo, AliasInfoSize); } return NewAliasInfo; } #define ALIAS_VAD_INCREMENT 4 NTSTATUS MiSetCopyPagesFor4kPage ( IN PEPROCESS Process, IN PMMVAD Vad, IN OUT PVOID StartingAddress, IN OUT PVOID EndingAddress, IN ULONG NewProtection, OUT PMMVAD *CallerNewVad ) /*++ Routine Description: This function creates another map for the existing mapped view space and gives it copy-on-write protection. This is called when SetProtectionOnSection() tries to change the protection from non-copy-on-write to copy-on-write. Since a large native page cannot be split to shared and copy-on-write 4kb pages, references to the copy-on-write page(s) need to be fixed to reference the new mapped view space and this is done through the smart TB handler and the alternate page table entries. Arguments: Process - Supplies the EPROCESS pointer to the current process. Vad - Supplies a pointer to the VAD describing the range to protect. StartingAddress - Supplies a pointer to the starting address to protect. EndingAddress - Supplies a pointer to the ending address to the protect. NewProtect - Supplies the new protection to set. CallerNewVad - Returns the new VAD the caller should use for this range. Return Value: NTSTATUS. Environment: Kernel mode, address creation mutex held, APCs disabled. --*/ { ULONG_PTR Vpn; PALIAS_VAD_INFO2 AliasBase; HANDLE Handle; PMMVAD VadParent; PMMVAD_LONG NewVad; SIZE_T AliasInfoSize; PALIAS_VAD_INFO AliasInfo; PALIAS_VAD_INFO NewAliasInfo; LARGE_INTEGER SectionOffset; SIZE_T CapturedViewSize; PVOID CapturedBase; PVOID Va; PVOID VaEnd; PVOID Alias; PMMPTE PointerPte; PMMPTE AltPte; MMPTE AltPteContents; LOGICAL AliasReferenced; SECTION Section; PCONTROL_AREA ControlArea; NTSTATUS status; PWOW64_PROCESS Wow64Process; ULONGLONG ProtectionMask; ULONGLONG ProtectionMaskNotCopy; ULONG NewProtectNotCopy; AliasReferenced = FALSE; StartingAddress = PAGE_ALIGN(StartingAddress); EndingAddress = (PVOID)((ULONG_PTR)PAGE_ALIGN(EndingAddress) + PAGE_SIZE - 1); SectionOffset.QuadPart = (ULONG_PTR)MI_64K_ALIGN((ULONG_PTR)StartingAddress - (ULONG_PTR)(Vad->StartingVpn << PAGE_SHIFT)); CapturedBase = NULL; Va = MI_VPN_TO_VA (Vad->StartingVpn); VaEnd = MI_VPN_TO_VA_ENDING (Vad->EndingVpn); CapturedViewSize = (ULONG_PTR)VaEnd - (ULONG_PTR)Va + 1L; ControlArea = Vad->ControlArea; RtlZeroMemory ((PVOID)&Section, sizeof(Section)); status = MiMapViewOfDataSection (ControlArea, Process, &CapturedBase, &SectionOffset, &CapturedViewSize, &Section, ViewShare, (ULONG)Vad->u.VadFlags.Protection, 0, 0, 0); if (!NT_SUCCESS (status)) { return status; } Handle = MiSecureVirtualMemory (CapturedBase, CapturedViewSize, PAGE_READONLY, TRUE); if (Handle == NULL) { MiUnmapViewOfSection (Process, CapturedBase, TRUE); return STATUS_INSUFFICIENT_RESOURCES; } // // If the original VAD is a short or regular VAD, it needs to be // reallocated as a large VAD. Note that a short VAD that was // previously converted to a long VAD here will still be marked // as private memory, thus to handle this case the NoChange bit // must also be tested. // if (((Vad->u.VadFlags.PrivateMemory) && (Vad->u.VadFlags.NoChange == 0)) || (Vad->u2.VadFlags2.LongVad == 0)) { if (Vad->u.VadFlags.PrivateMemory == 0) { ASSERT (Vad->u2.VadFlags2.OneSecured == 0); ASSERT (Vad->u2.VadFlags2.MultipleSecured == 0); } AliasInfoSize = sizeof (ALIAS_VAD_INFO) + ALIAS_VAD_INCREMENT * sizeof (ALIAS_VAD_INFO2); AliasInfo = ExAllocatePoolWithTag (NonPagedPool, AliasInfoSize, 'AdaV'); if (AliasInfo == NULL) { MiUnsecureVirtualMemory (Handle, TRUE); MiUnmapViewOfSection (Process, CapturedBase, TRUE); return STATUS_INSUFFICIENT_RESOURCES; } AliasInfo->NumberOfEntries = 0; AliasInfo->MaximumEntries = ALIAS_VAD_INCREMENT; NewVad = ExAllocatePoolWithTag (NonPagedPool, sizeof(MMVAD_LONG), 'ldaV'); if (NewVad == NULL) { ExFreePool (AliasInfo); MiUnsecureVirtualMemory (Handle, TRUE); MiUnmapViewOfSection (Process, CapturedBase, TRUE); return STATUS_INSUFFICIENT_RESOURCES; } RtlZeroMemory (NewVad, sizeof(MMVAD_LONG)); if (Vad->u.VadFlags.PrivateMemory) { RtlCopyMemory (NewVad, Vad, sizeof(MMVAD_SHORT)); } else { RtlCopyMemory (NewVad, Vad, sizeof(MMVAD)); } NewVad->u2.VadFlags2.LongVad = 1; NewVad->AliasInformation = AliasInfo; // // Replace the current VAD with this expanded VAD. // LOCK_WS_UNSAFE (Process); VadParent = (PMMVAD) SANITIZE_PARENT_NODE (Vad->u1.Parent); ASSERT (VadParent != NULL); if (VadParent != Vad) { if (VadParent->RightChild == Vad) { VadParent->RightChild = (PMMVAD) NewVad; } else { ASSERT (VadParent->LeftChild == Vad); VadParent->LeftChild = (PMMVAD) NewVad; } } else { Process->VadRoot.BalancedRoot.RightChild = (PMMADDRESS_NODE) NewVad; } if (Vad->LeftChild) { Vad->LeftChild->u1.Parent = (PMMVAD) MI_MAKE_PARENT (NewVad, Vad->LeftChild->u1.Balance); } if (Vad->RightChild) { Vad->RightChild->u1.Parent = (PMMVAD) MI_MAKE_PARENT (NewVad, Vad->RightChild->u1.Balance); } if (Process->VadRoot.NodeHint == Vad) { Process->VadRoot.NodeHint = (PMMVAD) NewVad; } if (Process->VadFreeHint == Vad) { Process->VadFreeHint = (PMMVAD) NewVad; } if ((Vad->u.VadFlags.PhysicalMapping == 1) || (Vad->u.VadFlags.WriteWatch == 1)) { MiPhysicalViewAdjuster (Process, Vad, (PMMVAD) NewVad); } UNLOCK_WS_UNSAFE (Process); ExFreePool (Vad); Vad = (PMMVAD) NewVad; } else { AliasInfo = (PALIAS_VAD_INFO) ((PMMVAD_LONG)Vad)->AliasInformation; if (AliasInfo == NULL) { AliasInfoSize = sizeof (ALIAS_VAD_INFO) + ALIAS_VAD_INCREMENT * sizeof (ALIAS_VAD_INFO2); } else if (AliasInfo->NumberOfEntries >= AliasInfo->MaximumEntries) { AliasInfoSize = sizeof (ALIAS_VAD_INFO) + (AliasInfo->MaximumEntries + ALIAS_VAD_INCREMENT) * sizeof (ALIAS_VAD_INFO2); } else { AliasInfoSize = 0; } if (AliasInfoSize != 0) { NewAliasInfo = ExAllocatePoolWithTag (NonPagedPool, AliasInfoSize, 'AdaV'); if (NewAliasInfo == NULL) { MiUnsecureVirtualMemory (Handle, TRUE); MiUnmapViewOfSection (Process, CapturedBase, TRUE); return STATUS_INSUFFICIENT_RESOURCES; } if (AliasInfo != NULL) { RtlCopyMemory (NewAliasInfo, AliasInfo, AliasInfoSize - ALIAS_VAD_INCREMENT * sizeof (ALIAS_VAD_INFO2)); NewAliasInfo->MaximumEntries += ALIAS_VAD_INCREMENT; ExFreePool (AliasInfo); } else { NewAliasInfo->NumberOfEntries = 0; NewAliasInfo->MaximumEntries = ALIAS_VAD_INCREMENT; } AliasInfo = NewAliasInfo; } } *CallerNewVad = Vad; Va = StartingAddress; VaEnd = EndingAddress; Alias = (PVOID)((ULONG_PTR)CapturedBase + ((ULONG_PTR)StartingAddress & (X64K - 1))); ProtectionMask = MiMakeProtectionAteMask (NewProtection); NewProtectNotCopy = NewProtection & ~MM_PROTECTION_COPY_MASK; ProtectionMaskNotCopy = MiMakeProtectionAteMask (NewProtectNotCopy); Wow64Process = Process->Wow64Process; AltPte = MiGetAltPteAddress (Va); LOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); while (Va <= VaEnd) { // // Check to see if the protection is registered in the alternate entry. // Vpn = (ULONG) MI_VA_TO_VPN (Va); if (MI_CHECK_BIT (Wow64Process->AltPermBitmap, Vpn) == 0) { MiSyncAltPte (Va); } PointerPte = MiGetPteAddress (Alias); AltPteContents.u.Long = AltPte->u.Long; // // If this address is NOT copy-on-write, AND it is not already // redirected through an indirect entry, then redirect it now to // the alias VAD which points at the original section. // if ((AltPteContents.u.Alt.CopyOnWrite == 0) && (AltPteContents.u.Alt.PteIndirect == 0)) { AltPteContents.u.Alt.PteOffset = (ULONG_PTR)PointerPte - PTE_UBASE; AltPteContents.u.Alt.PteIndirect = 1; MI_WRITE_ALTPTE (AltPte, AltPteContents, 0x13); AliasReferenced = TRUE; } Va = (PVOID)((ULONG_PTR)Va + PAGE_4K); Alias = (PVOID)((ULONG_PTR)Alias + PAGE_4K); AltPte += 1; } UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); ASSERT (AliasInfo->NumberOfEntries < AliasInfo->MaximumEntries); if (AliasReferenced == TRUE) { // // The alias view of the shared section was referenced so chain it so // the alias view can be : // // a) easily duplicated if the process subsequently forks. // // AND // // b) deleted when/if the original VAD is deleted later. // AliasBase = (PALIAS_VAD_INFO2)(AliasInfo + 1); AliasBase += AliasInfo->NumberOfEntries; ASSERT (CapturedBase < (PVOID)(ULONG_PTR)_2gb); AliasBase->BaseAddress = (ULONG)(ULONG_PTR)CapturedBase; AliasBase->SecureHandle = Handle; AliasInfo->NumberOfEntries += 1; } else { // // The alias view of the shared section wasn't referenced, delete it. // MiUnsecureVirtualMemory (Handle, TRUE); MiUnmapViewOfSection (Process, CapturedBase, TRUE); } PS_SET_BITS (&Process->Flags, PS_PROCESS_FLAGS_WOW64_SPLIT_PAGES); return STATUS_SUCCESS; } VOID MiLockFor4kPage ( IN PVOID CapturedBase, IN SIZE_T CapturedRegionSize, IN PEPROCESS Process ) /*++ Routine Description: This function adds the page locked attribute to the alternate table entries. Arguments: CapturedBase - Supplies the base address to be locked. CapturedRegionSize - Supplies the size of the region to be locked. Process - Supplies a pointer to the process object. Return Value: None. Environment: Kernel mode, address creation mutex held. --*/ { PWOW64_PROCESS Wow64Process; PVOID EndingAddress; PMMPTE StartAltPte; PMMPTE EndAltPte; MMPTE AltPteContents; Wow64Process = Process->Wow64Process; EndingAddress = (PVOID)((ULONG_PTR)CapturedBase + CapturedRegionSize - 1); StartAltPte = MiGetAltPteAddress(CapturedBase); EndAltPte = MiGetAltPteAddress(EndingAddress); LOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); while (StartAltPte <= EndAltPte) { AltPteContents = *StartAltPte; AltPteContents.u.Alt.Lock = 1; MI_WRITE_ALTPTE (StartAltPte, AltPteContents, 0x14); StartAltPte += 1; } UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); } NTSTATUS MiUnlockFor4kPage ( IN PVOID CapturedBase, IN SIZE_T CapturedRegionSize, IN PEPROCESS Process ) /*++ Routine Description: This function removes the page locked attribute from the alternate table entries. Arguments: CapturedBase - Supplies the base address to be unlocked. CapturedRegionSize - Supplies the size of the region to be unlocked. Process - Supplies a pointer to the process object. Return Value: NTSTATUS. Environment: Kernel mode, address creation and working set mutexes held. Note this routine releases and reacquires the working set mutex !!! --*/ { PMMPTE PointerAltPte; PMMPTE StartAltPte; PMMPTE EndAltPte; PWOW64_PROCESS Wow64Process; PVOID EndingAddress; NTSTATUS Status; MMPTE AltPteContents; UNLOCK_WS_UNSAFE (Process); Status = STATUS_SUCCESS; Wow64Process = Process->Wow64Process; EndingAddress = (PVOID)((ULONG_PTR)CapturedBase + CapturedRegionSize - 1); StartAltPte = MiGetAltPteAddress (CapturedBase); EndAltPte = MiGetAltPteAddress (EndingAddress); PointerAltPte = StartAltPte; LOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); do { if (PointerAltPte->u.Alt.Lock == 0) { Status = STATUS_NOT_LOCKED; goto StatusReturn; } PointerAltPte += 1; } while (PointerAltPte <= EndAltPte); PointerAltPte = StartAltPte; do { AltPteContents = *PointerAltPte; AltPteContents.u.Alt.Lock = 0; MI_WRITE_ALTPTE (PointerAltPte, AltPteContents, 0x15); PointerAltPte += 1; } while (PointerAltPte <= EndAltPte); StatusReturn: UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); LOCK_WS_UNSAFE (Process); return Status; } LOGICAL MiShouldBeUnlockedFor4kPage ( IN PVOID VirtualAddress, IN PEPROCESS Process ) /*++ Routine Description: This function examines whether the page should be unlocked. Arguments: VirtualAddress - Supplies the virtual address to be examined. Process - Supplies a pointer to the process object. Return Value: None. Environment: Kernel mode, address creation and working set mutexes held. Note this routine releases and reacquires the working set mutex !!! --*/ { PMMPTE StartAltPte; PMMPTE EndAltPte; PWOW64_PROCESS Wow64Process; PVOID VirtualAligned; PVOID EndingAddress; LOGICAL PageUnlocked; UNLOCK_WS_UNSAFE (Process); PageUnlocked = TRUE; Wow64Process = Process->Wow64Process; VirtualAligned = PAGE_ALIGN(VirtualAddress); EndingAddress = (PVOID)((ULONG_PTR)VirtualAligned + PAGE_SIZE - 1); StartAltPte = MiGetAltPteAddress (VirtualAligned); EndAltPte = MiGetAltPteAddress (EndingAddress); LOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); while (StartAltPte <= EndAltPte) { if (StartAltPte->u.Alt.Lock != 0) { PageUnlocked = FALSE; } StartAltPte += 1; } UNLOCK_ALTERNATE_TABLE_UNSAFE (Wow64Process); LOCK_WS_UNSAFE (Process); return PageUnlocked; } ULONG MiMakeProtectForNativePage ( IN PVOID VirtualAddress, IN ULONG NewProtect, IN PEPROCESS Process ) /*++ Routine Description: This function makes a page protection mask for native pages. Arguments: VirtualAddress - Supplies the virtual address for the protection mask. NewProtect - Supplies the original protection. Process - Supplies a pointer to the process object. Return Value: None. Environment: Kernel mode. --*/ { PWOW64_PROCESS Wow64Process; Wow64Process = Process->Wow64Process; if (MI_CHECK_BIT(Wow64Process->AltPermBitmap, MI_VA_TO_VPN(VirtualAddress)) != 0) { if (NewProtect & PAGE_NOACCESS) { NewProtect &= ~PAGE_NOACCESS; NewProtect |= PAGE_EXECUTE_READWRITE; } if (NewProtect & PAGE_READONLY) { NewProtect &= ~PAGE_READONLY; NewProtect |= PAGE_EXECUTE_READWRITE; } if (NewProtect & PAGE_EXECUTE) { NewProtect &= ~PAGE_EXECUTE; NewProtect |= PAGE_EXECUTE_READWRITE; } if (NewProtect & PAGE_EXECUTE_READ) { NewProtect &= ~PAGE_EXECUTE_READ; NewProtect |= PAGE_EXECUTE_READWRITE; } // // Remove PAGE_GUARD as it is emulated by the Alternate Table. // if (NewProtect & PAGE_GUARD) { NewProtect &= ~PAGE_GUARD; } } return NewProtect; } VOID MiSetNativePteProtection ( PVOID VirtualAddress, ULONGLONG NewPteProtection, LOGICAL PageIsSplit, PEPROCESS CurrentProcess ) { MMPTE PteContents; MMPTE TempPte; PMMPTE PointerPte; PMMPTE PointerPde; PMMPTE PointerPpe; ULONG Waited; PointerPte = MiGetPteAddress (VirtualAddress); PointerPde = MiGetPdeAddress (VirtualAddress); PointerPpe = MiGetPpeAddress (VirtualAddress); // // Block APCs and acquire the working set lock. // LOCK_WS (CurrentProcess); // // Make the PPE and PDE exist and valid. // if (MiDoesPpeExistAndMakeValid (PointerPpe, CurrentProcess, MM_NOIRQL, &Waited) == FALSE) { UNLOCK_WS (CurrentProcess); return; } if (MiDoesPdeExistAndMakeValid (PointerPde, CurrentProcess, MM_NOIRQL, &Waited) == FALSE) { UNLOCK_WS (CurrentProcess); return; } // // Now it is safe to read PointerPte. // PteContents = *PointerPte; // // Check to see if the protection for the native page should be set // and if the access bit of the PTE should be set. // if (PteContents.u.Hard.Valid != 0) { TempPte = PteContents; // // Perform PTE protection mask corrections. // TempPte.u.Long |= NewPteProtection; if (PteContents.u.Hard.Accessed == 0) { TempPte.u.Hard.Accessed = 1; if (PageIsSplit == TRUE) { TempPte.u.Hard.Cache = MM_PTE_CACHE_RESERVED; } } MI_WRITE_VALID_PTE_NEW_PROTECTION (PointerPte, TempPte); } UNLOCK_WS (CurrentProcess); } #endif