diff --git a/ntoskrnl/config/i386/cmhardwr.c b/ntoskrnl/config/i386/cmhardwr.c
index ec5532faff202..e4913ae81328f 100644
--- a/ntoskrnl/config/i386/cmhardwr.c
+++ b/ntoskrnl/config/i386/cmhardwr.c
@@ -364,7 +364,7 @@ CmpInitializeMachineDependentConfiguration(IN PLOADER_PARAMETER_BLOCK LoaderBloc
 if (!Prcb->CpuID)
 {
 /* Build 80x86-style string for older CPUs */
- sprintf(Buffer,
+ snprintf(Buffer, sizeof(Buffer),
 "80%u86-%c%x",
 Prcb->CpuType,
 (Prcb->CpuStep >> 8) + 'A',
@@ -373,7 +373,7 @@ CmpInitializeMachineDependentConfiguration(IN PLOADER_PARAMETER_BLOCK LoaderBloc
 else
 {
 /* Build full ID string for newer CPUs */
- sprintf(Buffer,
+ snprintf(Buffer, sizeof(Buffer),
 CmpFullCpuID,
 "x86",
 Prcb->CpuType,
@@ -398,7 +398,7 @@ CmpInitializeMachineDependentConfiguration(IN PLOADER_PARAMETER_BLOCK LoaderBloc
 }
 
 /* ID string has the same style for all 64-bit CPUs */
- sprintf(Buffer,
+ snprintf(Buffer, sizeof(Buffer),
 CmpFullCpuID,
 FamilyId,
 Prcb->CpuType,
@@ -437,7 +437,11 @@ CmpInitializeMachineDependentConfiguration(IN PLOADER_PARAMETER_BLOCK LoaderBloc
 ConfigData.ComponentEntry.Identifier = Buffer;
 
 /* For 386 cpus, the CPU pp is the identifier */
- if (Prcb->CpuType == 3) strcpy(Buffer, "80387");
+ if (Prcb->CpuType == 3)
+ {
+ strncpy(Buffer, "80387", sizeof(Buffer) - 1);
+ Buffer[sizeof(Buffer) - 1] = '\0';
+ }
 
 /* Save the ID string length now that we've created it */
 ConfigData.ComponentEntry.IdentifierLength = (ULONG)strlen(Buffer) + 1;
diff --git a/ntoskrnl/ex/init.c b/ntoskrnl/ex/init.c
index 3487efe3b8535..dbe2e1dc6baea 100644
--- a/ntoskrnl/ex/init.c
+++ b/ntoskrnl/ex/init.c
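Review bot: In the @@ -437 hunk, `strncpy` plus a manual terminator for the five-byte literal "80387" is two lines of ceremony that the other three hunks in this file avoid; `snprintf(Buffer, sizeof(Buffer), "80387");` gives the same bound in one line and keeps the file on a single idiom. All four hunks depend on `sizeof(Buffer)` being the array length, which only holds if `Buffer` is a `CHAR[]` local rather than a pointer — its declaration lies outside the hunks, so it is worth confirming. Truncation in the first three hunks is silent; `IdentifierLength` is derived from `strlen(Buffer)` afterwards so the registry value stays self-consistent, but a `DPRINT1` on truncation, as the other files in this commit do, would make a clipped CPU identifier diagnosable. CmpInitializeMachineDependentConfiguration continues outside all four hunks.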
@@ -168,10 +168,12 @@ ExpCreateSystemRootLink(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
 SePublicDefaultUnrestrictedSd);
 
 /* Build the ARC name */
- sprintf(Buffer,
- "\\ArcName\\%s%s",
+ if (snprintf(Buffer, sizeof(Buffer), "\\ArcName\\%s%s",
 LoaderBlock->ArcBootDeviceName,
- LoaderBlock->NtBootPathName);
+ LoaderBlock->NtBootPathName) >= (int)sizeof(Buffer))
+ {
+ DPRINT1("ARC name path too long, truncated\n");
+ }
 Buffer[strlen(Buffer) - 1] = ANSI_NULL;
 
 /* Convert it to Unicode */
@@ -1072,7 +1074,7 @@ ExpInitializeExecutive(IN ULONG Cpu,
 #endif
 
 /* Setup NT System Root Path */
- sprintf(Buffer, "C:%s", LoaderBlock->NtBootPathName);
+ snprintf(Buffer, sizeof(Buffer), "C:%s", LoaderBlock->NtBootPathName);
 
 /* Convert to ANSI_STRING and null-terminate it */
 RtlInitString(&AnsiPath, Buffer);
diff --git a/ntoskrnl/fstub/disksup.c b/ntoskrnl/fstub/disksup.c
index 44b0e6453c9dc..28f5c5a8f5535 100644
--- a/ntoskrnl/fstub/disksup.c
+++ b/ntoskrnl/fstub/disksup.c
@@ -957,8 +957,13 @@ xHalIoAssignDriveLetters(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
 /* For a remote boot, assign X drive letter */
 NtSystemPath[0] = 'X';
 NtSystemPath[1] = ':';
- /* And copy the end of the boot path */
- strcpy((PSTR)&NtSystemPath[2], Last);
+ /* And copy the end of the boot path - use strncpy with bounds checking
+ * NtSystemPath is expected to be at least 260 bytes (typical MAX_PATH)
+ * We've used 2 bytes for "X:", leaving 258 bytes.
+ * We copy at most 256 characters to leave room for null terminator. */
+ strncpy((PSTR)&NtSystemPath[2], Last, 256);
+ /* Ensure null termination - _vsnprintf should have done this, but be explicit */
+ NtSystemPath[259] = '\0';
 
 /* If we had to remove the trailing separator, remove it here too */
 if (Saved != NULL)
diff --git a/ntoskrnl/fstub/fstubex.c b/ntoskrnl/fstub/fstubex.c
index e4e5b4bfa1dcc..5918a95421b20 100644
--- a/ntoskrnl/fstub/fstubex.c
+++ b/ntoskrnl/fstub/fstubex.c
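Review bot: The truncation test `>= (int)sizeof(Buffer)` in the @@ -168 hunk assumes C99 snprintf semantics, yet the kdprint.c hunk in this same commit documents the kernel's `_vsnprintf` as returning -1 on truncation; if `snprintf` here resolves to that CRT family (not visible in the hunk) the branch never fires on overflow and, under those semantics, `Buffer` may not even be NUL-terminated when `strlen(Buffer)` runs two lines later. A test that is right under either contract is `int Len = snprintf(Buffer, sizeof(Buffer), ...); if (Len < 0 || Len >= (int)sizeof(Buffer))`, and for the link the boot depends on an error return fits better than a DPRINT1 that carries on with a clipped path. Note also that `Buffer[strlen(Buffer) - 1] = ANSI_NULL;` strips the trailing separator only when nothing was truncated; after truncation it removes a real path character instead. The same `>=`-only check recurs in the fstubex.c, arcname.c and iomgr.c hunks; ExpCreateSystemRootLink continues outside the hunk.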
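Review bot: The @@ -957 hunk hard-codes 260/259/256 as the size of `NtSystemPath` with nothing in the hunk establishing it — the buffer's declaration (or, if it is a parameter, its caller-supplied size) lies outside the hunk, and an assumed length is exactly what a bounded copy is meant to replace. Even granting 260 bytes, `strncpy(..., 256)` with a `Last` of 256 or more characters writes no terminator, leaves byte 258 holding whatever was there before and only clears byte 259, so the string can end one stale character late; copying 257 (`strncpy((PSTR)&NtSystemPath[2], Last, 257);`) uses the whole remaining room and lets the explicit `NtSystemPath[259] = '\0';` terminate it. Give the length a name rather than three related magic numbers, and drop the remark about `_vsnprintf` in the second comment, which refers to nothing visible here. xHalIoAssignDriveLetters continues outside the hunk.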
@@ -1889,7 +1889,7 @@ IoGetBootDiskInformation(IN OUT PBOOTDISK_INFORMATION BootDiskInformation,
 for (DiskNumber = 0; DiskNumber < DiskCount; DiskNumber++)
 {
 /* Create the device name */
- sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition0", DiskNumber);
+ snprintf(Buffer, sizeof(Buffer), "\\Device\\Harddisk%lu\\Partition0", DiskNumber);
 RtlInitAnsiString(&DeviceStringA, Buffer);
 Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
 if (!NT_SUCCESS(Status))
@@ -1977,14 +1977,17 @@ IoGetBootDiskInformation(IN OUT PBOOTDISK_INFORMATION BootDiskInformation,
 IopVerifyDiskSignature(DriveLayout, ArcDiskSignature, &Signature))
 {
 /* Create ARC name */
- sprintf(ArcBuffer, "\\ArcName\\%s", ArcDiskSignature->ArcName);
+ if (snprintf(ArcBuffer, sizeof(ArcBuffer), "\\ArcName\\%s", ArcDiskSignature->ArcName) >= (int)sizeof(ArcBuffer))
+ {
+ DPRINT1("ArcName path too long, truncated\n");
+ }
 RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
 
 /* Browse all partitions */
 for (PartitionNumber = 1; PartitionNumber <= DriveLayout->PartitionCount; PartitionNumber++)
 {
 /* Create its device name */
- sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition%lu", DiskNumber, PartitionNumber);
+ snprintf(Buffer, sizeof(Buffer), "\\Device\\Harddisk%lu\\Partition%lu", DiskNumber, PartitionNumber);
 RtlInitAnsiString(&DeviceStringA, Buffer);
 Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
 if (!NT_SUCCESS(Status))
@@ -1999,7 +2002,10 @@ IoGetBootDiskInformation(IN OUT PBOOTDISK_INFORMATION BootDiskInformation,
 }
 
 /* Create partial ARC name */
- sprintf(ArcBuffer, "%spartition(%lu)", ArcDiskSignature->ArcName, PartitionNumber);
+ if (snprintf(ArcBuffer, sizeof(ArcBuffer), "%spartition(%lu)", ArcDiskSignature->ArcName, PartitionNumber) >= (int)sizeof(ArcBuffer))
+ {
+ DPRINT1("ArcName partition path too long, truncated\n");
+ }
 RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
 
 /* If it's matching boot string */
diff --git a/ntoskrnl/io/iomgr/arcname.c b/ntoskrnl/io/iomgr/arcname.c
index eeabf0e461a4e..796515c528740 100644
--- a/ntoskrnl/io/iomgr/arcname.c
+++ b/ntoskrnl/io/iomgr/arcname.c
@@ -52,14 +52,20 @@ IopCreateArcNames(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
 &ArcDiskInfo->DiskSignatureListHead);
 
 /* Create the firmware system loader / HAL partition global name */
- sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcHalDeviceName);
+ if (snprintf(Buffer, sizeof(Buffer), "\\ArcName\\%s", LoaderBlock->ArcHalDeviceName) >= (int)sizeof(Buffer))
+ {
+ DPRINT1("ArcHalDeviceName path too long, truncated\n");
+ }
 RtlInitAnsiString(&ArcString, Buffer);
 Status = RtlAnsiStringToUnicodeString(&IoArcHalDeviceName, &ArcString, TRUE);
 if (!NT_SUCCESS(Status)) return Status;
 
 /* Create the OS boot partition global name */
- sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName);
+ if (snprintf(Buffer, sizeof(Buffer), "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName) >= (int)sizeof(Buffer))
+ {
+ DPRINT1("ArcBootDeviceName path too long, truncated\n");
+ }
 RtlInitAnsiString(&ArcString, Buffer);
 Status = RtlAnsiStringToUnicodeString(&IoArcBootDeviceName, &ArcString, TRUE);
 if (!NT_SUCCESS(Status))
@@ -100,7 +106,10 @@ IopCreateArcNames(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
 }
 
 /* Get ARC booting device name (in net(0) something) */
- sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName);
+ if (snprintf(Buffer, sizeof(Buffer), "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName) >= (int)sizeof(Buffer))
+ {
+ DPRINT1("ArcBootDeviceName path too long, truncated\n");
+ }
 RtlInitAnsiString(&ArcString, Buffer);
 Status = RtlAnsiStringToUnicodeString(&BootDeviceName, &ArcString, TRUE);
 if (NT_SUCCESS(Status))
@@ -303,7 +312,7 @@ IopCreateArcNamesCd(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
 }
 
 /* Finally, build proper device name */
- sprintf(Buffer, "\\Device\\CdRom%lu", DeviceNumber.DeviceNumber);
+ snprintf(Buffer, sizeof(Buffer), "\\Device\\CdRom%lu", DeviceNumber.DeviceNumber);
 RtlInitAnsiString(&DeviceStringA, Buffer);
 Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
 if (!NT_SUCCESS(Status))
@@ -315,7 +324,7 @@ IopCreateArcNamesCd(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
 else
 {
 /* Create device name for the cd */
- sprintf(Buffer, "\\Device\\CdRom%lu", EnabledDisks++);
+ snprintf(Buffer, sizeof(Buffer), "\\Device\\CdRom%lu", EnabledDisks++);
 RtlInitAnsiString(&DeviceStringA, Buffer);
 Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
 if (!NT_SUCCESS(Status))
@@ -373,7 +382,10 @@ IopCreateArcNamesCd(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
 if (CheckSum + ArcDiskSignature->CheckSum == 0)
 {
 /* Create ARC name */
- sprintf(ArcBuffer, "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName);
+ if (snprintf(ArcBuffer, sizeof(ArcBuffer), "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName) >= (int)sizeof(ArcBuffer))
+ {
+ DPRINT1("ArcBootDeviceName path too long, truncated\n");
+ }
 RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
 Status = RtlAnsiStringToUnicodeString(&ArcNameStringW, &ArcNameStringA, TRUE);
 if (NT_SUCCESS(Status))
@@ -553,7 +565,7 @@ IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
 else
 {
 /* Create device name for the disk */
- sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition0", DiskNumber);
+ snprintf(Buffer, sizeof(Buffer), "\\Device\\Harddisk%lu\\Partition0", DiskNumber);
 RtlInitAnsiString(&DeviceStringA, Buffer);
 Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
 if (!NT_SUCCESS(Status))
@@ -712,7 +724,7 @@ IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
 (ArcDiskSignature->CheckSum + CheckSum == 0)))
 {
 /* Create device name */
- sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition0",
+ snprintf(Buffer, sizeof(Buffer), "\\Device\\Harddisk%lu\\Partition0",
 (DeviceNumber.DeviceNumber != ULONG_MAX) ? DeviceNumber.DeviceNumber : DiskNumber);
 RtlInitAnsiString(&DeviceStringA, Buffer);
 Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
@@ -722,7 +734,10 @@ IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
 }
 
 /* Create ARC name */
- sprintf(ArcBuffer, "\\ArcName\\%s", ArcDiskSignature->ArcName);
+ if (snprintf(ArcBuffer, sizeof(ArcBuffer), "\\ArcName\\%s", ArcDiskSignature->ArcName) >= (int)sizeof(ArcBuffer))
+ {
+ DPRINT1("ArcName path too long, truncated\n");
+ }
 RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
 Status = RtlAnsiStringToUnicodeString(&ArcNameStringW, &ArcNameStringA, TRUE);
 if (!NT_SUCCESS(Status))
@@ -742,7 +757,7 @@ IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
 for (i = 1; i <= DriveLayout->PartitionCount; i++)
 {
 /* Create device name */
- sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition%lu",
+ snprintf(Buffer, sizeof(Buffer), "\\Device\\Harddisk%lu\\Partition%lu",
 (DeviceNumber.DeviceNumber != ULONG_MAX) ? DeviceNumber.DeviceNumber : DiskNumber, i);
 RtlInitAnsiString(&DeviceStringA, Buffer);
 Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
@@ -752,7 +767,10 @@ IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
 }
 
 /* Create partial ARC name */
- sprintf(ArcBuffer, "%spartition(%lu)", ArcDiskSignature->ArcName, i);
+ if (snprintf(ArcBuffer, sizeof(ArcBuffer), "%spartition(%lu)", ArcDiskSignature->ArcName, i) >= (int)sizeof(ArcBuffer))
+ {
+ DPRINT1("ArcName partition path too long, truncated\n");
+ }
 RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
 
 /* Is that boot device? */
@@ -780,7 +798,10 @@ IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
 }
 
 /* Create complete ARC name */
- sprintf(ArcBuffer, "\\ArcName\\%spartition(%lu)", ArcDiskSignature->ArcName, i);
+ if (snprintf(ArcBuffer, sizeof(ArcBuffer), "\\ArcName\\%spartition(%lu)", ArcDiskSignature->ArcName, i) >= (int)sizeof(ArcBuffer))
+ {
+ DPRINT1("ArcName complete path too long, truncated\n");
+ }
 RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
 Status = RtlAnsiStringToUnicodeString(&ArcNameStringW, &ArcNameStringA, TRUE);
 if (!NT_SUCCESS(Status))
@@ -848,7 +869,10 @@ IopReassignSystemRoot(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
 HANDLE LinkHandle;
 
 /* Create the Unicode name for the current ARC boot device */
- sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName);
+ if (snprintf(Buffer, sizeof(Buffer), "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName) >= (int)sizeof(Buffer))
+ {
+ DPRINT1("ArcBootDeviceName path too long, truncated\n");
+ }
 RtlInitAnsiString(&TargetString, Buffer);
 Status = RtlAnsiStringToUnicodeString(&TargetName, &TargetString, TRUE);
 if (!NT_SUCCESS(Status)) return FALSE;
@@ -913,7 +937,10 @@ IopReassignSystemRoot(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
 ObCloseHandle(LinkHandle, KernelMode);
 
 /* Now create the new name for it */
- sprintf(Buffer, "%s%s", ArcString.Buffer, LoaderBlock->NtBootPathName);
+ if (snprintf(Buffer, sizeof(Buffer), "%s%s", ArcString.Buffer, LoaderBlock->NtBootPathName) >= (int)sizeof(Buffer))
+ {
+ DPRINT1("Boot path too long, truncated\n");
+ }
 
 /* Copy it into the passed parameter and null-terminate it */
 RtlCopyString(NtBootPath, &ArcString);
diff --git a/ntoskrnl/io/iomgr/iomdl.c b/ntoskrnl/io/iomgr/iomdl.c
index 8b758d4cdf4f5..deada0f04dd89 100644
--- a/ntoskrnl/io/iomgr/iomdl.c
+++ b/ntoskrnl/io/iomgr/iomdl.c
@@ -105,6 +105,7 @@ IoBuildPartialMdl(IN PMDL SourceMdl,
 MDL_SOURCE_IS_NONPAGED_POOL |
 MDL_MAPPED_TO_SYSTEM_VA |
 MDL_IO_SPACE);
+ ULONG PageCount;
 
 /* Calculate the offset */
 Offset = (ULONG)((ULONG_PTR)VirtualAddress -
@@ -121,7 +122,7 @@ IoBuildPartialMdl(IN PMDL SourceMdl,
 TargetMdl->ByteOffset = BYTE_OFFSET(VirtualAddress);
 
 /* Recalculate the length in pages */
- Length = ADDRESS_AND_SIZE_TO_SPAN_PAGES(VirtualAddress, Length);
+ PageCount = ADDRESS_AND_SIZE_TO_SPAN_PAGES(VirtualAddress, Length);
 
 /* Set the MDL Flags */
 TargetMdl->MdlFlags &= (MDL_ALLOCATED_FIXED_SIZE | MDL_ALLOCATED_MUST_SUCCEED);
@@ -135,7 +136,12 @@ IoBuildPartialMdl(IN PMDL SourceMdl,
 Offset = (ULONG)(((ULONG_PTR)TargetMdl->StartVa -
 (ULONG_PTR)SourceMdl->StartVa) >> PAGE_SHIFT);
 SourcePages += Offset;
- RtlCopyMemory(TargetPages, SourcePages, Length * sizeof(PFN_NUMBER));
+
+ /* Ensure the target MDL was allocated with enough space for the PFN array
+ * The MDL should have been allocated via IoAllocateMdl with the correct page count */
+ ASSERT(PageCount <= (TargetMdl->Size - sizeof(MDL)) / sizeof(PFN_NUMBER));
+
+ RtlCopyMemory(TargetPages, SourcePages, PageCount * sizeof(PFN_NUMBER));
 }
 
 /*
diff --git a/ntoskrnl/io/iomgr/iomgr.c b/ntoskrnl/io/iomgr/iomgr.c
index 249d93b6cae92..5a0659158b6f7 100644
--- a/ntoskrnl/io/iomgr/iomgr.c
+++ b/ntoskrnl/io/iomgr/iomgr.c
@@ -405,7 +405,10 @@ IopMarkBootPartition(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
 PFILE_OBJECT FileObject;
 
 /* Build the ARC device name */
- sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName);
+ if (snprintf(Buffer, sizeof(Buffer), "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName) >= (int)sizeof(Buffer))
+ {
+ DPRINT1("ArcBootDeviceName path too long, truncated\n");
+ }
 RtlInitAnsiString(&DeviceString, Buffer);
 Status = RtlAnsiStringToUnicodeString(&DeviceName, &DeviceString, TRUE);
 if (!NT_SUCCESS(Status)) return FALSE;
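Review bot: The new `ASSERT` in the @@ -135 hunk only guards checked builds, so in a free build an undersized target MDL still has its PFN array overrun exactly as before; if the overrun is worth catching, a runtime test that fails the call or bugchecks is needed, and the comment should not describe the assertion as ensuring anything. The bound `(TargetMdl->Size - sizeof(MDL)) / sizeof(PFN_NUMBER)` also mixes the signed `CSHORT` `Size` with a `size_t`, so a `Size` smaller than `sizeof(MDL)` wraps to a huge value and the assertion passes; comparing the other way round avoids that, e.g. `ASSERT(TargetMdl->Size >= sizeof(MDL) + PageCount * sizeof(PFN_NUMBER));`. The pagefile.c hunk adds the same assertion with the same expression and has the same two weaknesses. IoBuildPartialMdl continues outside all three hunks.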
diff --git a/ntoskrnl/kd64/kdprint.c b/ntoskrnl/kd64/kdprint.c
index 0063e55045833..b6308be95c5d7 100644
--- a/ntoskrnl/kd64/kdprint.c
+++ b/ntoskrnl/kd64/kdprint.c
@@ -531,17 +531,29 @@ KdpDprintf(
 {
 STRING String;
 USHORT Length;
+ int Ret;
 va_list ap;
 CHAR Buffer[512];
 
 /* Format the string */
 va_start(ap, Format);
- Length = (USHORT)_vsnprintf(Buffer,
- sizeof(Buffer),
- Format,
- ap);
+ Ret = _vsnprintf(Buffer,
+ sizeof(Buffer),
+ Format,
+ ap);
 va_end(ap);
 
+ /* Check for overflow: _vsnprintf returns -1 if output was truncated.
+ * _vsnprintf null-terminates the buffer when the size parameter includes space for it. */
+ if (Ret < 0)
+ {
+ Length = sizeof(Buffer) - 1;
+ }
+ else
+ {
+ Length = (USHORT)Ret;
+ }
+
 /* Set it up */
 String.Buffer = Buffer;
 String.Length = String.MaximumLength = Length;
diff --git a/ntoskrnl/kdbg/i386/i386-dis.c b/ntoskrnl/kdbg/i386/i386-dis.c
index 559a3ac167827..0862978172b30 100644
--- a/ntoskrnl/kdbg/i386/i386-dis.c
+++ b/ntoskrnl/kdbg/i386/i386-dis.c
@@ -3129,8 +3129,21 @@ putop (const char *template, int sizeflag)
 static void
 oappend (const char *s)
 {
- strcpy (obufp, s);
- obufp += strlen (s);
+ size_t slen = strlen(s);
+ size_t remaining = sizeof(obuf) - (obufp - obuf) - 1;
+
+ /* Only copy what fits in the buffer */
+ if (slen > remaining)
+ slen = remaining;
+
+ if (slen > 0)
+ {
+ memcpy(obufp, s, slen);
+ obufp += slen;
+ }
+
+ /* Ensure null termination */
+ *obufp = '\0';
 }
 
 static void
diff --git a/ntoskrnl/kdbg/kdb_cli.c b/ntoskrnl/kdbg/kdb_cli.c
index fa3df8773a955..b1f57c31ddd24 100644
--- a/ntoskrnl/kdbg/kdb_cli.c
+++ b/ntoskrnl/kdbg/kdb_cli.c
@@ -3163,6 +3163,7 @@ KdbpPrint(
 {
 static CHAR Buffer[4096];
 ULONG Length;
+ int Ret;
 va_list ap;
 
 /* Check if the user has aborted output of the current command */
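Review bot: `if (Ret < 0)` in the @@ -531 hunk catches only the MS-style -1 return; if this `_vsnprintf` follows the C99 contract and returns the would-be length, a long message yields `Ret >= sizeof(Buffer)` and `Length = (USHORT)Ret` then advertises bytes beyond the 512-byte `Buffer`. Clamp in a way that is right under either contract: `if (Ret < 0 || Ret >= (int)sizeof(Buffer)) Length = sizeof(Buffer) - 1; else Length = (USHORT)Ret;`. The comment's claim that `_vsnprintf` NUL-terminates on truncation is not something the MS implementation guarantees, and since the `STRING` built here is counted the claim is not needed either — drop it rather than rely on it. The kdb_cli.c hunk in this commit has the same check and comment and additionally removed the old `Buffer[Length] = '\0';`; keep that line there after `Length` is clamped, since the buffer was passed as `sizeof(Buffer) - 1` precisely to reserve that byte. KdpDprintf's signature is outside the hunk.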
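Review bot: `remaining = sizeof(obuf) - (obufp - obuf) - 1` in the @@ -3129 hunk wraps to a huge `size_t` if `obufp` has already been advanced to or past `obuf + sizeof(obuf) - 1` by another writer, and `oappend` would then overflow exactly as before; a leading guard such as `if ((size_t)(obufp - obuf) >= sizeof(obuf) - 1) { obufp = obuf + sizeof(obuf) - 1; *obufp = '\0'; return; }` closes that hole. The new bound also relies on `obuf` being a file-scope array (its declaration is outside the hunk) and on every other site that writes through `obufp` keeping it inside that array; that invariant deserves a one-line comment above the function. The `if (slen > 0)` guard is not needed, since `memcpy` with a zero length and valid pointers is well defined.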
@@ -3171,10 +3172,20 @@ KdbpPrint(
 
 /* Build the string */
 va_start(ap, Format);
- Length = _vsnprintf(Buffer, sizeof(Buffer) - 1, Format, ap);
- Buffer[Length] = '\0';
+ Ret = _vsnprintf(Buffer, sizeof(Buffer) - 1, Format, ap);
 va_end(ap);
 
+ /* Check for overflow: _vsnprintf returns -1 if output was truncated.
+ * _vsnprintf null-terminates the buffer when the size parameter includes space for it. */
+ if (Ret < 0)
+ {
+ Length = sizeof(Buffer) - 1;
+ }
+ else
+ {
+ Length = (ULONG)Ret;
+ }
+
 /* Actually print it */
 KdbpPagerInternal(Buffer, Length, FALSE);
 }
diff --git a/ntoskrnl/ke/arm/kiinit.c b/ntoskrnl/ke/arm/kiinit.c
index 34413f17a5755..89fb365432726 100644
--- a/ntoskrnl/ke/arm/kiinit.c
+++ b/ntoskrnl/ke/arm/kiinit.c
@@ -431,12 +431,12 @@ ULONG
 DbgPrintEarly(const char *fmt, ...)
 {
 va_list args;
- unsigned int i;
+ int Ret;
 char Buffer[1024];
 PCHAR String = Buffer;
 
 va_start(args, fmt);
- i = vsprintf(Buffer, fmt, args);
+ Ret = vsnprintf(Buffer, sizeof(Buffer), fmt, args);
 va_end(args);
 
 /* Output the message */
diff --git a/ntoskrnl/mm/pagefile.c b/ntoskrnl/mm/pagefile.c
index ae15771cad282..17cf5b1ddba62 100644
--- a/ntoskrnl/mm/pagefile.c
+++ b/ntoskrnl/mm/pagefile.c
@@ -110,7 +110,14 @@ VOID
 NTAPI
 MmBuildMdlFromPages(PMDL Mdl, PPFN_NUMBER Pages)
 {
- memcpy(Mdl + 1, Pages, sizeof(PFN_NUMBER) * (PAGE_ROUND_UP(Mdl->ByteOffset+Mdl->ByteCount)/PAGE_SIZE));
+ SIZE_T PageCount = PAGE_ROUND_UP(Mdl->ByteOffset + Mdl->ByteCount) / PAGE_SIZE;
+ SIZE_T CopySize = sizeof(PFN_NUMBER) * PageCount;
+
+ /* Ensure the MDL was allocated with enough space for the PFN array
+ * The MDL should have been allocated via IoAllocateMdl with the correct page count */
+ ASSERT(PageCount <= (Mdl->Size - sizeof(MDL)) / sizeof(PFN_NUMBER));
+
+ memcpy(Mdl + 1, Pages, CopySize);
 }
 
 
diff --git a/ntoskrnl/ps/psmgr.c b/ntoskrnl/ps/psmgr.c
index 0d80257bd46cd..96e3fcf02e4bd 100644
--- a/ntoskrnl/ps/psmgr.c
+++ b/ntoskrnl/ps/psmgr.c
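Review bot: In the @@ -431 hunk `Ret` receives the `vsnprintf` result but nothing visible reads it — DbgPrintEarly continues outside the hunk, and if the rest of the body does not consume it the assignment is dead (`-Wunused-but-set-variable`), just as the old `i` apparently was; either drop the variable and call `vsnprintf(Buffer, sizeof(Buffer), fmt, args);` for its effect alone, or use it to bound the output loop that follows. The call spells `vsnprintf` where every other hunk in this commit uses the CRT's `_vsnprintf`; if both names are declared for the ARM kernel build that is fine, but the inconsistency is worth a glance, because whichever name is used decides whether a truncated message reports -1 or the would-be length, and that in turn decides how any check on `Ret` must be written.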
@@ -484,8 +484,10 @@ PspInitPhase0(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
 NULL);
 
 /* Copy the process names */
- strcpy(PsIdleProcess->ImageFileName, "Idle");
- strcpy(PsInitialSystemProcess->ImageFileName, "System");
+ strncpy(PsIdleProcess->ImageFileName, "Idle", sizeof(PsIdleProcess->ImageFileName) - 1);
+ PsIdleProcess->ImageFileName[sizeof(PsIdleProcess->ImageFileName) - 1] = '\0';
+ strncpy(PsInitialSystemProcess->ImageFileName, "System", sizeof(PsInitialSystemProcess->ImageFileName) - 1);
+ PsInitialSystemProcess->ImageFileName[sizeof(PsInitialSystemProcess->ImageFileName) - 1] = '\0';
 
 /* Allocate a structure for the audit name */
 PsInitialSystemProcess->SeAuditProcessCreationInfo.ImageFileName =
diff --git a/ntoskrnl/ps/query.c b/ntoskrnl/ps/query.c
index b2e6288ffe08e..e9a86dc117e35 100644
--- a/ntoskrnl/ps/query.c
+++ b/ntoskrnl/ps/query.c
@@ -56,7 +56,7 @@ PCSTR
 PspDumpProcessInfoClassName(
 _In_ PROCESSINFOCLASS ProcessInformationClass)
 {
- static CHAR UnknownClassName[11];
+ static CHAR UnknownClassName[16];
 
 #define DBG_PROCESS_INFO_CLASS(InfoClass) [InfoClass] = #InfoClass
 static const PCSTR ProcessInfoClasses[] =
@@ -118,7 +118,7 @@ PspDumpProcessInfoClassName(
 return ProcessInfoClasses[ProcessInformationClass];
 }
 
- sprintf(UnknownClassName, "%lu", ProcessInformationClass);
+ snprintf(UnknownClassName, sizeof(UnknownClassName), "%lu", ProcessInformationClass);
 return UnknownClassName;
 }
 
@@ -127,7 +127,7 @@ PCSTR
 PspDumpThreadInfoClassName(
 _In_ THREADINFOCLASS ThreadInformationClass)
 {
- static CHAR UnknownClassName[11];
+ static CHAR UnknownClassName[16];
 
 #define DBG_THREAD_INFO_CLASS(InfoClass) [InfoClass] = #InfoClass
 static const PCSTR ThreadInfoClasses[] =
@@ -196,7 +196,7 @@ PspDumpThreadInfoClassName(
 return ThreadInfoClasses[ThreadInformationClass];
 }
 
- sprintf(UnknownClassName, "%lu", ThreadInformationClass);
+ snprintf(UnknownClassName, sizeof(UnknownClassName), "%lu", ThreadInformationClass);
 return UnknownClassName;
 }
 #endif // #if DBG
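Review bot: In the @@ -484 hunk `strncpy` plus an explicit terminator cannot fail for the literals "Idle" and "System", so the four new lines read as a bound that is never exercised. If the goal is a guarantee that the literals fit `ImageFileName`, say so at compile time: `C_ASSERT(sizeof("System") <= sizeof(PsInitialSystemProcess->ImageFileName));` next to a plain copy, which is the only form that breaks the build rather than silently clipping the name should the field ever shrink. If the zero-fill of the remaining bytes that `strncpy` performs is the wanted effect — it leaves the field fully initialised — a comment should say so, because it is easy to mistake for an accident. PspInitPhase0 continues outside the hunk.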
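Review bot: Growing `UnknownClassName` from 11 to 16 in the @@ -56 and @@ -127 hunks changes nothing for `%lu`: the widest 32-bit ULONG prints as ten digits plus the terminator, which eleven already held, and the `snprintf` bound in the @@ -118 and @@ -196 hunks is the actual fix — a comment such as `/* enough for any %lu plus slack */` would stop the next reader hunting for the overflow the larger size implies. `%lu` is also being handed an enum value; the widths match on this target, but `(ULONG)ProcessInformationClass` (and the thread twin) would make that explicit and keep `-Wformat` quiet. The buffer stays a shared `static`, which is acceptable for DBG-only output but deserves a word in the same comment.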