Fix memory corruption vulnerabilities in ntoskrnl from unsafe string operations

ntoskrnl/config/i386/cmhardwr.c

@@ -364,7 +364,7 @@ CmpInitializeMachineDependentConfiguration(IN PLOADER_PARAMETER_BLOCK LoaderBloc
             if (!Prcb->CpuID)
             {
                 /* Build 80x86-style string for older CPUs */
-                sprintf(Buffer,
+                snprintf(Buffer, sizeof(Buffer),
                         "80%u86-%c%x",
                         Prcb->CpuType,
                         (Prcb->CpuStep >> 8) + 'A',
@@ -373,7 +373,7 @@ CmpInitializeMachineDependentConfiguration(IN PLOADER_PARAMETER_BLOCK LoaderBloc
             else
             {
                 /* Build full ID string for newer CPUs */
-                sprintf(Buffer,
+                snprintf(Buffer, sizeof(Buffer),
                         CmpFullCpuID,
                         "x86",
                         Prcb->CpuType,
@@ -398,7 +398,7 @@ CmpInitializeMachineDependentConfiguration(IN PLOADER_PARAMETER_BLOCK LoaderBloc
             }
 
             /* ID string has the same style for all 64-bit CPUs */
-            sprintf(Buffer,
+            snprintf(Buffer, sizeof(Buffer),
                     CmpFullCpuID,
                     FamilyId,
                     Prcb->CpuType,
@@ -437,7 +437,11 @@ CmpInitializeMachineDependentConfiguration(IN PLOADER_PARAMETER_BLOCK LoaderBloc
                 ConfigData.ComponentEntry.Identifier = Buffer;
 
                 /* For 386 cpus, the CPU pp is the identifier */
-                if (Prcb->CpuType == 3) strcpy(Buffer, "80387");
+                if (Prcb->CpuType == 3)
+                {
+                    strncpy(Buffer, "80387", sizeof(Buffer) - 1);
+                    Buffer[sizeof(Buffer) - 1] = '\0';
+                }
 
                 /* Save the ID string length now that we've created it */
                 ConfigData.ComponentEntry.IdentifierLength = (ULONG)strlen(Buffer) + 1;

ntoskrnl/ex/init.c

@@ -168,10 +168,12 @@ ExpCreateSystemRootLink(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
                                SePublicDefaultUnrestrictedSd);
 
     /* Build the ARC name */
-    sprintf(Buffer,
-            "\\ArcName\\%s%s",
+    if (snprintf(Buffer, sizeof(Buffer), "\\ArcName\\%s%s",
             LoaderBlock->ArcBootDeviceName,
-            LoaderBlock->NtBootPathName);
+            LoaderBlock->NtBootPathName) >= (int)sizeof(Buffer))
+    {
+        DPRINT1("ARC name path too long, truncated\n");
+    }
     Buffer[strlen(Buffer) - 1] = ANSI_NULL;
 
     /* Convert it to Unicode */
@@ -1072,7 +1074,7 @@ ExpInitializeExecutive(IN ULONG Cpu,
 #endif
 
     /* Setup NT System Root Path */
-    sprintf(Buffer, "C:%s", LoaderBlock->NtBootPathName);
+    snprintf(Buffer, sizeof(Buffer), "C:%s", LoaderBlock->NtBootPathName);
 
     /* Convert to ANSI_STRING and null-terminate it */
     RtlInitString(&AnsiPath, Buffer);

ntoskrnl/fstub/disksup.c

@@ -957,8 +957,13 @@ xHalIoAssignDriveLetters(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
         /* For a remote boot, assign X drive letter */
         NtSystemPath[0] = 'X';
         NtSystemPath[1] = ':';
-        /* And copy the end of the boot path */
-        strcpy((PSTR)&NtSystemPath[2], Last);
+        /* And copy the end of the boot path - use strncpy with bounds checking
+         * NtSystemPath is expected to be at least 260 bytes (typical MAX_PATH)
+         * We've used 2 bytes for "X:", leaving 258 bytes.
+         * We copy at most 256 characters to leave room for null terminator. */
+        strncpy((PSTR)&NtSystemPath[2], Last, 256);
+        /* Ensure null termination - _vsnprintf should have done this, but be explicit */
+        NtSystemPath[259] = '\0';
 
         /* If we had to remove the trailing separator, remove it here too */
         if (Saved != NULL)

ntoskrnl/fstub/fstubex.c

@@ -1889,7 +1889,7 @@ IoGetBootDiskInformation(IN OUT PBOOTDISK_INFORMATION BootDiskInformation,
     for (DiskNumber = 0; DiskNumber < DiskCount; DiskNumber++)
     {
         /* Create the device name */
-        sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition0", DiskNumber);
+        snprintf(Buffer, sizeof(Buffer), "\\Device\\Harddisk%lu\\Partition0", DiskNumber);
         RtlInitAnsiString(&DeviceStringA, Buffer);
         Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
         if (!NT_SUCCESS(Status))
@@ -1977,14 +1977,17 @@ IoGetBootDiskInformation(IN OUT PBOOTDISK_INFORMATION BootDiskInformation,
                 IopVerifyDiskSignature(DriveLayout, ArcDiskSignature, &Signature))
             {
                 /* Create ARC name */
-                sprintf(ArcBuffer, "\\ArcName\\%s", ArcDiskSignature->ArcName);
+                if (snprintf(ArcBuffer, sizeof(ArcBuffer), "\\ArcName\\%s", ArcDiskSignature->ArcName) >= (int)sizeof(ArcBuffer))
+                {
+                    DPRINT1("ArcName path too long, truncated\n");
+                }
                 RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
 
                 /* Browse all partitions */
                 for (PartitionNumber = 1; PartitionNumber <= DriveLayout->PartitionCount; PartitionNumber++)
                 {
                     /* Create its device name */
-                    sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition%lu", DiskNumber, PartitionNumber);
+                    snprintf(Buffer, sizeof(Buffer), "\\Device\\Harddisk%lu\\Partition%lu", DiskNumber, PartitionNumber);
                     RtlInitAnsiString(&DeviceStringA, Buffer);
                     Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
                     if (!NT_SUCCESS(Status))
@@ -1999,7 +2002,10 @@ IoGetBootDiskInformation(IN OUT PBOOTDISK_INFORMATION BootDiskInformation,
                     }
 
                     /* Create partial ARC name */
-                    sprintf(ArcBuffer, "%spartition(%lu)", ArcDiskSignature->ArcName, PartitionNumber);
+                    if (snprintf(ArcBuffer, sizeof(ArcBuffer), "%spartition(%lu)", ArcDiskSignature->ArcName, PartitionNumber) >= (int)sizeof(ArcBuffer))
+                    {
+                        DPRINT1("ArcName partition path too long, truncated\n");
+                    }
                     RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
 
                     /* If it's matching boot string */

ntoskrnl/io/iomgr/arcname.c

@@ -52,14 +52,20 @@ IopCreateArcNames(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
                  &ArcDiskInfo->DiskSignatureListHead);
 
     /* Create the firmware system loader / HAL partition global name */
-    sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcHalDeviceName);
+    if (snprintf(Buffer, sizeof(Buffer), "\\ArcName\\%s", LoaderBlock->ArcHalDeviceName) >= (int)sizeof(Buffer))
+    {
+        DPRINT1("ArcHalDeviceName path too long, truncated\n");
+    }
     RtlInitAnsiString(&ArcString, Buffer);
     Status = RtlAnsiStringToUnicodeString(&IoArcHalDeviceName, &ArcString, TRUE);
     if (!NT_SUCCESS(Status))
         return Status;
 
     /* Create the OS boot partition global name */
-    sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName);
+    if (snprintf(Buffer, sizeof(Buffer), "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName) >= (int)sizeof(Buffer))
+    {
+        DPRINT1("ArcBootDeviceName path too long, truncated\n");
+    }
     RtlInitAnsiString(&ArcString, Buffer);
     Status = RtlAnsiStringToUnicodeString(&IoArcBootDeviceName, &ArcString, TRUE);
     if (!NT_SUCCESS(Status))
@@ -100,7 +106,10 @@ IopCreateArcNames(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
         }
 
         /* Get ARC booting device name (in net(0) something) */
-        sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName);
+        if (snprintf(Buffer, sizeof(Buffer), "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName) >= (int)sizeof(Buffer))
+        {
+            DPRINT1("ArcBootDeviceName path too long, truncated\n");
+        }
         RtlInitAnsiString(&ArcString, Buffer);
         Status = RtlAnsiStringToUnicodeString(&BootDeviceName, &ArcString, TRUE);
         if (NT_SUCCESS(Status))
@@ -303,7 +312,7 @@ IopCreateArcNamesCd(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
             }
 
             /* Finally, build proper device name */
-            sprintf(Buffer, "\\Device\\CdRom%lu", DeviceNumber.DeviceNumber);
+            snprintf(Buffer, sizeof(Buffer), "\\Device\\CdRom%lu", DeviceNumber.DeviceNumber);
             RtlInitAnsiString(&DeviceStringA, Buffer);
             Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
             if (!NT_SUCCESS(Status))
@@ -315,7 +324,7 @@ IopCreateArcNamesCd(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
         else
         {
             /* Create device name for the cd */
-            sprintf(Buffer, "\\Device\\CdRom%lu", EnabledDisks++);
+            snprintf(Buffer, sizeof(Buffer), "\\Device\\CdRom%lu", EnabledDisks++);
             RtlInitAnsiString(&DeviceStringA, Buffer);
             Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
             if (!NT_SUCCESS(Status))
@@ -373,7 +382,10 @@ IopCreateArcNamesCd(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
         if (CheckSum + ArcDiskSignature->CheckSum == 0)
         {
             /* Create ARC name */
-            sprintf(ArcBuffer, "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName);
+            if (snprintf(ArcBuffer, sizeof(ArcBuffer), "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName) >= (int)sizeof(ArcBuffer))
+            {
+                DPRINT1("ArcBootDeviceName path too long, truncated\n");
+            }
             RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
             Status = RtlAnsiStringToUnicodeString(&ArcNameStringW, &ArcNameStringA, TRUE);
             if (NT_SUCCESS(Status))
@@ -553,7 +565,7 @@ IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
         else
         {
             /* Create device name for the disk */
-            sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition0", DiskNumber);
+            snprintf(Buffer, sizeof(Buffer), "\\Device\\Harddisk%lu\\Partition0", DiskNumber);
             RtlInitAnsiString(&DeviceStringA, Buffer);
             Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
             if (!NT_SUCCESS(Status))
@@ -712,7 +724,7 @@ IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
                  (ArcDiskSignature->CheckSum + CheckSum == 0)))
             {
                 /* Create device name */
-                sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition0",
+                snprintf(Buffer, sizeof(Buffer), "\\Device\\Harddisk%lu\\Partition0",
                         (DeviceNumber.DeviceNumber != ULONG_MAX) ? DeviceNumber.DeviceNumber : DiskNumber);
                 RtlInitAnsiString(&DeviceStringA, Buffer);
                 Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
@@ -722,7 +734,10 @@ IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
                 }
 
                 /* Create ARC name */
-                sprintf(ArcBuffer, "\\ArcName\\%s", ArcDiskSignature->ArcName);
+                if (snprintf(ArcBuffer, sizeof(ArcBuffer), "\\ArcName\\%s", ArcDiskSignature->ArcName) >= (int)sizeof(ArcBuffer))
+                {
+                    DPRINT1("ArcName path too long, truncated\n");
+                }
                 RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
                 Status = RtlAnsiStringToUnicodeString(&ArcNameStringW, &ArcNameStringA, TRUE);
                 if (!NT_SUCCESS(Status))
@@ -742,7 +757,7 @@ IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
                 for (i = 1; i <= DriveLayout->PartitionCount; i++)
                 {
                     /* Create device name */
-                    sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition%lu",
+                    snprintf(Buffer, sizeof(Buffer), "\\Device\\Harddisk%lu\\Partition%lu",
                             (DeviceNumber.DeviceNumber != ULONG_MAX) ? DeviceNumber.DeviceNumber : DiskNumber, i);
                     RtlInitAnsiString(&DeviceStringA, Buffer);
                     Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
@@ -752,7 +767,10 @@ IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
                     }
 
                     /* Create partial ARC name */
-                    sprintf(ArcBuffer, "%spartition(%lu)", ArcDiskSignature->ArcName, i);
+                    if (snprintf(ArcBuffer, sizeof(ArcBuffer), "%spartition(%lu)", ArcDiskSignature->ArcName, i) >= (int)sizeof(ArcBuffer))
+                    {
+                        DPRINT1("ArcName partition path too long, truncated\n");
+                    }
                     RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
 
                     /* Is that boot device? */
@@ -780,7 +798,10 @@ IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
                     }
 
                     /* Create complete ARC name */
-                    sprintf(ArcBuffer, "\\ArcName\\%spartition(%lu)", ArcDiskSignature->ArcName, i);
+                    if (snprintf(ArcBuffer, sizeof(ArcBuffer), "\\ArcName\\%spartition(%lu)", ArcDiskSignature->ArcName, i) >= (int)sizeof(ArcBuffer))
+                    {
+                        DPRINT1("ArcName complete path too long, truncated\n");
+                    }
                     RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
                     Status = RtlAnsiStringToUnicodeString(&ArcNameStringW, &ArcNameStringA, TRUE);
                     if (!NT_SUCCESS(Status))
@@ -848,7 +869,10 @@ IopReassignSystemRoot(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
     HANDLE LinkHandle;
 
     /* Create the Unicode name for the current ARC boot device */
-    sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName);
+    if (snprintf(Buffer, sizeof(Buffer), "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName) >= (int)sizeof(Buffer))
+    {
+        DPRINT1("ArcBootDeviceName path too long, truncated\n");
+    }
     RtlInitAnsiString(&TargetString, Buffer);
     Status = RtlAnsiStringToUnicodeString(&TargetName, &TargetString, TRUE);
     if (!NT_SUCCESS(Status)) return FALSE;
@@ -913,7 +937,10 @@ IopReassignSystemRoot(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
     ObCloseHandle(LinkHandle, KernelMode);
 
     /* Now create the new name for it */
-    sprintf(Buffer, "%s%s", ArcString.Buffer, LoaderBlock->NtBootPathName);
+    if (snprintf(Buffer, sizeof(Buffer), "%s%s", ArcString.Buffer, LoaderBlock->NtBootPathName) >= (int)sizeof(Buffer))
+    {
+        DPRINT1("Boot path too long, truncated\n");
+    }
 
     /* Copy it into the passed parameter and null-terminate it */
     RtlCopyString(NtBootPath, &ArcString);

ntoskrnl/io/iomgr/iomdl.c

@@ -105,6 +105,7 @@ IoBuildPartialMdl(IN PMDL SourceMdl,
                        MDL_SOURCE_IS_NONPAGED_POOL |
                        MDL_MAPPED_TO_SYSTEM_VA |
                        MDL_IO_SPACE);
+    ULONG PageCount;
 
     /* Calculate the offset */
     Offset = (ULONG)((ULONG_PTR)VirtualAddress -
@@ -121,7 +122,7 @@ IoBuildPartialMdl(IN PMDL SourceMdl,
     TargetMdl->ByteOffset = BYTE_OFFSET(VirtualAddress);
 
     /* Recalculate the length in pages */
-    Length = ADDRESS_AND_SIZE_TO_SPAN_PAGES(VirtualAddress, Length);
+    PageCount = ADDRESS_AND_SIZE_TO_SPAN_PAGES(VirtualAddress, Length);
 
     /* Set the MDL Flags */
     TargetMdl->MdlFlags &= (MDL_ALLOCATED_FIXED_SIZE | MDL_ALLOCATED_MUST_SUCCEED);
@@ -135,7 +136,12 @@ IoBuildPartialMdl(IN PMDL SourceMdl,
     Offset = (ULONG)(((ULONG_PTR)TargetMdl->StartVa -
                       (ULONG_PTR)SourceMdl->StartVa) >> PAGE_SHIFT);
     SourcePages += Offset;
-    RtlCopyMemory(TargetPages, SourcePages, Length * sizeof(PFN_NUMBER));
+
+    /* Ensure the target MDL was allocated with enough space for the PFN array
+     * The MDL should have been allocated via IoAllocateMdl with the correct page count */
+    ASSERT(PageCount <= (TargetMdl->Size - sizeof(MDL)) / sizeof(PFN_NUMBER));
+
+    RtlCopyMemory(TargetPages, SourcePages, PageCount * sizeof(PFN_NUMBER));
 }
 
 /*

ntoskrnl/io/iomgr/iomgr.c

@@ -405,7 +405,10 @@ IopMarkBootPartition(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
     PFILE_OBJECT FileObject;
 
     /* Build the ARC device name */
-    sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName);
+    if (snprintf(Buffer, sizeof(Buffer), "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName) >= (int)sizeof(Buffer))
+    {
+        DPRINT1("ArcBootDeviceName path too long, truncated\n");
+    }
     RtlInitAnsiString(&DeviceString, Buffer);
     Status = RtlAnsiStringToUnicodeString(&DeviceName, &DeviceString, TRUE);
     if (!NT_SUCCESS(Status)) return FALSE;

ntoskrnl/kd64/kdprint.c

@@ -531,17 +531,29 @@ KdpDprintf(
 {
     STRING String;
     USHORT Length;
+    int Ret;
     va_list ap;
     CHAR Buffer[512];
 
     /* Format the string */
     va_start(ap, Format);
-    Length = (USHORT)_vsnprintf(Buffer,
-                                sizeof(Buffer),
-                                Format,
-                                ap);
+    Ret = _vsnprintf(Buffer,
+                     sizeof(Buffer),
+                     Format,
+                     ap);
     va_end(ap);
 
+    /* Check for overflow: _vsnprintf returns -1 if output was truncated.
+     * _vsnprintf null-terminates the buffer when the size parameter includes space for it. */
+    if (Ret < 0)
+    {
+        Length = sizeof(Buffer) - 1;
+    }
+    else
+    {
+        Length = (USHORT)Ret;
+    }
+
     /* Set it up */
     String.Buffer = Buffer;
     String.Length = String.MaximumLength = Length;

ntoskrnl/kdbg/i386/i386-dis.c

@@ -3129,8 +3129,21 @@ putop (const char *template, int sizeflag)
 static void
 oappend (const char *s)
 {
-  strcpy (obufp, s);
-  obufp += strlen (s);
+  size_t slen = strlen(s);
+  size_t remaining = sizeof(obuf) - (obufp - obuf) - 1;
+
+  /* Only copy what fits in the buffer */
+  if (slen > remaining)
+    slen = remaining;
+
+  if (slen > 0)
+  {
+    memcpy(obufp, s, slen);
+    obufp += slen;
+  }
+
+  /* Ensure null termination */
+  *obufp = '\0';
 }
 
 static void