Remove absolute registry path in filter driver for 26H1 HLK#40
Signed-off-by: chehan <chehan@qti.qualcomm.com>
| { | ||
| UNICODE_STRING ucSetEntryName; | ||
| ntStatus = ZwSetValueKey | ||
| ( |
ZwSetValueKey is called with size FriendlyName->Length + sizeof(WCHAR), reading one WCHAR past the end of the declared string data. UNICODE_STRING.Length never includes a null terminator, so this is only safe when FriendlyName->MaximumLength >= FriendlyName->Length + sizeof(WCHAR). The validation at the top checks Length==0 but not MaximumLength. A caller passing a UNICODE_STRING whose buffer is exactly Length bytes with no trailing null triggers an out-of-bounds read. Add a guard before ZwSetValueKey: if (FriendlyName->MaximumLength < FriendlyName->Length + sizeof(WCHAR)) { ZwClose(hHwKey); return STATUS_INVALID_PARAMETER; }
| DbgPrint("<%s> QCFilterSetFriendlyName: ZwQueryKey size query failed 0x%x\n", | ||
| pDevExt->PortName, ntStatus); | ||
| ZwClose(hDevParamsKey); | ||
| return STATUS_UNSUCCESSFUL; |
When the first ZwQueryKey size-query call returns an unexpected status (neither STATUS_BUFFER_TOO_SMALL nor STATUS_BUFFER_OVERFLOW), the original ntStatus is discarded and the generic STATUS_UNSUCCESSFUL is returned. This makes it impossible to distinguish STATUS_ACCESS_DENIED from STATUS_INVALID_HANDLE in diagnostics. Maybe return ntStatus directly instead of STATUS_UNSUCCESSFUL to preserve the original error code?
| // Step 3: Strip the "\Device Parameters" suffix from the full reg path | ||
| // | ||
| hwKeyPath.Buffer = pKeyNameInfo->Name; | ||
| hwKeyPath.Length = (USHORT)pKeyNameInfo->NameLength; |
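Review bot: the assignment `hwKeyPath.Length = (USHORT)pKeyNameInfo->NameLength;` silently truncates any NameLength above 0xFFFF, and the suffix strip announced in the comment on the first line of this hunk has no visible check that Name actually ends with `\Device Parameters` before the suffix length is subtracted. Guard both before the assignment: return STATUS_INVALID_PARAMETER when NameLength exceeds MAXUSHORT, and when the tail of Name (compared case-insensitively, as registry key names are) does not match the suffix, so that a path shorter than the suffix cannot wrap Length. Set hwKeyPath.MaximumLength alongside Length as well, so the UNICODE_STRING is fully initialised before it is handed to ZwOpenKey.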
KEY_NAME_INFORMATION.NameLength to USHORT, potential overflow? I know it won't be common but still.
Summary
Windows 26H1 HLK test fails with:
Fix
qcfilter.c
- Implement QCFilterSetFriendlyName: writes FriendlyName (REG_SZ) to the device hardware key (HKLM\SYSTEM\CurrentControlSet\Enum\...\<instance>) using no hard-coded absolute registry paths, only:
  - Device Parameters via IoOpenDeviceRegistryKey(PDO, PLUGPLAY_REGKEY_DEVICE)
  - ZwQueryKey(KeyNameInformation) and stripping the \Device Parameters suffix.
  - ZwOpenKey(KEY_SET_VALUE).
  - ZwSetValueKey(REG_SZ), including the null terminator (Length + sizeof(WCHAR)).
- Fix null-pointer issue in QCFilterCreateFriendlyName: add && pSwInstance != NULL guard before passing pSwInstance to RtlStringCbCatW, preventing a kernel crash when the driver key path does not contain a \ separator.
Testing
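The two guards raised in the review comments (a FriendlyName buffer that really has room for the terminator ZwSetValueKey is told to copy, and a bounded, verified strip of the \Device Parameters suffix before the USHORT cast), as an added example written for this page and not code from the qcfilter PR. It is modelled in user-mode C so it compiles without the WDK; the redeclared UNICODE_STRING, WCHAR and MAXUSHORT, the helper names, and the sample key paths are all assumptions.

```c
/* Added example, not code from the qcfilter PR: user-mode model of the two bounds
 * checks raised in review; WDK types are redeclared so it builds without ntddk.h. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
typedef uint16_t WCHAR;
typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#define MAXUSHORT 0xFFFFu

/* Check 1: ZwSetValueKey(REG_SZ) gets Length + sizeof(WCHAR) bytes, so the caller's
 * buffer must really have a terminator slot after Length bytes (MaximumLength). */
bool friendly_name_has_room_for_null(const UNICODE_STRING *s) {
    if (s == NULL || s->Buffer == NULL || s->Length == 0) return false;
    if (s->Length % sizeof(WCHAR) != 0) return false;
    return (ULONG)s->MaximumLength >= (ULONG)s->Length + sizeof(WCHAR);
}

/* Check 2: strip "\Device Parameters" from a KEY_NAME_INFORMATION name. Returns
 * the shortened byte length, or 0 when NameLength does not fit a USHORT or the
 * suffix is absent. Key names are case-insensitive, so ASCII case is folded. */
static const WCHAR kSuffix[] = { '\\','D','e','v','i','c','e',' ',
                                 'P','a','r','a','m','e','t','e','r','s' };
USHORT strip_device_parameters(const WCHAR *name, ULONG name_length) {
    const ULONG suffix_bytes = (ULONG)sizeof kSuffix;
    if (name == NULL || name_length > MAXUSHORT || name_length % sizeof(WCHAR))
        return 0;
    if (name_length <= suffix_bytes) return 0;  /* nothing would be left */
    const WCHAR *tail = name + (name_length - suffix_bytes) / sizeof(WCHAR);
    for (size_t i = 0; i < sizeof kSuffix / sizeof kSuffix[0]; i++) {
        WCHAR a = tail[i], b = kSuffix[i];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return 0;
    }
    return (USHORT)(name_length - suffix_bytes);
}

/* Helpers that feed constructed ASCII samples through the checks (assumed names). */
static WCHAR g_buf[128];
static ULONG to_wchar(const char *s) {
    size_t n = strlen(s);
    if (n > sizeof g_buf / sizeof g_buf[0]) return 0;
    for (size_t i = 0; i < n; i++) g_buf[i] = (WCHAR)(unsigned char)s[i];
    return (ULONG)(n * sizeof(WCHAR));
}
USHORT strip_ascii(const char *key_path) { return strip_device_parameters(g_buf, to_wchar(key_path)); }
bool model_friendly_name(const char *ascii, USHORT maximum_length) {
    UNICODE_STRING u = { (USHORT)to_wchar(ascii), maximum_length, g_buf };
    return friendly_name_has_room_for_null(&u);
}
```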