Changeset 5224 for trunk/src/win32k/dev32

Timestamp:

Feb 21, 2001, 8:47:59 AM (25 years ago)

Author:

bird

Message:

CallGate changes.

Location:

trunk/src/win32k/dev32

Files:

• d32CallGate.asm (modified) (14 diffs)
• d32Win32kIOCtl.c (modified) (5 diffs)
• d32globals.c (modified) (2 diffs)
• d32init.c (modified) (14 diffs)

trunk/src/win32k/dev32/d32CallGate.asm

@@ -1 @@
-; $Id: d32CallGate.asm,v 1.1 2001-02-20 05:00:13 bird Exp $
+; $Id: d32CallGate.asm,v 1.2 2001-02-21 07:44:57 bird Exp $
 ;
 ; 32-bit CallGate used to communitcate fast between Ring-3 and Ring-0.
@@ -11 +11 @@
     .386p
 
+;
+;   Defined Constants And Macros
+;
+    INCL_ERRORS EQU 1
+
 
 ;
 ;   Header Files
 ;
+    include bseerr.inc
     include devsegdf.inc
     include devhlp.inc
+    include win32k.inc
 
 
@@ -22 +29 @@
 ; Exported symbols
 ;
+    public CallGateGDT
+
     public InitCallGate
-
-
-;
-; extrns
-;
-    extrn _Device_Help:dword
+    public Win32kAPIRouter
+
+
+;
+; External symbols
+;
+    extrn  _Device_Help:dword
+    extrn  pulTKSSBase32:dword
+
     extrn  KMEnterKmodeSEF:near
     extrn  KMExitKmodeSEF8:near
-    extrn  Win32kAPIRouter:near
+    extrn  _TKFuBuff@16:near
+
+    extrn  k32AllocMemEx:near
+    extrn  k32QueryOTEs:near
+    extrn  k32QueryOptionsStatus:near
+    extrn  k32SetOptions:near
+    extrn  k32ProcessReadWrite:near
+    ;extrn  k32HandleSystemEvent:near
+    extrn  k32QuerySystemMemInfo:near
+    extrn  k32QueryCallGate:near
 
 
@@ -44 +65 @@
 GDTR_limit      dw ?                    ; The limit field of the GDTR.
 GDTR_base       dd ?                    ; The base field of the GDTR. (linear flat address)
+
+
+;
+; Structure containing the K32 API parameter packet size.
+;
+; Used for parameter packet validation, and for copying the parameter
+; packet from user address space into system address space (the stack).
+;
+acbK32Params:
+    dd 0                                ; Not used - ie. invalid
+    dd SIZE   K32ALLOCMEMEX             ; K32_ALLOCMEMEX          0x01
+    dd SIZE   K32QUERYOTES              ; K32_QUERYOTES           0x02
+    dd SIZE   K32QUERYOPTIONSSTATUS     ; K32_QUERYOPTIONSSTATUS  0x03
+    dd SIZE   K32SETOPTIONS             ; K32_SETOPTIONS          0x04
+    dd SIZE   K32PROCESSREADWRITE       ; K32_PROCESSREADWRITE    0x05
+    dd SIZE   K32HANDLESYSTEMEVENT      ; K32_HANDLESYSTEMEVENT   0x06
+    dd SIZE   K32QUERYSYSTEMMEMINFO     ; K32_QUERYSYSTEMMEMINFO  0x07
+    dd SIZE   K32QUERYCALLGATE          ; K32_QUERYCALLGATE       0x08
+
+;
+; Structure containing the offsets of K32 API worker routines.
+;
+; Used for calling the workers indirectly.
+;
+apfnK32APIs:
+    dd  FLAT:k32APIStub                 ; Not used - ie. invalid
+    dd  FLAT:k32AllocMemEx              ; K32_ALLOCMEMEX          0x01
+    dd  FLAT:k32QueryOTEs               ; K32_QUERYOTES           0x02
+    dd  FLAT:k32QueryOptionsStatus      ; K32_QUERYOPTIONSSTATUS  0x03
+    dd  FLAT:k32SetOptions              ; K32_SETOPTIONS          0x04
+    dd  FLAT:k32ProcessReadWrite        ; K32_PROCESSREADWRITE    0x05
+    ;dd  FLAT:k32HandleSystemEvent       ; K32_HANDLESYSTEMEVENT   0x06
+    dd  FLAT:k32APIStub
+    dd  FLAT:k32QuerySystemMemInfo      ; K32_QUERYSYSTEMMEMINFO  0x07
+    dd  FLAT:k32QueryCallGate           ; K32_QUERYCALLGATE       0x08
 DATA32 ends
-
-
 
 
@@ -66 +120 @@
     push    ebp
     mov     ebp, esp
-    sub     esp, 10h
     push    edi
     push    esi
@@ -75 +128 @@
     ;
     ; Allocate GDT selector for the call gate.
-    ; (seems like this call also allocates 68kb of virtual memory which i don't need.)
+    ; (URG! This call also allocates 68kb of virtual memory which i don't need!)
     ;
     mov     di, seg DATA16:CallGateGDT
@@ -93 +146 @@
     ;
 ICG_allocok:
-    pop     ds
-    push    ds                          ; restore ds (make sure it's flat)
     ASSUME  ds:FLAT
     sgdt    GDTR_limit                  ; Get the GDTR content.
@@ -100 +151 @@
     mov     ebx, GDTR_base
     movzx   ecx, CallGateGDT
-    and     cx, 0fff8h                  ; clear the dpl bits and descriptor type bit.
+    and     cx, 0fff8h                  ; clear the dpl bits and descriptor type bit. (paranoia!)
     cmp     cx, ax                      ; check limit. (paranoia!!!)
     jl      ICG_limitok
@@ -138 +189 @@
 
 ICG_end:
+    pop     es
     pop     ds
-    pop     es
     pop     ebx
     pop     esi
@@ -159 +210 @@
 ; @author   knut st. osmundsen (knut.stange.osmundsen@mynd.no)
 ; @remark
-;   stack frame:
-;       ---top of stack---
+;   stack frame - before KMEnterKmodeSEF:
+;       --bottom of stack---
 ;       calling ss                                                1ch
 ;       calling esp                                               18h
@@ -170 +221 @@
 ;       flags               (pushf)                                4h
 ;       parameter size      (push 8h)                              0h
-;       ---I start repushing parameters here.
-;
+;
+;  After the call to KMEnterKmodeSEF:
+;       --bottom of stack---
+;       calling ss                                                50
+;       calling esp                                               4c
+;       pParameter          (parameter 1)                         48
+;       ulFunctionCode      (parameter 0)                         44
+;       sef_cs                                                    40
+;       sef_eip                                                   3c
+;       sef_eflag                                                 38
+;       sef_cbargs                                                34
+;       sef_retaddr                                               30
+;       sef_ds                                                    2c
+;       sef_es                                                    28
+;       sef_fs                                                    24
+;       sef_gs                                                    20
+;       sef_eax                                                   1c
+;       sef_ecx                                                   18
+;       sef_edx                                                   14
+;       sef_ebx                                                   10
+;       sef_padesp                                                 c
+;       sef_ebp                                                    8
+;       sef_esi                                                    4h
+;       sef_edi                                                    0h
 ;
 Win32kCallGate proc near
-    pushf                               ; Push all flags
+    ASSUME  ds:nothing, ss:nothing
+    pushfd                              ; Push all flags (eflags)
     push    8h                          ; Size of parameters.
 
@@ -180 +254 @@
                                         ; kernel entry housekeeping.
 
-    mov     edx, [esp + 14h]            ; pParameter (parameter 1)
-    mov     eax, [esp + 10h]            ; ulFunctionCode (parameter 2)
+    mov     edx, [esp + 48h]            ; pParameter (parameter 1)
+    mov     eax, [esp + 44h]            ; ulFunctionCode (parameter 2)
     sub     esp, 8h                     ; (Even when using _Oplink we have to reserve space for parameters.)
     call    Win32kAPIRouter             ; This is my Ring-0 api. (d32Win32kIOCtl.c)
@@ -191 +265 @@
 
 
+;;
+; Internal function router which calls the correct function.
+; Called from IOCtl worker in d32Win32kIOCtl.c and callgate.
+; @cproto   APIRET _Optlink Win32kAPIRouter(ULONG ulFunction, PVOID pvParam);
+; @returns  function return code.
+;           0xdeadbeef if invalid function number.
+; @param    eax - ulFunction    Function number to call.
+; @param    edx - pvParam       Parameter packet for that function.
+; @uses     eax, edx, ecx
+; @sketch   Validate function number
+;           Fetch the parameter pacted from user mode and place it on the stack.
+;           Validate the size field of the parameter packet.
+;           Remove the packet header from the stack => we have a callframe for the api.
+;           Call the API worker.
+;           Return.
+; @status   Completely implemented.
+; @author   knut st. osmundsen (knut.stange.osmundsen@mynd.no)
+Win32kAPIRouter proc near
+    ASSUME  ds:FLAT, es:nothing, ss:nothing
+    ;
+    ; Validate function number.
+    ;
+    cmp     eax, 0
+    jne     APIR_notnull                ; This code should be faster (though it may look stupid to
+                                        ; jump around like this). IIRC branch prediction allways
+                                        ; takes a branch. And btw there are 4 NOPs after this jump!
+    jmp     APIR_InvalidFunction
+
+APIR_notnull:
+    cmp     eax, K32_LASTIOCTLFUNCTION
+    jle     APIR_ValidFunction
+APIR_InvalidFunction:
+    mov     eax, 0deadbeefh
+    ret
+
+    ;
+    ; We have a valid function number now.
+    ; Copy the parameter struct on to the stack.
+    ;
+APIR_ValidFunction:
+    push    ebp                         ; Make stack frame
+    mov     ebp, esp
+    mov     [ebp+8], eax                ; Save eax on the stack (reserved by caller according to _Optlink)
+    mov     ecx, acbK32Params[eax*4]    ; ecx <- size of parameter packet.
+    sub     esp, ecx                    ; Reserve stack space for the parameter packet.
+    mov     eax, [pulTKSSBase32]
+    mov     eax, [eax]
+    add     eax, esp                    ; Calculate the FLAT address of esp.
+    push    ecx                         ; Save the size.
+    ; TKFuBuff(pv, pvParam, acbParams[ulFunction], TK_FUSU_NONFATAL);
+    push    0                           ; TK_FUSU_NOFATAL
+    push    ecx                         ; Size of parameter packet
+    push    edx                         ; Pointer to user memory to fetch
+    push    eax                         ; Pointer to target memory.
+    call    _TKFuBuff@16                ; __stdcall (cleanup done by the called function)
+    pop     ecx                         ; Restore size
+    test    eax, eax
+    jz      APIR_FetchOK
+    jmp     APIR_end
+
+    ;
+    ; Parameter packet is now read onto the stack. esp is pointing to it.
+    ; Check the size of the struct as the caller sees it.
+    ;
+APIR_FetchOK:
+    cmp     ecx, [esp]                  ; (esp now point at the parameter struct)
+    je      APIR_sizeok
+    mov     eax, ERROR_BAD_ARGUMENTS    ; return code.
+    jmp     APIR_end
+
+    ;
+    ; The size is correct.
+    ; Call the worker and return.
+    ;
+APIR_sizeok:
+    add     esp, SIZE K32HDR            ; Skip the parameter header.
+    mov     eax, [ebp + 8]              ; Restore function number.
+    mov     eax, apfnK32APIs[eax*4]     ; eax <- address of the K32 API worker.
+    call    eax                         ; Call the worker.
+                                        ; No cleanup needed as leave takes care of that
+                                        ; We're ready for returning.
+APIR_end:
+    leave
+    ret
+Win32kAPIRouter endp
+
+
+;;
+; This is a stub function which does nothing but returning an error code.
+; @return       ERROR_NOT_SUPPORTED
+k32APIStub proc near
+    mov     eax, ERROR_NOT_SUPPORTED
+    ret
+k32APIStub endp
+
 CODE32 ends
 
@@ -198 +367 @@
 
 CODE16 segment
-    assume cs:CODE16, ds:nothing, ss:nothing, es:nothing
+    assume cs:CODE16, ds:FLAT
 
 ;

trunk/src/win32k/dev32/d32Win32kIOCtl.c

@@ -1 @@
-/* $Id: d32Win32kIOCtl.c,v 1.6 2001-02-20 05:02:40 bird Exp $
+/* $Id: d32Win32kIOCtl.c,v 1.7 2001-02-21 07:44:57 bird Exp $
  *
  * Win32k driver IOCtl handler function.
@@ -38 +38 @@
 *   Internal Functions                                                         *
 *******************************************************************************/
-APIRET _Optlink Win32kAPIRouter(ULONG ulFunction, PVOID pvParam);  /* called from d32CallGate.asm too. */
-
+APIRET _Optlink Win32kAPIRouter(ULONG ulFunction, PVOID pvParam);  /* implemented in d32CallGate.asm. */
 
 
@@ -51 +50 @@
 {
     /* validate parameter pointer */
-    if (pRpIOCtl == NULL || pRpIOCtl->ParmPacket == NULL || pRpIOCtl->Function == 0 || pRpIOCtl->Function > K32_LASTIOCTLFUNCTION)
+    if (pRpIOCtl == NULL || pRpIOCtl->ParmPacket == NULL
+        || pRpIOCtl->Function == 0 || pRpIOCtl->Function > K32_LASTIOCTLFUNCTION)
         return STATUS_DONE | STERR | ERROR_I24_INVALID_PARAMETER;
 
@@ -60 +60 @@
             APIRET rc = Win32kAPIRouter(pRpIOCtl->Function, pRpIOCtl->ParmPacket);
             if (    rc != 0xdeadbeefUL
-                &&  TKSuULongNF(pRpIOCtl->ParmPacket, SSToDS(&rc)) == NO_ERROR)
+                &&  TKSuULongNF(&((PK32HDR)pRpIOCtl->ParmPacket)->rc, SSToDS(&rc)) == NO_ERROR)
                 return STATUS_DONE;     /* Successfull return */
             break;
@@ -68 +68 @@
     return STATUS_DONE | STERR | ERROR_I24_INVALID_PARAMETER;
 }
-
-
-/**
- * Internal function router which calls the correct function.
- * Called from IOCtl worker and callgate in d32CallGate.asm.
- * @returns function return code.
- *          0xdeadbeef if invalid function number.
- * @param   ulFunction  Function number to call.
- * @param   pvParam     Parameter package for that function.
- * @sketch
- * @status  partially implemented.
- * @author  knut st. osmundsen (knut.stange.osmundsen@mynd.no)
- * @remark  This could be reimplemented in assembly.
- *          Make generic parameter layout to limit amount of memory copied back.
- */
-APIRET _Optlink Win32kAPIRouter(ULONG ulFunction, PVOID pvParam)
-{
-    static ULONG acbParams[] =
-    {
-        0,                              /* Not used - ie. invalid */
-        sizeof(K32ALLOCMEMEX),          /* K32_ALLOCMEMEX          0x01 */
-        sizeof(K32QUERYOTES),           /* K32_QUERYOTES           0x02 */
-        sizeof(K32QUERYOPTIONSSTATUS),  /* K32_QUERYOPTIONSSTATUS  0x03 */
-        sizeof(K32SETOPTIONS),          /* K32_SETOPTIONS          0x04 */
-        sizeof(K32PROCESSREADWRITE),    /* K32_PROCESSREADWRITE    0x05 */
-        sizeof(K32HANDLESYSTEMEVENT),   /* K32_HANDLESYSTEMEVENT   0x06 */
-        sizeof(K32QUERYSYSTEMMEMINFO)   /* K32_QUERYSYSTEMMEMINFO  0x07 */
-    };
-    APIRET  rc;
-    char    achBuffer[MAX_PARAMSIZE];
-    PVOID   pv = SSToDS(&achBuffer[0]);
-
-    /*
-     * Validate the function number.
-     * Fetch parameters from user buffer onto our Ring-0 stack.
-     */
-    if (ulFunction == 0 || ulFunction > sizeof(acbParams) / sizeof(acbParams[0]))
-        return 0xdeadbeaf;
-    rc = TKFuBuff(pv, pvParam, acbParams[ulFunction], TK_FUSU_NONFATAL);
-    if (rc)
-    {
-        kprintf(("Win32kAPIRouter: Failed to fetch user parameters rc=%d.\n", rc));
-        return rc;                      /* This can't happen when called from by IOCtl (I hope). */
-    }
-
-
-    /*
-     * Call the actual function.
-     */
-    switch (ulFunction)
-    {
-        case K32_ALLOCMEMEX:
-        {
-            PK32ALLOCMEMEX pParm = (PK32ALLOCMEMEX)pv;
-            return k32AllocMemEx(pParm->ppv, pParm->cb, pParm->flFlags, pParm->ulCS, pParm->ulEIP);
-        }
-
-        case K32_QUERYOTES:
-        {
-            PK32QUERYOTES pParm = (PK32QUERYOTES)pv;
-            return k32QueryOTEs((HMTE)pParm->hMTE, pParm->pQOte, pParm->cbQOte);
-        }
-
-        case K32_QUERYOPTIONSSTATUS:
-        {
-            PK32QUERYOPTIONSSTATUS pParm = (PK32QUERYOPTIONSSTATUS)pv;
-            return k32QueryOptionsStatus(pParm->pOptions, pParm->pStatus);
-        }
-
-        case K32_SETOPTIONS:
-        {
-            PK32SETOPTIONS pParm = (PK32SETOPTIONS)pv;
-            return k32SetOptions(pParm->pOptions);
-        }
-
-        case K32_PROCESSREADWRITE:
-        {
-            PK32PROCESSREADWRITE pParm = (PK32PROCESSREADWRITE)pv;
-            return k32ProcessReadWrite(pParm->pid, pParm->cb, pParm->pvSource, pParm->pvTarget, pParm->fRead);
-        }
-
-        case K32_HANDLESYSTEMEVENT:
-        {
-            //PK32HANDLESYSTEMEVENT pParm = (PK32HANDLESYSTEMEVENT)pv;
-            //return k32HandleSystemEvent(pParm->ulEvent, pParm->hev, pParm->fHandle);
-            return ERROR_NOT_SUPPORTED;
-        }
-
-        case K32_QUERYSYSTEMMEMINFO:
-        {
-            PK32QUERYSYSTEMMEMINFO pParm = (PK32QUERYSYSTEMMEMINFO)pv;
-            return k32QuerySystemMemInfo(pParm->pMemInfo);
-        }
-    }
-
-
-    /*
-     * This will never happen.
-     */
-    kprintf(("Win32kAPIRouter: Internal processing error\n"));
-    Int3();
-
-    return 0xdeadbeaf;
-}

trunk/src/win32k/dev32/d32globals.c

@@ -1 @@
-/* $Id: d32globals.c,v 1.5 2000-02-25 18:15:03 bird Exp $
+/* $Id: d32globals.c,v 1.6 2001-02-21 07:44:57 bird Exp $
  *
  * d32globals - global data (32-bit)
@@ -22 +22 @@
 *   Global Variables                                                           *
 *******************************************************************************/
+/*
+ * This is the pointer to the TK(TasK)SS(Stack Segment) FLAT Base address variable.
+ * It is used by the SSToDS macro to convert stack based addresses to FLAT ds
+ * based addressed.
+ */
 PULONG          pulTKSSBase32;
 

trunk/src/win32k/dev32/d32init.c

@@ -1 @@
-/* $Id: d32init.c,v 1.36 2001-02-20 04:58:33 bird Exp $
+/* $Id: d32init.c,v 1.37 2001-02-21 07:44:57 bird Exp $
  *
  * d32init.c - 32-bits init routines.
@@ -175 +175 @@
             case 'E':/* Elf or EXe */
                 pszTmp2 = strpbrk(pszTmp, ":=/- ");
-                if (pszTmp[1] != 'x' && pszTmp != 'X')
+                if (pszTmp[1] != 'x' && pszTmp[1] != 'X')
                 {
                     options.fElf = !(pszTmp2 != NULL
@@ -414 +414 @@
     #endif
 
+    /* callgate */
+    if ((rc = InitCallGate()) != NO_ERROR)
+    {
+        kprintf(("R0Init32: InitCallGate failed with rc=%d\n", rc));
+        return (USHORT)rc;
+    }
+
 
     /*
@@ -436 +443 @@
         kprintf(("data segment lock failed with with rc=%d\n", rc));
 
-    /* 16-bit data segment - is this really necessary? */
+    /* 16-bit data segment - is this really necessary? - no!!! */
+    #if 0 /* This should not be necessary!!! it's allocated from the kernel resident heap if I am not much mistaken. */
     memset(SSToDS(&lockhandle), 0, sizeof(lockhandle));
     rc = D32Hlp_VMLock2(&DATA16START,
@@ -444 +452 @@
     if (rc != NO_ERROR)
         kprintf(("16-bit data segment lock failed with with rc=%d\n", rc));
+    #endif
 
     return NO_ERROR;
@@ -592 +601 @@
                                 if ((*psz >= 'A' && *psz <= 'E') || (*psz >= 'a' && *psz <= 'e'))
                                 {
-                                    pKrnlInfo->fKernel = (*psz - (*psz >= 'a' ? 'a'-1 : 'A'-1)) << KF_REV_SHIFT;
+                                    pKrnlInfo->fKernel = (USHORT)((*psz - (*psz >= 'a' ? 'a'-1 : 'A'-1)) << KF_REV_SHIFT);
                                     psz++;
                                 }
@@ -904 +913 @@
                 /* fixed five byte instructions */
                 case 0xe8:              /* call imm32 */
-                    pach =+ 4;
-                    cb =+ 4;
+                    pach += 4;
+                    cb += 4;
                     break;
 
@@ -1273 +1282 @@
     int     cbmax;
     char *  pchCTEntry;                 /* Pointer to current calltab entry. */
+    ULONG   flWP;                       /* CR0 WP flag restore value. */
 
     /*
@@ -1327 +1337 @@
      */
     pchCTEntry = &callTab[0];
+    flWP = x86DisableWriteProtect();
     for (i = 0; i < NBR_OF_KRNLIMPORTS; i++)
     {
@@ -1366 +1377 @@
                     kprintf(("ImportTabInit: FATAL verify failed for procedure no.%d when rehooking it!\n", i));
                     Int3(); /* ipe - later! */
+                    x86RestoreWriteProtect(flWP);
                     return ERROR_D32_IPE | (i << ERROR_D32_PROC_SHIFT) | ERROR_D32_PROC_FLAG;
                 }
@@ -1412 +1424 @@
                     kprintf(("ImportTabInit: FATAL verify failed for procedure no.%d when rehooking it!\n", i));
                     Int3(); /* ipe - later! */
+                    x86RestoreWriteProtect(flWP);
                     return ERROR_D32_IPE | (i << ERROR_D32_PROC_SHIFT) | ERROR_D32_PROC_FLAG;
                 }
@@ -1444 +1457 @@
                     kprintf(("ImportTabInit: FATAL verify failed for procedure no.%d when importing it!\n", i));
                     Int3(); /* ipe - later! */
+                    x86RestoreWriteProtect(flWP);
                     return ERROR_D32_IPE | (i << ERROR_D32_PROC_SHIFT) | ERROR_D32_PROC_FLAG;
                 }
@@ -1480 +1494 @@
                     kprintf(("ImportTabInit: FATAL verify failed for procedure no.%d when importing it!\n", i));
                     Int3(); /* ipe - later! */
+                    x86RestoreWriteProtect(flWP);
                     return ERROR_D32_IPE | (i << ERROR_D32_PROC_SHIFT) | ERROR_D32_PROC_FLAG;
                 }
@@ -1517 +1532 @@
                 kprintf(("ImportTabInit: unsupported type. (procedure no.%d, cb=%d)\n", i, cb));
                 Int3(); /* ipe - later! */
+                x86RestoreWriteProtect(flWP);
                 return ERROR_D32_IPE | (i << ERROR_D32_PROC_SHIFT) | ERROR_D32_PROC_FLAG;
         } /* switch - type */
     }   /* for */
+
+    x86RestoreWriteProtect(flWP);
 
     return NO_ERROR;