Review resource management in ReauthenticateUserWindows
Categories
(Core :: Security: PSM, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox80 | --- | fixed |
People
(Reporter: away, Assigned: rmf)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [psm-backlog])
Attachments
(1 file)
|
(deleted),
text/x-phabricator-request
|
Details |
I noticed some issues in ReauthenticateUserWindows:
The doc for LsaConnectUntrusted says "The handle should be closed using the LsaDeregisterLogonProcess function." which we do, but then the ScopedHANDLE additionally calls CloseHandle which seems like one too many closings. lsa should probably get its own separate RAII struct that calls LsaDeregisterLogonProcess. (Also this would ensure that LsaDeregisterLogonProcess gets called even if we take one of the early returns)
Second, this pattern around LsaLogonUser is fragile:
HANDLE token;
NTSTATUS sts = LsaLogonUser(...);
ScopedHANDLE scopedToken(token);
if (sts ...) {
Generally the contract with Windows APIs is that you can rely on them to populate output parameters as long as the API succeeds.
If the API fails, token may be left uninitialized, and the RAII helper's CloseHandle could do bad things. Either the ScopedHandle should be established after checking the return value, or token should be initialized to a safe value before the API call.
|
||
Comment 1•5 years ago
|
||
The priority flag is not set for this bug.
:keeler, could you have a look please?
For more information, please visit auto_nag documentation.
|
Assignee | |
Comment 2•4 years ago
|
||
|
||
Updated•4 years ago
|
|
||
Comment 4•4 years ago
|
||
| bugherder | ||
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
Description
•