Commit Graph

20 Commits

Author SHA1 Message Date
Simon Rozman
dccf2085cb driver: cleanup project file
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-12 10:38:21 +02:00
Simon Rozman
d41ac04565 driver: remove excessive media connection reporting on adapter init
The initial adapter state (including media connection) is provided by
the NDIS_MINIPORT_ADAPTER_GENERAL_ATTRIBUTES.
Additional NdisMIndicateStatusEx() call seems excessive.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-12 10:38:21 +02:00
Jason A. Donenfeld
005af4a9c7 api: use SuggestedInstanceId instead of NetSetupAnticipatedInstanceId
All was well with NetSetupAnticipatedInstanceId, until a bug crept into
recent Windows builds that caused old GUIDs not to be properly removed,
resulting in subsequent adapter creations to fail, because NetSetup
AnticipatedInstanceId considers it fatal when the target GUID
already exists, even if in diminished form.

The initial solution was to detect cruft, and then steal a
TrustedInstaller token and sleuth around the registry cleaning things
up. The horror!

Uncomfortable with this, I reopened IDA and had a look around with fresh
eyes, three years after the original discovery of NetSetupAnticipated
InstanceId. There, I found some interesting behavior in
NetSetupSvcDeviceManager::InstallNetworkInterfaces, which amounts to
something like:

    if (IsSet("RetiredNetCfgInstanceId") {
      if (IsSet("NetSetupAnticipatedInstanceId")
        DeleteAdapter(GetValue("RetiredNetCfgInstanceId"));
      else
        Set("NetSetupAnticipatedInstanceId", GetValue("RetiredNetCfgInstanceId"));
      Delete("RetiredNetCfgInstanceId");
    }
    CreateAdapter = TRUE;
    if (IsSet("NetSetupAnticipatedInstanceId")) {
      Guid = GetValue("NetSetupAnticipatedInstanceId");
      if (AdapterAlreadyExists(Guid))
        CreateAdapter = FALSE;
      else
        SetGuidOfNewAdapter(Guid);
      Delete("NetSetupAnticipatedInstanceId");
    } else if (IsSet("SuggestedInstanceId")) {
      Guid = GetValue("SuggestedInstanceId");
      if (!AdapterAlreadyExists(Guid))
        SetGuidOfNewAdapter(Guid);
      Delete("SuggestedInstanceId");
    }

Thus, one appealing strategy would be to set both NetSetupAnticipated
InstanceId and RetiredInstanceId to the same value, and let the service
handle deleting the old one for us before creating the new one.
However, the cleanup of the old adapter winds up being quasi-
asynchronous, and thus we still wind up in the CreateAdapter = FALSE
case.

So, the remaining strategy is to simply use SuggestedInstanceId instead.
This has the behavior that if there's an adapter already in use, it'll
use a new random GUID. The result is that adapter creation won't fail.

That's not great, but the docs have always made it clear that
"requested" is a best-effort sort of thing. Plus, hopefully the creation
of the new adapter will help nudge the bug a bit and cleanup the old
cruft. In some ways, transitioning from our old strategy of "cudgel the
registry until we get the GUID we want" to "ask politely and accept no
for an answer" is a disappointing regression in functionality. But it
also means we don't need to keep crazy token stealing code around, or
fish around in the registry dangerously. This probably also increases
the likelihood that an adapter will be created during edge cases, which
means fewer errors for users, which could be a good thing. On the
downside, we have the perpetual tensions caused by a system that now
"fails open" instead of "fails closed". But so it goes in Windows land.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-09 17:08:28 +02:00
Jason A. Donenfeld
d33732ab4b driver: hard code security descriptor bytes
This is compatible with old Windows. Generated by:

  #include <stdio.h>
  #include <windows.h>
  #include <sddl.h>

  int main(int argc, char *argv[])
  {
      PSECURITY_DESCRIPTOR sd;
      ULONG sd_len;

      if (!ConvertStringSecurityDescriptorToSecurityDescriptorA("O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)", SDDL_REVISION_1, &sd, &sd_len))
          return 1;
      for (ULONG i = 0; i < sd_len; ++i)
          printf("0x%02x%s%s", ((unsigned char *)sd)[i], i == sd_len - 1 ? "" : ",", i == sd_len -1 || i % 8 == 7 ? "\n": " ");
      return 0;
  }

This can be easily checked from kernel space with this ugly snippet:

  UNICODE_STRING Func;
  RtlInitUnicodeString(&Func, L"SeConvertSecurityDescriptorToStringSecurityDescriptor");
  WCHAR *Str = NULL;
  ((NTSTATUS(NTAPI *)(PSECURITY_DESCRIPTOR, DWORD, DWORD, WCHAR **, DWORD *))MmGetSystemRoutineAddress(&Func))(
      TunDispatchSecurityDescriptor, 1, 0x14, &Str, NULL);
  DbgPrint("Did it work? %ls\n", Str);

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 16:18:03 +02:00
Jason A. Donenfeld
6154c73032 driver: build security descriptor from sddl
This is a bit easier to read.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 14:10:50 +02:00
Jason A. Donenfeld
b3bf490434 driver: allow admins but require high integrity label
Might be more reasonable.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 14:09:16 +02:00
Jason A. Donenfeld
59bf6be8b6 driver: specify pnplockdown in inf
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 13:51:58 +02:00
Jason A. Donenfeld
273cbe2d14 driver: format
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 13:51:57 +02:00
Jason A. Donenfeld
6cf9ac71c3 driver: do not assume aligned addresses when allocating MDLs
IoAllocateMdl allocates a different size structure depending on the
bottom in-page bits of the address. By passing null, it assumes that the
address is aligned within the page, which it might not be. Fix this by
passing the eventual virtual address to the allocation function so that
the right amount is always allocated.

Reported-by: Oleksandr Muzychuk <oleksandr.muzychuk@apriorit.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-10 19:02:49 +02:00
Simon Rozman
f19945b3c6 driver: move init-only functions into INIT segment
Reference: https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/writing-a-driverentry-routine
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-05-10 11:24:44 +02:00
Simon Rozman
71e1ab6940 driver: fix memory leak on pre-Windows 7
Should NDIS version check fail the DriverEntry() bailed out without
releasing the TunDispatchSecurityDescriptor.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-05-10 11:24:44 +02:00
Simon Rozman
b28a721d9e driver: cleanup unused DBG define
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-05-10 11:24:44 +02:00
Simon Rozman
2f1d1ab827 Fix © in resources
The \xa9 is © on Windows-125x code pages. When Wintun was compiled on a
Windows computer using UTF-8 as default code page (for "non-Unicode"
programs), the Copyright notice in resources was wrong.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-03-19 12:04:23 +01:00
Simon Rozman
a6fa9c1b67 project: add support for intermediate versioning
While the Wintun driver is typically released only at <major>.<minor>
milestones, the wintun.dll did see some intermediate releases.

To make MSI logic correctly decide to upgrade local wintun.dll file, the
version inscribed in wintun.dll file resources should increment in those
intermediate releases. MSI ignores file timestamps. One could use
REINSTALLMODE=emus Installer property to force copying wintun.dll when
its version doesn't change. But REINSTALLMODE applies to all files in
the MSI session and would be an additional requirement when authoring
MSI packages with wintun.dll.

Bumping only the final ZIP filename version is not sufficient.

Therefore, a <major>.<minor> or <major>.<minor>.<build> versioning is
introduced. Furthermore, we no longer distinguish between WintunVersion
and WintunVersionStr. All our releases used strictly numeric
<major>.<minor> notation, making WintunVersion and WintunVersionStr
always the same.

When the driver didn't change, just bump the version in wintun.proj and
run `msbuild wintun.proj /t:Zip` to rebuild the wintun.dll and make the
new ZIP file.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-03-19 11:52:11 +01:00
Jason A. Donenfeld
2628412d71 global: bump copyright
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-01-30 16:45:26 +01:00
Jason A. Donenfeld
b2374dadb6 driver: use IoAllocateMdl without being too clever
Windows 7 doesn't like our trick of sticking MDLs into the NBL context
area. So we do things more traditionally, by allocating an MDL with
IoAllocateMdl and freeing it with IoFreeMdl. This means that we have to
keep track of the MDL between allocation and free time, and we don't
have any more miniport reserved pointers left in the NBL. So instead we
walk the MdlChain field of the first NB, and free the one that has an
address living inside of the non-partial MDL.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-12-15 21:13:06 +01:00
Jason A. Donenfeld
1269f86c76 driver: use partial MDL for slicing ring, rather than NB's DataOffset
Providing the DataOffset member of the NBL allocation function or
setting that member in the NB header indicates to NDIS not only that the
data starts at that offset, but that there's that amount of space
*available for it to use as it wants* before that offset. This meant
that NDIS was allowed to scribble data before the packet.

This was bounded by the size of the ring, so there was never any risk of
memory corruption, and since the ring is shared by userspace as well as
the rest of the kernel, we've always taken care of reading from it
closely, checking all values, and erroring out on corruption of the
ring. So, if NDIS wrote before the first packet, this would wind up
corrupting the RingTail and Alertable fields of the ring. The receiver
thread would then notice this, error out, and set the RingHead to
MAXULONG on its way out the door, so that userspace can detect it. And
indeed wintun.dll then started returning EOF from its write function.

Mostly this was not an issue, because we're not expecting for data to be
pushed on the head of a packet on ingress. But WSL2's Hyper-V driver is
actually pushing an ethernet header onto the front of the packet before
passing it off to Linux. Practically speaking, this manifested itself in
the RingTail and Alertable fields having Linux's MAC address! And then
the adapter would be EOF'd. This was reported as happening after WSL2
sends the *first* packet, but not others, which makes sense, because it
has to be at the beginning in order to corrupt those fields.

This fixes the problem by simply using a new MDL for the span we want,
instead of using the misunderstood DataOffset field. In order to not
need to keep track of memory allocations, we allocate the MDL as part of
the NBL's context area. And in order to avoid additional mappings, we
use IoBuildPartialMdl, which returns an MDL_PARTIAL, which does not have
an additional mapping that needs to be freed or unmapped.

After making this change, WSL2 no longer appears to halt the adapter,
and all works well.

Fixes: be8d2cb ("Avoid allocating second MDL")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-12-13 18:31:44 +01:00
Stefan Rinkes
dd33757718 driver: use localtime in inf2cat
Otherwise the build fails at odd hours of the day.

Signed-off-by: Stefan Rinkes <stefan.rinkes@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-12-02 15:03:48 +01:00
Jason A. Donenfeld
87ef399d1c driver: do not allow compiler to reload PacketSize
In theory, the compiler could reload PacketSize after the bounds check
but before it's passed to NdisAllocateNetBufferAndNetBufferList. In
practice, it's not actually doing that, but better safe than sorry.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-11-09 22:23:26 +01:00
Simon Rozman
a00c8ca685 driver: move to subfolder
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-11-06 07:29:47 +01:00