[KERNEL32] Fix use-after-free in GetStartupInfoA (reactos#8282)

maramadany · web-flow · commit 4f61d2ea04da · 2025-08-11T17:17:29.000-06:00
- Set StartupInfo to point to the global BaseAnsiStartupInfo only after the local data has been freed.
diff --git a/dll/win32/kernel32/client/proc.c b/dll/win32/kernel32/client/proc.c
@@ -1397,8 +1397,7 @@ GetStartupInfoA(IN LPSTARTUPINFOA lpStartupInfo)
                             break;
                         }
 
-                        /* Someone beat us to it, use their data instead */
-                        StartupInfo = BaseAnsiStartupInfo;
+                        /* Someone beat us to it, we will use their data instead */
                         Status = STATUS_SUCCESS;
 
                         /* We're going to free our own stuff, but not raise */
@@ -1409,6 +1408,9 @@ GetStartupInfoA(IN LPSTARTUPINFOA lpStartupInfo)
                 RtlFreeAnsiString(&ShellString);
             }
             RtlFreeHeap(RtlGetProcessHeap(), 0, StartupInfo);
+
+            /* Get the cached information again: either still NULL or set by another thread */
+            StartupInfo = BaseAnsiStartupInfo;
         }
         else
         {
@@ -1417,7 +1419,7 @@ GetStartupInfoA(IN LPSTARTUPINFOA lpStartupInfo)
         }
 
         /* Raise an error unless we got here due to the race condition */
-        if (!NT_SUCCESS(Status)) RtlRaiseStatus(Status);
+        if (!StartupInfo) RtlRaiseStatus(Status);
     }
 
     /* Now copy from the cached ANSI version */

Original file line number	Diff line number	Diff line change
`@@ -1397,8 +1397,7 @@ GetStartupInfoA(IN LPSTARTUPINFOA lpStartupInfo)`
`1397`	`1397`	`break;`
`1398`	`1398`	`}`
`1399`	`1399`
`1400`		`- /* Someone beat us to it, use their data instead */`
`1401`		`- StartupInfo = BaseAnsiStartupInfo;`
	`1400`	`+ /* Someone beat us to it, we will use their data instead */`
`1402`	`1401`	`Status = STATUS_SUCCESS;`
`1403`	`1402`
`1404`	`1403`	`/* We're going to free our own stuff, but not raise */`
`@@ -1409,6 +1408,9 @@ GetStartupInfoA(IN LPSTARTUPINFOA lpStartupInfo)`
`1409`	`1408`	`RtlFreeAnsiString(&ShellString);`
`1410`	`1409`	`}`
`1411`	`1410`	`RtlFreeHeap(RtlGetProcessHeap(), 0, StartupInfo);`
	`1411`	`+`
	`1412`	`+ /* Get the cached information again: either still NULL or set by another thread */`
	`1413`	`+ StartupInfo = BaseAnsiStartupInfo;`
`1412`	`1414`	`}`
`1413`	`1415`	`else`
`1414`	`1416`	`{`
`@@ -1417,7 +1419,7 @@ GetStartupInfoA(IN LPSTARTUPINFOA lpStartupInfo)`
`1417`	`1419`	`}`
`1418`	`1420`
`1419`	`1421`	`/* Raise an error unless we got here due to the race condition */`
`1420`		`- if (!NT_SUCCESS(Status)) RtlRaiseStatus(Status);`
	`1422`	`+ if (!StartupInfo) RtlRaiseStatus(Status);`
`1421`	`1423`	`}`
`1422`	`1424`
`1423`	`1425`	`/* Now copy from the cached ANSI version */`