Fix free list prev pointer when allocating new block #32
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When FindTrampolineInRange() can't locate a suitable trampoline in the existing free list, TrampolineAlloc() calls BlockAlloc() to create a new pool of trampolines. BlockAlloc() links the last node of the new free list to the beginning of the existing free list. But it did NOT link the head of the existing free list back to the tail of the new list via the pPrevTrampoline pointer. If that old head node was ever used for a trampoline, ListRemove() was unable to update its predecessor to properly remove it from the free list. That node would get pulled for use again if a hook needed another trampoline in its address range. Changing the hook address could misdirect the previous function(s) that used the same trampoline.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When FindTrampolineInRange() can't locate a suitable trampoline in the existing
free list, TrampolineAlloc() calls BlockAlloc() to create a new pool of
trampolines. BlockAlloc() links the last node of the new free list to the
beginning of the existing free list. But it did NOT link the head of the
existing free list back to the tail of the new list via the pPrevTrampoline
pointer.
If that old head node was ever used for a trampoline, ListRemove() was unable
to update its predecessor to properly remove it from the free list. That node
would get pulled for use again if a hook needed another trampoline in its
address range. Changing the hook address could misdirect the previous
function(s) that used the same trampoline.