From a51dc812521e643b6b515406b4bf3f0cb459934d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20H=C3=B6glinger-Stelzer?= <nefarius@dhmx.at>
Date: Tue, 12 May 2020 16:04:33 +0200
Subject: [PATCH] Implemented process ownership check in SubmitReport

---
 client                     |  2 +-
 sys/Ds4Pdo.cpp             |  2 +-
 sys/Ds4Pdo.hpp             |  2 +-
 sys/EmulationTargetPDO.cpp | 19 +++++++++++++------
 sys/EmulationTargetPDO.hpp |  4 +++-
 sys/XusbPdo.cpp            |  2 +-
 sys/XusbPdo.hpp            |  2 +-
 7 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/client b/client
index 5b2cb84..4657364 160000
--- a/client
+++ b/client
@@ -1 +1 @@
-Subproject commit 5b2cb84dbb55ae5602d21b8a10e4703b32f072db
+Subproject commit 465736429b8fe2b9d236b01ef0404f9bceb31106
diff --git a/sys/Ds4Pdo.cpp b/sys/Ds4Pdo.cpp
index 07edea7..b82e770 100644
--- a/sys/Ds4Pdo.cpp
+++ b/sys/Ds4Pdo.cpp
@@ -1093,7 +1093,7 @@ NTSTATUS ViGEm::Bus::Targets::EmulationTargetDS4::UsbControlTransfer(PURB Urb)
 	return status;
 }
 
-NTSTATUS ViGEm::Bus::Targets::EmulationTargetDS4::SubmitReport(PVOID NewReport)
+NTSTATUS ViGEm::Bus::Targets::EmulationTargetDS4::SubmitReportImpl(PVOID NewReport)
 {
 	NTSTATUS    status;
 	WDFREQUEST  usbRequest;
diff --git a/sys/Ds4Pdo.hpp b/sys/Ds4Pdo.hpp
index 7286758..918f7a2 100644
--- a/sys/Ds4Pdo.hpp
+++ b/sys/Ds4Pdo.hpp
@@ -71,7 +71,7 @@ namespace ViGEm::Bus::Targets
 		NTSTATUS UsbGetStringDescriptorType(PURB Urb) override;
 		NTSTATUS UsbBulkOrInterruptTransfer(_URB_BULK_OR_INTERRUPT_TRANSFER* pTransfer, WDFREQUEST Request) override;
 		NTSTATUS UsbControlTransfer(PURB Urb) override;
-		NTSTATUS SubmitReport(PVOID NewReport) override;
+		NTSTATUS SubmitReportImpl(PVOID NewReport) override;
 	private:
 		static PCWSTR _deviceDescription;
 
diff --git a/sys/EmulationTargetPDO.cpp b/sys/EmulationTargetPDO.cpp
index 06d9b22..59855d8 100644
--- a/sys/EmulationTargetPDO.cpp
+++ b/sys/EmulationTargetPDO.cpp
@@ -53,7 +53,7 @@ NTSTATUS ViGEm::Bus::Core::EmulationTargetPDO::PdoCreateDevice(WDFDEVICE ParentD
 	PEMULATION_TARGET_PDO_CONTEXT pPdoContext;
 
 	TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_BUSPDO, "%!FUNC! Entry");
-	
+
 	DECLARE_CONST_UNICODE_STRING(deviceLocation, L"Virtual Gamepad Emulation Bus");
 	DECLARE_UNICODE_STRING_SIZE(buffer, MAX_INSTANCE_ID_LEN);
 	// reserve space for device id
@@ -172,7 +172,7 @@ NTSTATUS ViGEm::Bus::Core::EmulationTargetPDO::PdoCreateDevice(WDFDEVICE ParentD
 		WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&pdoAttributes, EMULATION_TARGET_PDO_CONTEXT);
 
 		pdoAttributes.EvtCleanupCallback = EvtDeviceContextCleanup;
-		
+
 		status = WdfDeviceCreate(&DeviceInit, &pdoAttributes, &this->_PdoDevice);
 		if (!NT_SUCCESS(status))
 		{
@@ -341,14 +341,14 @@ VOID ViGEm::Bus::Core::EmulationTargetPDO::EvtDeviceContextCleanup(
 )
 {
 	TraceEvents(TRACE_LEVEL_VERBOSE, TRACE_BUSPDO, "%!FUNC! Entry");
-	
+
 	const auto ctx = EmulationTargetPdoGetContext(Device);
 
 	//
 	// PDO device object getting disposed, free context object 
 	// 
 	delete ctx->Target;
-	
+
 	TraceEvents(TRACE_LEVEL_VERBOSE, TRACE_BUSPDO, "%!FUNC! Exit");
 }
 
@@ -362,6 +362,13 @@ ULONG ViGEm::Bus::Core::EmulationTargetPDO::GetSerial() const
 	return this->_SerialNo;
 }
 
+NTSTATUS ViGEm::Bus::Core::EmulationTargetPDO::SubmitReport(PVOID NewReport)
+{
+	return (this->IsOwnerProcess())
+		       ? this->SubmitReportImpl(NewReport)
+		       : STATUS_ACCESS_DENIED;
+}
+
 NTSTATUS ViGEm::Bus::Core::EmulationTargetPDO::EnqueueNotification(WDFREQUEST Request) const
 {
 	return (this->IsOwnerProcess())
@@ -524,7 +531,7 @@ bool ViGEm::Bus::Core::EmulationTargetPDO::GetPdoBySerial(
 		return false;
 
 	*Object = EmulationTargetPdoGetContext(pdoDevice)->Target;
-	
+
 	return true;
 }
 
@@ -535,7 +542,7 @@ NTSTATUS ViGEm::Bus::Core::EmulationTargetPDO::EvtDevicePrepareHardware(
 )
 {
 	TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_BUSPDO, "%!FUNC! Entry");
-	
+
 	UNREFERENCED_PARAMETER(ResourcesRaw);
 	UNREFERENCED_PARAMETER(ResourcesTranslated);
 
diff --git a/sys/EmulationTargetPDO.hpp b/sys/EmulationTargetPDO.hpp
index e77357c..70670b0 100644
--- a/sys/EmulationTargetPDO.hpp
+++ b/sys/EmulationTargetPDO.hpp
@@ -97,7 +97,7 @@ namespace ViGEm::Bus::Core
 
 		virtual NTSTATUS UsbControlTransfer(PURB Urb) = 0;
 
-		virtual NTSTATUS SubmitReport(PVOID NewReport) = 0;
+		NTSTATUS SubmitReport(PVOID NewReport);
 
 		NTSTATUS EnqueueNotification(WDFREQUEST Request) const;
 
@@ -145,6 +145,8 @@ namespace ViGEm::Bus::Core
 
 		virtual void AbortPipe() = 0;
 
+		virtual NTSTATUS SubmitReportImpl(PVOID NewReport) = 0;
+		
 		//
 		// Unique serial number of the device on the bus
 		// 
diff --git a/sys/XusbPdo.cpp b/sys/XusbPdo.cpp
index 3695413..921c97b 100644
--- a/sys/XusbPdo.cpp
+++ b/sys/XusbPdo.cpp
@@ -991,7 +991,7 @@ NTSTATUS ViGEm::Bus::Targets::EmulationTargetXUSB::UsbControlTransfer(PURB Urb)
 	return status;
 }
 
-NTSTATUS ViGEm::Bus::Targets::EmulationTargetXUSB::SubmitReport(PVOID NewReport)
+NTSTATUS ViGEm::Bus::Targets::EmulationTargetXUSB::SubmitReportImpl(PVOID NewReport)
 {
 	TraceDbg(TRACE_BUSENUM, "%!FUNC! Entry");
 	
diff --git a/sys/XusbPdo.hpp b/sys/XusbPdo.hpp
index 03d22b8..d67d961 100644
--- a/sys/XusbPdo.hpp
+++ b/sys/XusbPdo.hpp
@@ -79,7 +79,7 @@ namespace ViGEm::Bus::Targets
 		NTSTATUS UsbGetStringDescriptorType(PURB Urb) override;
 		NTSTATUS UsbBulkOrInterruptTransfer(_URB_BULK_OR_INTERRUPT_TRANSFER* pTransfer, WDFREQUEST Request) override;
 		NTSTATUS UsbControlTransfer(PURB Urb) override;
-		NTSTATUS SubmitReport(PVOID NewReport) override;
+		NTSTATUS SubmitReportImpl(PVOID NewReport) override;
 	private:
 		static PCWSTR _deviceDescription;