Only one element in the array field "privileges" of TOKEN_PRIVILEGES is reachable

[kappilini]

Which crate is this about?

windows

Crate version

"0.44.0"

Summary

The TOKEN_PRIVILEGES struct has an array field with size 1.

pub struct TOKEN_PRIVILEGES {
    pub PrivilegeCount: u32,
    pub Privileges: [LUID_AND_ATTRIBUTES;1]
}

For the C API the windows documentation says that one must allocate sufficient memory for the structure to take into account additional elements. But this is not possible in Rust. An array of size one remains with size one because it is constant.
So it is not possible to get more elements from the array than one even if the array contains more elements.

Toolchain version/configuration

No response

Reproducible example

use windows::core::{
    PCWSTR,
    PCSTR,
    PSTR
};

use windows::Win32::{
    Security::{ 
        GetTokenInformation, 
        TokenPrivileges, 
        Authorization::{
            LUID_AND_ATTRIBUTES,
            LookupPrivilegeNameA
        }
    },
    
    Foundation::{
        HANDLE,
        LUID
    },
    
    System::{
        Threading::{
            OpenProcessToken,
            GetCurrentProcess
        }
    }
};

fn show_privileges() {
    unsafe {
        let current_process = GetCurrentProcess();

        let mut token = HANDLE::default();

        OpenProcessToken(current_process, TOKEN_QUERY, &mut token as *mut HANDLE);

        let mut token_privileges : *mut TOKEN_PRIVILEGES = std::ptr::null_mut();
        let mut token_privileges_len = 0u32;

        // Call it first with 0 to get the buffer length
        GetTokenInformation(
             token, 
             TokenPrivileges, 
             None, 
             0, 
             &mut token_privileges_len as *mut u32
        );

        // Allocate memory for the buffer
        let mut token_privileges_vec = vec![0u8; token_privileges_len as usize];
        token_privileges = token_privileges_vec.as_mut_ptr() as *mut TOKEN_PRIVILEGES;

        GetTokenInformation(
             token, 
             TokenPrivileges, 
             Some(token_privileges as *mut std::ffi::c_void), 
             token_privileges_len,
             &mut token_privileges_len as *mut u32
        );

        let mut privilege_name_len = 0u32;

        LookupPrivilegeNameA(
             PCSTR::null(),
             &(*token_privileges).Privileges[0].Luid,
             PSTR::null(), 
             &mut privilege_name_len as *mut u32
        );

        // Allocate memory for the privilege name
        let mut privileges_str = String::with_capacity(privilege_name_len as usize);
        let privileges_name = PSTR::from_raw(privileges_str.as_mut_ptr());

        LookupPrivilegeNameA(
            PCSTR::null(), 
            &(*token_privileges).Privileges[0].Luid, 
            privileges_name, 
            &mut privilege_name_len as *mut u32
        );

        println!("{}", privileges_name.to_string().unwrap())
    };

    Ok(())
}

Crate manifest

[dependencies.windows]
version = "0.44.0"
features = [
    "Win32_Foundation",
    "Win32_Security",
    "Win32_Security_Authorization",
    "Win32_System_Threading"
]

Expected behavior

If the PrivilegeCount of TOKEN_PRIVILEGES is greater than one, it should be possible to get the element on the index greater than 0 from the privileges field and the privileges field should have enough memory for all elements which are counted by PrivilegeCount.

Actual behavior

If the PrivilegeCount of TOKEN_PRIVILEGES is greater than one, it is not possible to get the element with the index greater than 0 from the array field privileges because it is an constant array with size one.

Additional comments

"privileges" shoud be a vec or a pointer to a vec or somthing else with dynamic memory allocation at runtime.

[tim-weis]

There isn't much the windows crate can do here. The contract of GetTokenInformation requires that you pass a single pointer to a buffer that will receive the requested data. Consequently, the Rust transformation of TOKEN_PRIVILEGES cannot represent the Privileges field as anything other than an array¹; a Vec or even just a slice would violate the binary contract.

That, however, doesn't mean that you weren't able to access the entire range of token privileges returned. You can do that by either using C-style pointer arithmetic, or by turning the pointer and size into a slice, e.g.

GetTokenInformation(/*...*/);

// Retrieve pointer and element count
let array_ptr = ptr::addr_of!((*token_privileges).Privileges[0]);
let item_count = (*token_privileges).PrivilegeCount as usize;

// Construct a slice over the valid range
let privileges = std::slice::from_raw_parts(array_ptr, item_count);
dbg!(privileges);

---

Do keep in mind that the entire fn show_privileges() is unsafe. That's the kind of Rust that's hard to get right. I don't know whether Rust makes any alignment guarantees when allocating a Vec<u8>, so as *mut TOKEN_PRIVILEGES may or may not be well defined. Though a String is always required to hold valid UTF-8, an invariant that the call to LookupPrivilegeNameA above doesn't maintain.

Footnotes

1. See Why do some structures end with an array of size 1? ↩

[kennykerr]

Here's a complete example:

[dependencies.windows]
version = "0.46.0"
features = [
    "Win32_Foundation",
    "Win32_Security",
    "Win32_System_Threading",
    "Win32_System_Memory",
]

use windows::{
    core::*, Win32::Foundation::*, Win32::Security::*, Win32::System::Memory::*,
    Win32::System::Threading::*,
};

fn main() -> Result<()> {
    unsafe {
        let mut token = HANDLE::default();
        OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &mut token);

        let mut bytes_required = 0;
        GetTokenInformation(token, TokenPrivileges, None, 0, &mut bytes_required);

        let buffer = LocalAlloc(LPTR, bytes_required as _)?;

        GetTokenInformation(
            token,
            TokenPrivileges,
            Some(buffer.0 as *mut _),
            bytes_required,
            &mut bytes_required,
        );

        let header = &*(buffer.0 as *const TOKEN_PRIVILEGES);

        let privileges =
            std::slice::from_raw_parts(header.Privileges.as_ptr(), header.PrivilegeCount as _);

        for privilege in privileges {
            let mut name_len = 0;
            LookupPrivilegeNameW(None, &privilege.Luid, PWSTR::null(), &mut name_len);

            let mut name = vec![0u16; (name_len + 1) as usize];
            let name = PWSTR(name.as_mut_ptr());
            LookupPrivilegeNameW(None, &privilege.Luid, name, &mut name_len).ok()?;

            println!("{}", name.display())
        }

        _ = LocalFree(buffer);
        Ok(())
    }
}

[kappilini]

Thank you for your help. It works how expected :)

[WHots]

Some(buffer.0 as *mut _), | -------^ | | | help: bufferis a raw pointer; try dereferencing it:(*buffer).0``

Getting this error, even deref doesn't work, just gens new random errors.