fix device item leak and possible UAF

Author: jxy-s

SystemInformer/devprv.c

@@ -3450,6 +3450,7 @@ PPH_DEVICE_ITEM NTAPI PhpAddDeviceItem(
 
     item = PhCreateObjectZero(sizeof(PH_DEVICE_ITEM), PhDeviceItemType);
 
+    item->Tree = Tree;
     item->DeviceInfo = PhReferenceObject(Tree->DeviceInfo);
     RtlCopyMemory(&item->DeviceInfoData.DeviceData, DeviceInfoData, sizeof(SP_DEVINFO_DATA));
     RtlCopyMemory(&item->ClassGuid, &DeviceInfoData->ClassGuid, sizeof(GUID));
@@ -3540,6 +3541,7 @@ PPH_DEVICE_ITEM NTAPI PhpAddDeviceInterfaceItem(
 
     item = PhCreateObjectZero(sizeof(PH_DEVICE_ITEM), PhDeviceItemType);
 
+    item->Tree = Tree;
     item->DeviceInfo = PhReferenceObject(Tree->DeviceInfo);
     item->DeviceInfoData.Interface = TRUE;
     RtlCopyMemory(&item->DeviceInfoData.InterfaceData, DeviceInterfaceData, sizeof(SP_DEVICE_INTERFACE_DATA));

SystemInformer/include/devprv.h

@@ -308,6 +308,7 @@ typedef struct _PH_DEVINFO_DATA
 
 typedef struct _PH_DEVICE_ITEM
 {
+    struct _PH_DEVICE_TREE* Tree;
     struct _PH_DEVICE_ITEM* Parent;
     struct _PH_DEVICE_ITEM* Sibling;
     struct _PH_DEVICE_ITEM* Child;

plugins/HardwareDevices/deviceprops.c

@@ -973,6 +973,8 @@ NTSTATUS DevicePropertiesThreadStart(
         PhDereferenceObject(propContext);
     }
 
+    PhDereferenceObject(context->DeviceItem->Tree);
+    PhDereferenceObject(context->DeviceItem);
     PhFree(context);
 
     return STATUS_SUCCESS;
@@ -989,6 +991,8 @@ BOOLEAN DeviceShowProperties(
 
     context->ParentWindowHandle = ParentWindowHandle;
     context->DeviceItem = PhReferenceObject(DeviceItem);
+    // Since we might use the relationships of the device item, we must reference the tree too.
+    PhReferenceObject(context->DeviceItem->Tree);
 
     PhCreateThread2(DevicePropertiesThreadStart, context);
     return TRUE;