Public/winfsp
1
0
Fork 0
mirror of https://github.com/winfsp/winfsp.git synced 2025-07-03 09:22:57 -05:00
Code Issues Packages Projects Releases Wiki Activity

sys: FspFsvolReadNonCached: trim ReadLength

Browse Source 
During CreateProcess/CreateSection Windows locks the image file (using AcquireFileForNtCreateSection),
gets the image file size and then reads the image file. Unfortunately if the file system (erroneously) reads
past the file size, Windows can bugcheck. This allows a faulty or malicious file system to crash Windows.

This commit adds a check in WinFsp to mitigate this problem.
This commit is contained in:
Bill Zissimopoulos
2020-04-10 19:24:43 -07:00
parent 9d69ae7503
commit 42fd57904a
3 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/sys/callbacks.c
View File

@ -78,6 +78,7 @@ VOID FspAcquireFileForNtCreateSection(
{
/* Callers:
* CcWriteBehind
* MmCreateSection and friends
*/
FSP_ENTER_VOID(PAGED_CODE());
@ -85,6 +86,8 @@ VOID FspAcquireFileForNtCreateSection(
FSP_FILE_NODE *FileNode = FileObject->FsContext;
FspFileNodeAcquireExclusive(FileNode, Full);
ASSERT(FALSE == FileNode->Tls.CreateSection);
FileNode->Tls.CreateSection = TRUE;
FSP_LEAVE_VOID("FileObject=%p", FileObject);
}
@ -94,12 +97,14 @@ VOID FspReleaseFileForNtCreateSection(
{
/* Callers:
* CcWriteBehind
* MmCreateSection and friends
*/
FSP_ENTER_VOID(PAGED_CODE());
FSP_FILE_NODE *FileNode = FileObject->FsContext;
FileNode->Tls.CreateSection = FALSE;
FspFileNodeRelease(FileNode, Full);
FSP_LEAVE_VOID("FileObject=%p", FileObject);