sys: FspVolumeNotify: fix integer overflow vulnerability

This vulnerability was reported by: - Tay Kiat Loong (GitHub: @owl4444) - uhg (GitHub: @UltimateHG)
doc: add KeibiDrop to known file systems
2026-06-15 09:06:03 -05:00 · 2026-06-13 16:41:35 +03:00 · 2026-06-13 15:01:36 +03:00 · 2026-06-13 14:59:27 +03:00 · 2026-05-31 21:34:09 +03:00 · 2026-05-18 12:22:22 +03:00
6 changed files with 41 additions and 2 deletions
@@ -4,6 +4,7 @@ This document contains a list of known open-source file systems and file system
 == File Systems
 - https://github.com/dharmatech/9p-winfsp[9p-winfsp] - Experimental native Windows client for mounting Plan 9 9P exports.
 - https://github.com/wesley1975/blobfs-win[blobfs-win] - The native porting of the blobfs on the windows platform, blobfs can help you mount the Azure Blob storage as the local disk driver, no matter it is a Linux system or a Windows system.
 - https://github.com/buildbarn/bb-remote-execution[buildbarn] - A bazel-compatible remote execution service that uses WinFSP to provide a virtual directory for performing builds
 - https://github.com/cryptomator/cryptomator[Cryptomator] - Multi-platform transparent client-side encryption of your files in the cloud
@@ -13,6 +14,7 @@ This document contains a list of known open-source file systems and file system
 - https://github.com/sganis/golddrive[golddrive] - Windows ssh network drive
 - https://github.com/winfsp/hubfs[hubfs] - File system for GitHub
 - https://github.com/juicedata/juicefs[JuiceFS] - a distributed POSIX file system built on top of Redis and S3
 - https://github.com/KeibiSoft/KeibiDrop[KeibiDrop] - End-to-end encrypted peer-to-peer filesystem with on-demand file streaming
 - https://github.com/FrKaram/KS2.Drive[KS2.Drive] - Mount a webDAV/AOS server as a local drive
 - https://github.com/winfsp/nfs-win[nfs-win] - NFS for Windows
 - https://github.com/winfsp/objfs[objfs] - Object Storage File System
@@ -147,6 +147,8 @@ FSP_FSCTL_STATIC_ASSERT(FSP_FSCTL_VOLUME_NAME_SIZEMAX <= 260 * sizeof(WCHAR),
 #define FSP_FSCTL_DEVICECONTROL_SIZEMAX (4 * 1024)  /* must be < FSP_FSCTL_TRANSACT_{REQ,RSP}_SIZEMAX */
 #define FSP_FSCTL_NOTIFY_INFO_SIZEMAX   (0x7fffffffU)
 /* marshalling */
 #pragma warning(push)
 #pragma warning(disable:4200 4201)      /* zero-sized array in struct/union; nameless struct/union */
@@ -1389,6 +1389,9 @@ NTSTATUS FspVolumeNotify(
    if (0 == InputBufferLength)
        return FspVolumeNotifyLock(FsvolDeviceObject);
    if (FSP_FSCTL_NOTIFY_INFO_SIZEMAX < InputBufferLength)
        return STATUS_INVALID_PARAMETER;
    if (!FspDeviceReference(FsvolDeviceObject))
        return STATUS_CANCELLED;
@@ -191,7 +191,7 @@ Ptfs::~Ptfs()
 NTSTATUS Ptfs::SetPath(PWSTR Path)
 {
-    WCHAR FullPath[MAX_PATH];
+    WCHAR FullPath[FULLPATH_SIZE];
    ULONG Length;
    HANDLE Handle;
    FILETIME CreationTime;
@@ -626,7 +626,7 @@ static VOID PtfsDelete(PTFS *Ptfs);
 static NTSTATUS PtfsCreate(PWSTR Path, PWSTR VolumePrefix, PWSTR MountPoint, UINT32 DebugFlags,
    PTFS **PPtfs)
 {
-    WCHAR FullPath[MAX_PATH];
+    WCHAR FullPath[FULLPATH_SIZE];
    ULONG Length;
    HANDLE Handle;
    FILETIME CreationTime;
@@ -27,6 +27,37 @@
 #include "winfsp-tests.h"
 static
 void notify_invalid_dotest(ULONG Flags)
 {
    void *memfs = memfs_start(Flags);
    FSP_FILE_SYSTEM *FileSystem = MemfsFileSystem(memfs);
    NTSTATUS Result;
    Result = FspFsctlNotify(FileSystem->VolumeHandle, 0, 1);
    ASSERT(STATUS_ACCESS_VIOLATION == Result);
    Result = FspFsctlNotify(FileSystem->VolumeHandle, 0, FSP_FSCTL_NOTIFY_INFO_SIZEMAX);
    ASSERT(STATUS_ACCESS_VIOLATION == Result || STATUS_INSUFFICIENT_RESOURCES == Result);
    Result = FspFsctlNotify(FileSystem->VolumeHandle, 0, FSP_FSCTL_NOTIFY_INFO_SIZEMAX + 1);
    ASSERT(STATUS_INVALID_PARAMETER == Result);
    Result = FspFsctlNotify(FileSystem->VolumeHandle, 0, 0xffffffffU);
    ASSERT(STATUS_INVALID_PARAMETER == Result);
    memfs_stop(memfs);
 }
 static
 void notify_invalid_test(void)
 {
    if (WinFspDiskTests)
        notify_invalid_dotest(MemfsDisk);
    if (WinFspNetTests)
        notify_invalid_dotest(MemfsNet);
 }
 static
 void notify_abandon_dotest(ULONG Flags)
 {
@@ -479,6 +510,7 @@ void notify_tests(void)
    if (OptExternal || OptNotify)
        return;
    TEST(notify_invalid_test);
    TEST(notify_abandon_test);
    TEST(notify_abandon_rename_test);
 /* OBSOLETE: it is now possible to have multiple outstanding NotifyBegin() calls. */
Author	SHA1	Message	Date
Bill Zissimopoulos	bd8b54c469	sys: FspVolumeNotify: fix integer overflow vulnerability This vulnerability was reported by: - Tay Kiat Loong (GitHub: @owl4444) - uhg (GitHub: @UltimateHG)	2026-06-13 16:41:35 +03:00
Bill Zissimopoulos	bdab233e92	doc: add KeibiDrop to known file systems	2026-06-13 15:01:36 +03:00
Bill Zissimopoulos	1ad7d9935f	doc: add KeibiDrop to known file systems	2026-06-13 14:59:27 +03:00
Bill Zissimopoulos	ff9e38c82d	doc: add 9p-winfsp to known file systems	2026-05-31 21:34:09 +03:00
Bill Zissimopoulos	608e16761e	tst: passthrough, passthrough-cpp: fix #662	2026-05-18 12:22:22 +03:00