mirror of
https://github.com/winfsp/winfsp.git
synced 2026-03-06 15:49:21 -06:00
The WinFsp "transact" protocol is used by user mode file systems to interface with the FSD. This protocol works via the DeviceIoControl API and uses the FSP_IOCTL_TRANSACT control code. The FSP_IOCTL_TRANSACT code is marked as METHOD_BUFFERED. When the DeviceIoControl call is forwarded as an IRP, the METHOD_BUFFERED flag instructs the kernel to copy user mode buffers to kernel mode buffers (and vice versa). However, when the DeviceIoControl call is forwarded via the FastIO mechanism, the METHOD_BUFFERED flag is ignored. This means that when WinFsp added support for DeviceIoControl FastIO, the FSD started accessing user mode buffers directly. This means that a malicious file system could attempt exploits like changing or freeing a buffer while the FSD is reading it. Tay Kiat Loong developed a PoC exploit which demonstrated this vulnerability. This commit fixes the problem by patching FspFastIoDeviceControl to add the missing METHOD_BUFFERED handling.