Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: microsoft/WSL
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: 2.7.9
Choose a base ref
...
head repository: microsoft/WSL
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 2.7.10
Choose a head ref
  • 1 commit
  • 2 files changed
  • 3 contributors

Commits on Jun 25, 2026

  1. Fix disk-attach restore TOCTOU by impersonating the mounting user on …

    …VHD restore (#40782) (#40907)
    
    * Fix disk-attach restore TOCTOU by impersonating the mounting user on VHD restore
    
    A standard user's live ' wsl --mount --vhd' is already safe from a junction/symlink
    swap: the VM access grant runs while impersonating the user, and the SYSTEM-side
    AddVhd only succeeds on a file the VM was granted access to, so a swap yields
    ACCESS_DENIED rather than disclosure.
    
    The actual gap was disk restore: when the VM is recreated, _LoadDiskMount re-attached
    persisted VHDs as SYSTEM (no token), re-resolving a user-controllable path and
    reopening the TOCTOU. Because the disk-mount state is stored under the user's SID in a
    volatile (per-boot) key, the disk being restored was mounted by this same user in this
    same boot, so we can simply pass the user token and let the existing impersonated grant
    close the window. Pass-through devices stay SYSTEM (elevation-gated; \\.\PhysicalDriveN
    has no reparse surface).
    
    This replaces the earlier handle-pinning/reparse-rejection approach, which also
    regressed legitimate symlinked VHDs. Add tests covering a symlinked VHD mounting and
    surviving a VM idle-timeout restore.
    
    
    
    * Address PR feedback: re-query block device after VM timeout and require symlink creation in mount tests
    
    
    
    ---------
    
    
    
    (cherry picked from commit f0f4b10)
    
    Co-authored-by: Ben Hillis <benhill@ntdev.microsoft.com>
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    3 people authored Jun 25, 2026
    Configuration menu
    Copy the full SHA
    d35043c View commit details
    Browse the repository at this point in the history
Loading