Pass the mounting user's token on VHD restore (2.7 backport)#40907
Merged
…VHD restore (#40782)

* Fix disk-attach restore TOCTOU by impersonating the mounting user on VHD restore

A standard user's live 'wsl --mount --vhd' is already safe from a junction/symlink swap: the VM access grant runs while impersonating the user, and the SYSTEM-side AddVhd only succeeds on a file the VM was granted access to, so a swap yields ACCESS_DENIED rather than disclosure.

The actual gap was disk restore: when the VM is recreated, _LoadDiskMount re-attached persisted VHDs as SYSTEM (no token), re-resolving a user-controllable path and reopening the TOCTOU.

Because the disk-mount state is stored under the user's SID in a volatile (per-boot) key, the disk being restored was mounted by this same user in this same boot, so we can simply pass the user token and let the existing impersonated grant close the window.

Pass-through devices stay SYSTEM (elevation-gated; \\.\PhysicalDriveN has no reparse surface).

This replaces the earlier handle-pinning/reparse-rejection approach, which also regressed legitimate symlinked VHDs.

Add tests covering a symlinked VHD mounting and surviving a VM idle-timeout restore.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR feedback: re-query block device after VM timeout and require symlink creation in mount tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Ben Hillis <benhill@ntdev.microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

(cherry picked from commit f0f4b10)
Pull request overview
This PR backports a security fix to the release/2.7 branch to close a restore-time TOCTOU window when re-attaching persisted VHD mounts after the utility VM is recreated. It ensures VHD restore uses the mounting user’s token (matching the live wsl --mount --vhd path) so path resolution and VM access grants occur under the user’s identity, while keeping pass-through disk restore as SYSTEM.
Changes:
- Pass the mounting user's token during VHD restore in LxssUserSessionImpl::_LoadDiskMount, but keep pass-through restores tokenless (SYSTEM).
- Add regression tests validating that symlinked VHD mounts succeed and survive VM idle-timeout restore.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| test/windows/MountTests.cpp | Adds e2e tests for symlinked VHD mount + restore-after-VM-timeout behavior. |
| src/windows/service/exe/LxssUserSession.cpp | Passes the user token when restoring VHD mounts to avoid SYSTEM re-resolving user-controlled paths. |
OneBlue approved these changes Jun 25, 2026
Backport of #40782 to release/2.7.

Summary

On VHD disk restore (_LoadDiskMount, when the utility VM is recreated), the persisted VHD was re-attached as SYSTEM with no user token, re-resolving a user-controllable path. This passes the mounting user's token for VHD restore so the access grant and path resolution run under the user's identity, matching the live wsl --mount --vhd behavior. Pass-through (raw block device) restore stays SYSTEM (elevation-gated, no reparse surface).

Clean cherry-pick of f0f4b10 with no conflicts; WslCoreVm::AttachDisk already takes the user-token parameter on this branch.