
Pass the mounting user's token on VHD restore (2.7 backport)#40907

Merged
benhillis merged 1 commit into release/2.7 from backport/2.7/attachdisk-toctou on Jun 25, 2026

Conversation

@benhillis

Member

Backport of #40782 to release/2.7.

Summary

On VHD disk restore (_LoadDiskMount, when the utility VM is recreated), the persisted VHD was re-attached as SYSTEM with no user token, re-resolving a user-controllable path. This passes the mounting user's token for VHD restore so the access grant and path resolution run under the user's identity, matching the live wsl --mount --vhd behavior. Pass-through (raw block device) restore stays SYSTEM (elevation-gated, no reparse surface).

Clean cherry-pick of f0f4b10 with no conflicts; WslCoreVm::AttachDisk already takes the user-token parameter on this branch.

…VHD restore (#40782)

* Fix disk-attach restore TOCTOU by impersonating the mounting user on VHD restore

A standard user's live 'wsl --mount --vhd' is already safe from a junction/symlink
swap: the VM access grant runs while impersonating the user, and the SYSTEM-side
AddVhd only succeeds on a file the VM was granted access to, so a swap yields
ACCESS_DENIED rather than disclosure.

The actual gap was disk restore: when the VM is recreated, _LoadDiskMount re-attached
persisted VHDs as SYSTEM (no token), re-resolving a user-controllable path and
reopening the TOCTOU. Because the disk-mount state is stored under the user's SID in a
volatile (per-boot) key, the disk being restored was mounted by this same user in this
same boot, so we can simply pass the user token and let the existing impersonated grant
close the window. Pass-through devices stay SYSTEM (elevation-gated; \\.\PhysicalDriveN
has no reparse surface).

This replaces the earlier handle-pinning/reparse-rejection approach, which also
regressed legitimate symlinked VHDs. Add tests covering a symlinked VHD mounting and
surviving a VM idle-timeout restore.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR feedback: re-query block device after VM timeout and require symlink creation in mount tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Ben Hillis <benhill@ntdev.microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
(cherry picked from commit f0f4b10)
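The description above makes two claims that are easy to check in a small model: a tokenless (SYSTEM) restore re-resolves the user's path with no access check, so a link that was repointed between the original mount and the VM re-creation gets attached, whereas a restore that runs under the mounting user's identity fails closed, and a legitimately symlinked VHD still restores. The following is an added example that is not WSL code and does not use Windows impersonation APIs: `DiskMountRecord`, `restore_disk_mount` and `resolve_under_identity` are hypothetical names, the SID and the ACL table are constructed, and symlinks on the local filesystem stand in for the reparse points the PR talks about.

```python
import os
import tempfile
from dataclasses import dataclass

# Identities used by this model. The SID is a constructed sample value, not one from the PR.
SYSTEM = "SYSTEM"
USER_SID = "S-1-5-21-0-0-0-1001"  # constructed


class AccessDenied(PermissionError):
    """Stand-in for the ACCESS_DENIED that the impersonated VHD attach returns."""


@dataclass(frozen=True)
class DiskMountRecord:
    """Persisted mount state, keyed by the SID of the user who mounted the disk (hypothetical)."""
    user_sid: str
    path: str          # the path given to 'wsl --mount', possibly a symlink
    passthrough: bool  # raw block device rather than a VHD file


def resolve_under_identity(path, identity, acl):
    """Follow any symlink in 'path' and grant access to the final target only if
    'identity' may read it. SYSTEM bypasses the check, which is exactly why a tokenless
    restore is dangerous: it attaches whatever the link points to right now."""
    target = os.path.realpath(path)
    if identity != SYSTEM and identity not in acl.get(target, set()):
        raise AccessDenied(f"{identity} may not read {target}")
    return target


def restore_disk_mount(record, acl, pass_user_token):
    """Model of the restore step. With pass_user_token=True (the fixed behaviour) a VHD is
    re-attached under the mounting user's identity; pass-through devices stay SYSTEM."""
    if record.passthrough or not pass_user_token:
        identity = SYSTEM
    else:
        identity = record.user_sid
    return resolve_under_identity(record.path, identity, acl)


def run_scenarios():
    """Build a constructed tree in a temp dir and report what each restore variant attaches."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        user_vhd = os.path.join(root, "user.vhdx")
        secret_vhd = os.path.join(root, "secret.vhdx")
        link = os.path.join(root, "disk.vhdx")
        for p in (user_vhd, secret_vhd):
            open(p, "wb").close()
        # Constructed ACL: the user may read their own VHD; the other file is SYSTEM-only.
        acl = {os.path.realpath(user_vhd): {USER_SID},
               os.path.realpath(secret_vhd): set()}

        # 1. Legitimate symlinked VHD: mounting through a link must keep working after restore.
        os.symlink(user_vhd, link)
        record = DiskMountRecord(USER_SID, link, passthrough=False)
        results["legit_link"] = os.path.basename(restore_disk_mount(record, acl, True))

        # 2. Between the mount and the VM re-creation the link is repointed at a file the
        #    user cannot read. Tokenless restore attaches it; impersonated restore does not.
        os.remove(link)
        os.symlink(secret_vhd, link)
        results["swap_tokenless"] = os.path.basename(restore_disk_mount(record, acl, False))
        try:
            restore_disk_mount(record, acl, True)
            results["swap_impersonated"] = "attached"
        except AccessDenied:
            results["swap_impersonated"] = "ACCESS_DENIED"

        # 3. Pass-through restore ignores the token and stays SYSTEM either way
        #    (a plain file stands in for a \\.\PhysicalDriveN device path here).
        pt = DiskMountRecord(USER_SID, secret_vhd, passthrough=True)
        results["passthrough"] = os.path.basename(restore_disk_mount(pt, acl, True))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The scenario 2 outcome is the bug the backport closes (tokenless restore returns the swapped target), and scenario 1 is why the earlier reparse-rejection approach was the wrong fix: rejecting links would have failed the legitimate case as well, while an identity-scoped resolution distinguishes the two by who may read the final target.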
Copilot AI review requested due to automatic review settings June 25, 2026 17:09
@benhillis benhillis requested a review from a team as a code owner June 25, 2026 17:09

Copilot AI left a comment

Contributor


Pull request overview

This PR backports a security fix to the release/2.7 branch to close a restore-time TOCTOU window when re-attaching persisted VHD mounts after the utility VM is recreated. It ensures VHD restore uses the mounting user’s token (matching the live wsl --mount --vhd path) so path resolution and VM access grants occur under the user’s identity, while keeping pass-through disk restore as SYSTEM.

Changes:

  • Pass the mounting user’s token during VHD restore in LxssUserSessionImpl::_LoadDiskMount, but keep pass-through restores tokenless (SYSTEM).
  • Add regression tests validating that symlinked VHD mounts succeed and survive VM idle-timeout restore.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File                                          Description
test/windows/MountTests.cpp                   Adds e2e tests for symlinked VHD mount + restore-after-VM-timeout behavior.
src/windows/service/exe/LxssUserSession.cpp   Passes the user token when restoring VHD mounts to avoid SYSTEM re-resolving user-controlled paths.
@benhillis benhillis enabled auto-merge (squash) June 25, 2026 17:15
@benhillis benhillis merged commit d35043c into release/2.7 Jun 25, 2026
8 checks passed
@benhillis benhillis deleted the backport/2.7/attachdisk-toctou branch June 25, 2026 18:48

Labels

None yet

3 participants