Invalid flag combination causes BSOD in Fastfat.sys (Win7, Win8, Win8.1)

I found a bug in Fastfat.sys which allows a usermode application to cause a BSOD. I have reproduced the bug in Windows 7, Windows 8 and Windows 8.1.

Steps to reproduce:

  1. Open any file on a FAT32-formatted volume. Desired access or mode (sync/async) does not really matter, as long as the file can be opened.
  2. Send FSCTL_REQUEST_OPLOCK. In the input buffer, set REQUEST_OPLOCK_INPUT_BUFFER::Flags to 0. This is an invalid value.

FastFat only expects REQUEST_OPLOCK_INPUT_BUFFER::Flags to contain either REQUEST_OPLOCK_INPUT_FLAG_REQUEST or REQUEST_OPLOCK_INPUT_FLAG_ACK. If neither of these two flags is set, FatOplockRequest() calls FatBugCheck(FsControlCode, 0, 0);

This bug is also obvious in Fastfat sources from the WDK:
Windows Driver Kit version 7.1.0
src\filesys\fastfat\Win7\fsctrl.c (lines 2894 - 2929)
look for “REQUEST_OPLOCK_INPUT_FLAG_ACK”

NTFS and ExFat don’t have this problem - STATUS_INVALID_PARAMETER is returned.

L.
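The report above boils down to a missing input-buffer check: NTFS and exFAT reject a zero Flags field with STATUS_INVALID_PARAMETER, while the FastFat path bugchecks. The following is an added example, not Fastfat's own code or anything from the WDK sources the report cites; it models the validation a file system's FSCTL_REQUEST_OPLOCK handler should perform before acting on the request. The constants, the REQUEST_OPLOCK_INPUT_BUFFER layout and the NTSTATUS values are the public ntifs.h definitions; the rules for COMPLETE_ACK_ON_CLOSE, StructureLength and unknown flag bits are assumptions made for the example, and CheckOplockFlags is a helper invented here so the validator can be exercised from user mode.

```c
/* Added example: user-mode model of the input validation a file system driver
 * should do in its FSCTL_REQUEST_OPLOCK handler. Not Fastfat's code. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS            ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER  ((NTSTATUS)0xC000000DL)
#define STATUS_BUFFER_TOO_SMALL   ((NTSTATUS)0xC0000023L)

/* Public ntifs.h values. */
#define REQUEST_OPLOCK_CURRENT_VERSION                  1
#define REQUEST_OPLOCK_INPUT_FLAG_REQUEST               0x00000001
#define REQUEST_OPLOCK_INPUT_FLAG_ACK                   0x00000002
#define REQUEST_OPLOCK_INPUT_FLAG_COMPLETE_ACK_ON_CLOSE 0x00000004

#define KNOWN_INPUT_FLAGS (REQUEST_OPLOCK_INPUT_FLAG_REQUEST | \
                           REQUEST_OPLOCK_INPUT_FLAG_ACK |     \
                           REQUEST_OPLOCK_INPUT_FLAG_COMPLETE_ACK_ON_CLOSE)

typedef struct _REQUEST_OPLOCK_INPUT_BUFFER {
    uint16_t StructureVersion;
    uint16_t StructureLength;
    uint32_t RequestedOplockLevel;
    uint32_t Flags;
} REQUEST_OPLOCK_INPUT_BUFFER;

/* Validate a caller-supplied input buffer. Returns STATUS_SUCCESS only when the
 * buffer is large enough, the version matches, and exactly one of REQUEST / ACK
 * is set. Everything else, including Flags == 0 (the trigger in the report),
 * is rejected with STATUS_INVALID_PARAMETER rather than reaching a bugcheck. */
NTSTATUS ValidateOplockInput(const void *buf, size_t len)
{
    const REQUEST_OPLOCK_INPUT_BUFFER *in = buf;
    uint32_t mode;

    if (buf == NULL || len < sizeof(*in))
        return STATUS_BUFFER_TOO_SMALL;
    /* Assumed rule: version must match and the declared length must cover the struct. */
    if (in->StructureVersion != REQUEST_OPLOCK_CURRENT_VERSION ||
        in->StructureLength < sizeof(*in))
        return STATUS_INVALID_PARAMETER;

    mode = in->Flags & (REQUEST_OPLOCK_INPUT_FLAG_REQUEST | REQUEST_OPLOCK_INPUT_FLAG_ACK);
    /* Neither flag (0) and both flags (REQUEST|ACK) fail here. */
    if (mode != REQUEST_OPLOCK_INPUT_FLAG_REQUEST && mode != REQUEST_OPLOCK_INPUT_FLAG_ACK)
        return STATUS_INVALID_PARAMETER;
    /* Assumed rule: COMPLETE_ACK_ON_CLOSE only makes sense with an acknowledgement. */
    if ((in->Flags & REQUEST_OPLOCK_INPUT_FLAG_COMPLETE_ACK_ON_CLOSE) &&
        mode != REQUEST_OPLOCK_INPUT_FLAG_ACK)
        return STATUS_INVALID_PARAMETER;
    /* Assumed rule: reject bits this handler does not understand. */
    if (in->Flags & ~KNOWN_INPUT_FLAGS)
        return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}

/* Hypothetical helper: build a well-formed buffer carrying the given flags and
 * run it through the validator, so individual flag combinations can be checked. */
NTSTATUS CheckOplockFlags(uint32_t flags)
{
    REQUEST_OPLOCK_INPUT_BUFFER in;
    memset(&in, 0, sizeof(in));
    in.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
    in.StructureLength = (uint16_t)sizeof(in);
    in.RequestedOplockLevel = 0;
    in.Flags = flags;
    return ValidateOplockInput(&in, sizeof(in));
}

int main(void)
{
    /* Flags == 0 is exactly the input the report sends; it must be rejected. */
    printf("Flags=0         -> 0x%08X\n", (unsigned)CheckOplockFlags(0));
    printf("Flags=REQUEST   -> 0x%08X\n", (unsigned)CheckOplockFlags(REQUEST_OPLOCK_INPUT_FLAG_REQUEST));
    printf("Flags=ACK|CLOSE -> 0x%08X\n", (unsigned)CheckOplockFlags(
        REQUEST_OPLOCK_INPUT_FLAG_ACK | REQUEST_OPLOCK_INPUT_FLAG_COMPLETE_ACK_ON_CLOSE));
    return 0;
}
```

The point of the split between the "mode" bits and the rest is that the handler never has to reason about a request that is neither a request nor an acknowledgement: any such buffer is turned into an error return to the caller, which is the behaviour the report observes on NTFS and exFAT.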

You found a DoS vulnerability? Then submit it to Microsoft!

Some time ago I found a bug in NTFS. If you try to open the “C:$mft<any chars>” path, you’ll hang access to the C drive completely. The matter is that NTFS describes files on the volume in the $mft file. When you open such a filename, NTFS acquires the $mft file resources but doesn’t release them. When NTFS gets the first write access, the resource acquisition hangs forever.

I also submitted this to Microsoft. They didn’t hear me.

2014-09-16 5:25 GMT+04:00 <xyz.sun.ok>:

> You found a DoS vulnerability? Then submit it to Microsoft!

> You found a DoS vulnerability? Then submit it to Microsoft!

This is as close to “submit it to Microsoft” as I can get. I don’t have any direct contact with Fastfat people. Moreover, the impact is quite low; you need a file on a Fastfat-formatted partition.

> Some time ago I found a bug in NTFS. If you try to open the “C:$mft<any chars>” path

Lol, nice catch :) Yeah, it is still there. Reproducible with FileTest.exe or simply by typing “copy C:$mft\abcd C:\file.bin” on the command line.

I tested the bug just now. It did cause a BSOD on my Win7 VMware, but no BSOD on my WinXP (as FSCTL_REQUEST_OPLOCK is only valid on Win7 and later). Lol, but I don’t think the impact is low: malicious software can cause a BSOD on any Win7 machine with a USB flash disk (USB flash disks always use the FastFat file system).

Thanks for pointing this out.

Christian Allred [MSFT]
This posting is provided “AS IS” with no warranties, and confers no rights.

Mr. Zezula and Mr. Mikhailov,

Thanks to you both for raising these. In future, you’re welcome to post issues like this here, or you can file the bug by opening a case with WDK Product Support. It’s probably more expeditious to report the issue here… but reporting it via support is the “official channel.”

Mr. Allred,

I assume that means “I’ve a bug for each of these two issues”, right?

I just want to be sure somebody here shouldn’t be pursuing this further. I hate it when stuff like this falls through the cracks.

Peter
OSR
@OSRDrivers

Yes, I have bugs for both the oplock and $Mft issues.

Christian Allred [MSFT]