From c13ccc92f66d9fd537ffdd4c0324af5b9c2723e1 Mon Sep 17 00:00:00 2001
From: Pierre Schweitzer
Date: Wed, 15 Aug 2018 16:38:56 +0200
Subject: [PATCH] [BTRFS] Leak the root stream file object on mount.

For whatever (unknown) reason yet, this stream file object seems to be deleted when still in use while installing ReactOS on BtrFS partition, leading to use after free. So, quick and dirty hack: leak it to prevent deletion. CORE-13769
---
 drivers/filesystems/btrfs/btrfs.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/filesystems/btrfs/btrfs.c b/drivers/filesystems/btrfs/btrfs.c
index 27a1572db8c..c4960cd4215 100644
--- a/drivers/filesystems/btrfs/btrfs.c
+++ b/drivers/filesystems/btrfs/btrfs.c
@@ -4453,7 +4453,21 @@ static NTSTATUS mount_vol(_In_ PDEVICE_OBJECT DeviceObject, _In_ PIRP Irp) {
 goto exit;
 }
+ /* HACK: stream file object seems to get deleted at some point
+ * leading to use after free when installing ReactOS on
+ * BtrFS.
+ * Workaround: leak a handle to the fileobject
+ * XXX: Could be improved by storing it somewhere and releasing it
+ * on dismount. Or even by referencing again the file object.
+ */
+#ifndef __REACTOS__
 Vcb->root_file = IoCreateStreamFileObject(NULL, DeviceToMount);
+#else
+ {
+ HANDLE Dummy;
+ Vcb->root_file = IoCreateStreamFileObjectEx(NULL, DeviceToMount, &Dummy);
+ }
+#endif
 Vcb->root_file->FsContext = root_fcb;
 Vcb->root_file->SectionObjectPointer = &root_fcb->nonpaged->segment_object;
 Vcb->root_file->Vpb = DeviceObject->Vpb;
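Review bot: The handle returned through `Dummy` in the `#else` branch goes out of scope immediately, so on ReactOS every mount leaks one handle that nothing can close afterwards — not on the later `goto exit` failure paths of mount_vol, and not on dismount — and the root file object it pins presumably stays alive for the lifetime of the system rather than of the volume, so a mount/dismount loop accumulates leaked objects. Rather than a block-local, keep the handle in the Vcb (e.g. a `HANDLE root_file_handle;` field next to `root_file`, written as `Vcb->root_file = IoCreateStreamFileObjectEx(NULL, DeviceToMount, &Vcb->root_file_handle);`) and `ZwClose` it in the dismount/cleanup path outside this hunk where `root_file` is released, so the workaround stays bounded and reversible while the underlying reference-count problem (CORE-13769) is investigated. Both branches also dereference `Vcb->root_file` on the very next line with no check; if `IoCreateStreamFileObjectEx` can return NULL on ReactOS, that becomes a second crash site under the same failure and deserves at least a `goto exit` with a status. mount_vol starts and ends outside the hunk.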