From 9f5f029544eb9384c106a6ccc6f2531c902125bb Mon Sep 17 00:00:00 2001
From: Tu Dinh <ngoc-tu.dinh@vates.tech>
Date: Wed, 5 Mar 2025 09:43:36 +0000
Subject: Restrict default access to Xencons PDO

Without assigning an explicit SDDL via IoCreateDeviceSecure, any user
can open the Xencons PDO via its default security descriptor.

This is part of XSA-468 / CVE-2025-27462.

Fixes: 28a08191188f ("Add boilerplate Pdo")
Signed-off-by: Tu Dinh <ngoc-tu.dinh@vates.tech>
Reviewed-By: Owen Smith <owen.smith@cloud.com>

diff --git a/src/xencons/console.c b/src/xencons/console.c
index 939d8c850e82..72421ce2a38d 100644
--- a/src/xencons/console.c
+++ b/src/xencons/console.c
@@ -36,6 +36,7 @@
 #include <wdmguid.h>
 #include <ntstrsafe.h>
 #include <stdlib.h>
+#include <wdmsec.h>
 
 #include <xencons_device.h>
 
@@ -287,6 +288,10 @@ __ConsoleDeviceControl(
     OutputBufferLength = StackLocation->Parameters.DeviceIoControl.OutputBufferLength;
     Buffer = Irp->AssociatedIrp.SystemBuffer;
 
+    status = WdmlibIoValidateDeviceIoControlAccess(Irp, FILE_READ_ACCESS);
+    if (status != STATUS_SUCCESS)
+        return status;
+
     switch (IoControlCode) {
     case IOCTL_XENCONS_GET_INSTANCE:
         Value = "0";
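Review bot: The new access check in `__ConsoleDeviceControl` calls `WdmlibIoValidateDeviceIoControlAccess` by its prefixed name, whereas the pdo.c hunk in this commit uses the unprefixed `IoCreateDeviceSecure` from the same `<wdmsec.h>`; writing `status = IoValidateDeviceIoControlAccess(Irp, FILE_READ_ACCESS);` would keep the two call sites consistent. The test `status != STATUS_SUCCESS` also differs from the `!NT_SUCCESS(status)` form used in `PdoCreate`. Because the check sits ahead of the `switch`, it gates every control code on read access, and a comment such as `// Every IOCTL requires a handle opened with read access, whatever access bits the control code encodes` would record that intent. The function starts and continues outside the hunk, so whether the early `return status` matches its existing failure path cannot be confirmed from here.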
diff --git a/src/xencons/pdo.c b/src/xencons/pdo.c
index 68cccdefe3f7..8726f7da2e88 100644
--- a/src/xencons/pdo.c
+++ b/src/xencons/pdo.c
@@ -36,6 +36,7 @@
 #include <wdmguid.h>
 #include <ntstrsafe.h>
 #include <stdlib.h>
+#include <wdmsec.h>
 
 #include <suspend_interface.h>
 #include <xencons_device.h>
@@ -1915,13 +1916,15 @@ PdoCreate(
     NTSTATUS            status;
 
 #pragma prefast(suppress:28197) // Possibly leaking memory 'PhysicalDeviceObject'
-    status = IoCreateDevice(DriverGetDriverObject(),
-                            sizeof(XENCONS_DX),
-                            NULL,
-                            FILE_DEVICE_UNKNOWN,
-                            FILE_DEVICE_SECURE_OPEN | FILE_AUTOGENERATED_DEVICE_NAME,
-                            FALSE,
-                            &PhysicalDeviceObject);
+    status = IoCreateDeviceSecure(DriverGetDriverObject(),
+                                  sizeof(XENCONS_DX),
+                                  NULL,
+                                  FILE_DEVICE_UNKNOWN,
+                                  FILE_DEVICE_SECURE_OPEN | FILE_AUTOGENERATED_DEVICE_NAME,
+                                  FALSE,
+                                  &SDDL_DEVOBJ_SYS_ALL_ADM_ALL,
+                                  &GUID_XENCONS_DEVICE_CLASS,
+                                  &PhysicalDeviceObject);
     if (!NT_SUCCESS(status))
         goto fail1;
 
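Review bot: The `IoCreateDeviceSecure` call in `PdoCreate` carries no comment saying who is meant to open the PDO or why `SDDL_DEVOBJ_SYS_ALL_ADM_ALL` was chosen, which is the security-relevant decision in this change. A line such as `// SYSTEM and Administrators only: the default descriptor let any user open the PDO (XSA-468)` above the call would help keep a later edit from loosening it. The SDDL passed here is only a default, since a security setting stored for the device class GUID can take precedence, so the effective ACL should be verified on an installed system rather than assumed from this argument. `PdoCreate` begins and continues outside the hunk.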
diff --git a/src/xencons/pdo.h b/src/xencons/pdo.h
index c53f361f2db6..52d78a57c1d1 100644
--- a/src/xencons/pdo.h
+++ b/src/xencons/pdo.h
@@ -37,6 +37,10 @@
 
 #include "driver.h"
 
+// {50006123-0940-4C78-A54B-A43DC83164EF}
+DEFINE_GUID(GUID_XENCONS_DEVICE_CLASS,
+    0x50006123, 0x940, 0x4c78, 0xa5, 0x4b, 0xa4, 0x3d, 0xc8, 0x31, 0x64, 0xef);
+
 extern VOID
 PdoSetDevicePnpState(
     IN  PXENCONS_PDO        Pdo,
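Review bot: The comment above `DEFINE_GUID(GUID_XENCONS_DEVICE_CLASS, ...)` only repeats the GUID value and does not say what the GUID is for. A comment such as `// Device class GUID passed to IoCreateDeviceSecure for the PDO; security overrides are keyed on it, so it must stay stable` would make the constraint visible to the next maintainer. `DEFINE_GUID` in a header only declares the symbol unless `INITGUID` is defined, so how the definition is emitted depends on the including sources, which this hunk does not show. It is worth confirming that every translation unit including pdo.h still links cleanly.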
