From 62e4dc40394964926f9133ae675efa0350af1e66 Mon Sep 17 00:00:00 2001
From: Tu Dinh <ngoc-tu.dinh@vates.tech>
Date: Wed, 5 Mar 2025 09:43:54 +0000
Subject: Restrict default access to Xeniface device

Without assigning an explicit SDDL via xeniface.inf, any user can open
the Xeniface FDO via its default security descriptor.

Additionally, validate user read+write access to the Xeniface FDO before
allowing IOCTLs to this interface.

This is part of XSA-468 / CVE-2025-27463.

Fixes: c649edc84f85 ("Initial commit of fully open xeniface code")
Signed-off-by: Tu Dinh <ngoc-tu.dinh@vates.tech>
Reviewed-By: Owen Smith <owen.smith@cloud.com>

diff --git a/src/xeniface.inf b/src/xeniface.inf
index fe5ea755e8f7..b5433920e987 100644
--- a/src/xeniface.inf
+++ b/src/xeniface.inf
@@ -72,6 +72,12 @@ xenagent_@MAJOR_VERSION@_@MINOR_VERSION@_@MICRO_VERSION@_@BUILD_NUMBER@.dll,xena
 CopyFiles=XenIface_CopyFiles
 CopyFiles=XenAgent_CopyFiles
 
+[XenIface_Inst.HW]
+AddReg=XenIface_Inst.HW.AddReg
+
+[XenIface_Inst.HW.AddReg]
+HKR,,Security,,"D:P(A;;GA;;;SY)(A;;GA;;;BA)"  ; SDDL_DEVOBJ_SYS_ALL_ADM_ALL
+
 [Xeniface_Inst.Services]
 AddService = xeniface, 0x0002, XenIface_Service
 AddService = xenagent, 0x0800, XenAgent_Service,XenAgent_EventLog
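Review bot: The SDDL in the new Security value only governs opens that the I/O manager checks against the device object's descriptor; if the FDO is created without FILE_DEVICE_SECURE_OPEN in its DeviceCharacteristics (the IoCreateDevice call is not part of this patch), an open that appends a trailing name to the device path is not subject to this descriptor and the restriction can be bypassed. Worth confirming the device is created with that flag, or that the driver's create handler rejects opens with a non-empty FileName. Since HKR Security is applied during device installation, the restriction also only takes effect once the updated package is installed; existing installs keep the default descriptor until then. A short comment naming the intent, e.g. `; Restrict device opens to SYSTEM and Administrators (XSA-468)`, would help the next maintainer understand why the HW section exists.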
diff --git a/src/xeniface/ioctls.c b/src/xeniface/ioctls.c
index 6282e77aba44..076750a65369 100644
--- a/src/xeniface/ioctls.c
+++ b/src/xeniface/ioctls.c
@@ -33,6 +33,7 @@
 
 #include <ntifs.h>
 #include <procgrp.h>
+#include <wdmsec.h>
 #include "driver.h"
 #include "ioctls.h"
 #include "xeniface_ioctls.h"
@@ -253,6 +254,10 @@ XenIfaceIoctl(
     if (Fdo->InterfacesAcquired == FALSE)
         goto done;
 
+    status = WdmlibIoValidateDeviceIoControlAccess(Irp, FILE_READ_ACCESS | FILE_WRITE_ACCESS);
+    if (status != STATUS_SUCCESS)
+        goto done;
+
     switch (ControlCode) {
         // store
     case IOCTL_XENIFACE_STORE_READ:
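Review bot: The new access check carries no explanation of why a per-IOCTL check is needed now that the INF carries an SDDL; suggest a comment above it such as `// Opens are gated by the device SDDL, but IOCTLs defined with FILE_ANY_ACCESS would be honoured on any handle; require read+write on the file object so access follows the descriptor rather than the ability to open the device.` (whether the control codes use FILE_ANY_ACCESS is in xeniface_ioctls.h, outside the hunk). As a point of style, `if (!NT_SUCCESS(status))` is the usual NTSTATUS idiom and should be equivalent for the statuses this routine is documented to return. XenIfaceIoctl starts and ends outside the hunk, so how the `done:` path reports the status to the caller, and whether a denied request is logged so that probing of the interface is observable, cannot be confirmed from here.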
diff --git a/vs2019/xeniface/xeniface.vcxproj b/vs2019/xeniface/xeniface.vcxproj
index 1c5c15b4f9fe..9f8f766197e1 100644
--- a/vs2019/xeniface/xeniface.vcxproj
+++ b/vs2019/xeniface/xeniface.vcxproj
@@ -31,7 +31,7 @@
       <AdditionalIncludeDirectories>..\..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ResourceCompile>
     <Link>
-      <AdditionalDependencies>$(DDK_LIB_PATH)\ntstrsafe.lib;$(DDK_LIB_PATH)\procgrp.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>$(DDK_LIB_PATH)\ntstrsafe.lib;$(DDK_LIB_PATH)\procgrp.lib;$(DDK_LIB_PATH)\wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>
       <LinkTimeCodeGeneration>UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>
       <CETCompat>true</CETCompat>
diff --git a/vs2022/xeniface/xeniface.vcxproj b/vs2022/xeniface/xeniface.vcxproj
index 776e68e826a8..269ae3fd5f4a 100644
--- a/vs2022/xeniface/xeniface.vcxproj
+++ b/vs2022/xeniface/xeniface.vcxproj
@@ -31,7 +31,7 @@
       <AdditionalIncludeDirectories>..\..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ResourceCompile>
     <Link>
-      <AdditionalDependencies>$(DDK_LIB_PATH)\ntstrsafe.lib;$(DDK_LIB_PATH)\procgrp.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>$(DDK_LIB_PATH)\ntstrsafe.lib;$(DDK_LIB_PATH)\procgrp.lib;$(DDK_LIB_PATH)\wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>
       <LinkTimeCodeGeneration>UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>
       <CETCompat>true</CETCompat>
