Update filesystem library to use GetTempPath2 on Windows 11 #2302
As a security measure, Windows 11 introduces a new temporary directory API, GetTempPath2. When the calling process is running as SYSTEM, a separate temporary directory will be returned inaccessible to non-SYSTEM processes. For non-SYSTEM processes the behavior will be the same as before.

This can help mitigate against attacks such as this one: https://medium.com/csis-techblog/cve-2020-1088-yet-another-arbitrary-delete-eop-a00b97d8c3e2

This PR updates the filesystem library to call into this new API when available.

Note that there is a small possible compatibility impact if software relies on temporary files to communicate between SYSTEM and non-SYSTEM processes and one uses GetTempPath (prior to this change) and the other GetTempPath2. In many cases, such patterns may be vulnerable to the very attacks the new API was introduced to harden against. The standard itself requires only that this API should return "an unspecified directory path suitable for temporary files," though GetTempPath is mentioned as an example implementation.

How tested: Sample program printing out the value of std::filesystem::temp_directory_path() run through psexec (from SysInternals) on Win10 and Win11.

On Win10:
C:\test>psexec -s C:\test\main.exe
<...>
Temp directory is "C:\\WINDOWS\\TEMP\\"

On Win11:
C:\test>psexec -s C:\test\main.exe
<...>
Temp directory is "C:\\Windows\\SystemTemp\\"
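The lookup-then-fall-back pattern the description refers to ("call into this new API when available"), as an added example that is not part of the PR or of microsoft/STL. `TempApi`, `TempDirResult` and `query_temp_dir` are hypothetical names, and the non-Windows branch exists only so the block builds elsewhere.

```cpp
// Added example (not microsoft/STL code): prefer GetTempPath2W when kernel32
// exports it, otherwise fall back to GetTempPathW. All names are hypothetical.
#include <filesystem>
#include <string>
#include <system_error>
#ifdef _WIN32
#include <windows.h>
#endif

enum class TempApi { GetTempPath2W, GetTempPathW, NonWindows, Failed };

struct TempDirResult {
    std::wstring path;     // directory returned by the API that was selected
    TempApi api;           // which API produced `path`
    bool differs_from_old; // true when GetTempPath2W and GetTempPathW disagree
};

TempDirResult query_temp_dir() {
#ifdef _WIN32
    using TempFn = DWORD(WINAPI*)(DWORD, LPWSTR);
    // kernel32.dll is already mapped into every Win32 process, so
    // GetModuleHandleW needs no LoadLibrary call and no DLL search path.
    HMODULE k32 = GetModuleHandleW(L"kernel32.dll");
    TempFn fn2 = k32 ? reinterpret_cast<TempFn>(GetProcAddress(k32, "GetTempPath2W")) : nullptr;

    wchar_t old_buf[MAX_PATH + 1];
    DWORD old_len = GetTempPathW(MAX_PATH + 1, old_buf);
    if (old_len == 0 || old_len > MAX_PATH) return {L"", TempApi::Failed, false};
    std::wstring old_path(old_buf, old_len);
    if (!fn2) return {old_path, TempApi::GetTempPathW, false}; // export absent on older Windows

    wchar_t new_buf[MAX_PATH + 1];
    DWORD new_len = fn2(MAX_PATH + 1, new_buf);
    if (new_len == 0 || new_len > MAX_PATH) return {L"", TempApi::Failed, false};
    std::wstring new_path(new_buf, new_len);
    // A mismatch is the compatibility case from the description: a peer that
    // still calls GetTempPathW would look in a different directory.
    return {new_path, TempApi::GetTempPath2W, new_path != old_path};
#else
    // Portable stand-in so the example also builds off Windows.
    std::error_code ec;
    std::wstring p = std::filesystem::temp_directory_path(ec).wstring();
    return {p, ec ? TempApi::Failed : TempApi::NonWindows, false};
#endif
}
```

Run under a SYSTEM context (as the description does with psexec -s), `differs_from_old` flags the situation where mixing the two APIs across processes would break temp-file handoff.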
Looks good, thanks for porting this to the new function pointer table. 😸 I'll validate and push changes for the remaining minor issues I noticed.
Validated and pushed changes. I was slightly daring in replacing the I observe that
Changes look good to me! I usually prefer to use cmpexchg when possible, since I was under the impression that on some platforms,
I'm mirroring this to the MSVC-internal repo - please notify me if any further changes are pushed.
I've had to push an additional commit to fix OneCore (where we don't have the dynamic loading machinery) and
thanks I hate it 😭
Thanks for this security improvement and congratulations on your first microsoft/STL commit, @talagrand! Also thanks to @strega-nil-ms for refactoring this PR for binary compatibility! 🛡️ 😻 🎉
Thank you for pushing this forward :)
…t#2302) Co-authored-by: Nicole Mazzuca <[email protected]> Co-authored-by: Stephan T. Lavavej <[email protected]>