VNX-781 – Improper Address Validation in IOCTL

Overview

This rule flags Windows kernel driver code that handles METHOD_NEITHER IOCTL requests without calling ProbeForRead or ProbeForWrite to validate the user-space buffer addresses it receives. Without that validation, a malicious user-mode process can pass kernel-space addresses in place of user buffers, and the driver will read from or write to kernel memory at locations chosen by the attacker. This maps to CWE-781: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code.

Severity: Medium | CWE: CWE-781

Why This Matters

Kernel drivers operate at ring 0 with full access to all memory. An IOCTL handler that accepts a user-provided address without validation can be abused to read kernel memory (information disclosure, including KASLR bypass) or to write to kernel memory (privilege escalation to SYSTEM). This vulnerability class has been used extensively in local privilege escalation attacks against third-party drivers.

What Gets Flagged

// FLAGGED: IOCTL handler without ProbeForRead/ProbeForWrite
#include <ntddk.h>
#define IOCTL_MY_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)

NTSTATUS DriverDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
    UNREFERENCED_PARAMETER(DeviceObject);
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;
    ULONG length = stack->Parameters.DeviceIoControl.InputBufferLength;
    UCHAR localBuf[64];
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;

    if (code == IOCTL_MY_CODE) {  // METHOD_NEITHER: Type3InputBuffer is a raw user-mode pointer
        PVOID inputBuffer = stack->Parameters.DeviceIoControl.Type3InputBuffer;
        // MISSING: ProbeForRead(inputBuffer, length, alignment)
        RtlCopyMemory(localBuf, inputBuffer, length);  // dangerous: address never validated
        status = STATUS_SUCCESS;
    }
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

Remediation

// SAFE: validate user-space addresses before access
#include <ntddk.h>
#define IOCTL_MY_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)

NTSTATUS DriverDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
    UNREFERENCED_PARAMETER(DeviceObject);
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;
    PVOID inputBuffer = stack->Parameters.DeviceIoControl.Type3InputBuffer;
    ULONG inputLength = stack->Parameters.DeviceIoControl.InputBufferLength;
    UCHAR localBuf[64];
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;

    // Probing validates the address range; the driver still has to bound the length itself
    if (code == IOCTL_MY_CODE && inputLength <= sizeof(localBuf)) {
        __try {
            // Raises STATUS_ACCESS_VIOLATION unless the whole range lies in user-mode address space
            ProbeForRead(inputBuffer, inputLength, sizeof(UCHAR));
            RtlCopyMemory(localBuf, inputBuffer, inputLength);  // copy once, then use the kernel copy only
            status = STATUS_SUCCESS;
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            status = GetExceptionCode();  // also catches faults on unmapped user pages during the copy
        }
    }
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

Use METHOD_BUFFERED or METHOD_IN_DIRECT/METHOD_OUT_DIRECT IOCTL types where the I/O Manager handles buffering and validation automatically. If METHOD_NEITHER must be kept, remember that the raw pointers it supplies (Type3InputBuffer for input, Irp->UserBuffer for output, which needs ProbeForWrite) are only valid in the context of the calling thread, so they must be probed and copied inside the dispatch routine and never touched from a worker thread or at elevated IRQL. Probing validates only the address range; checking the length against the destination buffer remains the driver's responsibility.
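To make concrete what the probe rejects, the following is an added, host-compilable model of the ProbeForRead range check; it is not code from this rule's page and not the Windows implementation. It reproduces the documented rules (a zero length is accepted, the address must be aligned, and the whole range [Address, Address + Length) must stay below MmUserProbeAddress without wrapping); the probe address value and the sample addresses are assumptions constructed for the model.

```c
#include <stdint.h>

/* Host-side model of ProbeForRead (added example, not Windows code). The value
 * below is the usual x64 MmUserProbeAddress and is an assumption for this model. */
#define MODEL_USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL

typedef enum {
    PROBE_OK = 0,
    PROBE_DATATYPE_MISALIGNMENT,  /* models STATUS_DATATYPE_MISALIGNMENT */
    PROBE_ACCESS_VIOLATION        /* models STATUS_ACCESS_VIOLATION */
} probe_result;

/* Mirrors the documented ProbeForRead rules: a zero length is always accepted,
 * the address must be aligned to `alignment` (a power of two), and the range
 * [address, address + length) must stay below the probe address, with an
 * explicit guard against the end address wrapping past zero. */
probe_result model_probe_for_read(uint64_t address, uint64_t length, uint64_t alignment)
{
    if (length == 0)
        return PROBE_OK;
    if ((address & (alignment - 1)) != 0)
        return PROBE_DATATYPE_MISALIGNMENT;
    uint64_t end = address + length;
    /* end < address means the addition wrapped: a huge length that "reaches
     * around" the address space is rejected instead of passing the range test */
    if (end > MODEL_USER_PROBE_ADDRESS || end < address)
        return PROBE_ACCESS_VIOLATION;
    return PROBE_OK;
}

/* Runs the cases a reviewer expects the probe to handle (constructed inputs)
 * and returns how many behaved as documented. */
int model_probe_self_check(void)
{
    int ok = 0;
    /* ordinary user-mode buffer: accepted */
    ok += model_probe_for_read(0x0000000000401000ULL, 64, 1) == PROBE_OK;
    /* kernel-space pointer passed as a user buffer: rejected */
    ok += model_probe_for_read(0xFFFFF80000000000ULL, 8, 1) == PROBE_ACCESS_VIOLATION;
    /* user address whose range ends in kernel space: rejected */
    ok += model_probe_for_read(MODEL_USER_PROBE_ADDRESS - 16, 32, 1) == PROBE_ACCESS_VIOLATION;
    /* length chosen so address + length wraps to a small value: rejected */
    ok += model_probe_for_read(0x0000000000401000ULL, UINT64_MAX, 1) == PROBE_ACCESS_VIOLATION;
    /* misaligned pointer for a 4-byte alignment: rejected */
    ok += model_probe_for_read(0x0000000000401001ULL, 4, 4) == PROBE_DATATYPE_MISALIGNMENT;
    /* zero-length request: accepted regardless of address */
    ok += model_probe_for_read(0xFFFFF80000000000ULL, 0, 1) == PROBE_OK;
    return ok;  /* 6 when every case behaves as documented */
}
```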

References