[Bug 258870] sysutils/fusefs-ntfs -- ntfs-3g can crash if MFT has unexpected attributes
Date: Sat, 02 Oct 2021 15:44:24 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258870

Bug ID: 258870
Summary: sysutils/fusefs-ntfs -- ntfs-3g can crash if MFT has unexpected attributes
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
CC: freebsd@dussan.org
Flags: maintainer-feedback?(freebsd@dussan.org)

Created attachment 228379
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228379&action=edit
sysutils/fusefs-ntfs -- an NTFS disk image that causes ntfs-3g to crash

The attached NTFS disk image causes ntfs-3g (from fusefs-ntfs-2017.3.23) to crash.

  % gunzip ntx3.img.gz
  % sudo mdconfig -f ntx3.img
  % sudo ntfs-3g /dev/md0p1 /mnt
  Segmentation fault

It looks like the problem is that ntx3.img has attributes on the MFT which ntfs-3g doesn't expect; this causes ntfs_attr_lookup() to call ntfs_external_attr_find() (line 3395 of attrib.c) during mount, where I think the code is expecting no attributes and to call ntfs_attr_find(); because in this path vol->mft_na is still NULL (it hasn't yet been set by ntfs_mft_load()), ntfs_extent_inode_open() crashes when it tries to use vol->mft_na.

The backtrace:

  #0  0x00000000400c31ee in ntfs_extent_inode_open (base_ni=0x408690a0, mref=281474976710655)
      at inode.c:604
  #1  0x00000000400b0112 in ntfs_external_attr_find (type=AT_STANDARD_INFORMATION, name=0x1ce7c <AT_UNNAMED>, name_len=0, ic=CASE_SENSITIVE, lowest_vcn=<optimized out>, val=0x0, val_len=0, ctx=0x40819080)
      at attrib.c:3177
  #2  0x00000000400ad6c8 in ntfs_attr_lookup (type=AT_UNUSED, name=0xffffffffffff, name_len=1082413056, ic=CASE_SENSITIVE, lowest_vcn=0, val=0x409d8000 "\020", val_len=0, ctx=0x40819080)
      at attrib.c:3395
  #3  0x00000000400ad196 in ntfs_attr_open (ni=0x408690a0, type=AT_STANDARD_INFORMATION, name=0x1ce7c <AT_UNNAMED>, name_len=0)
      at attrib.c:428
  #4  0x00000000400b3ad4 in ntfs_attr_readall (ni=0x408690a0, type=AT_STANDARD_INFORMATION, name=0x40845000, name_len=0, data_size=0x0)
      at attrib.c:6658
  #5  0x00000000400d6c20 in ntfs_attr_setup_flag (ni=<optimized out>)
      at volume.c:228
  #6  0x00000000400d4816 in ntfs_mft_load (vol=0x40845000)
      at volume.c:315
  #7  0x00000000400d4640 in ntfs_volume_startup (dev=0x4083f030, flags=<optimized out>)
      at volume.c:625
  #8  0x00000000400d52f2 in ntfs_device_mount (dev=0x0, flags=436207616)
      at volume.c:929
  #9  0x00000000400d63b0 in ntfs_mount (name=<optimized out>, flags=436207616)
      at volume.c:1386

My machine:

  FreeBSD xxx 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24 07:33:27 UTC 2021 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
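
A simplified model of the ordering problem the report describes, as an added example that is not part of the original message and is not ntfs-3g code. All types, fields and function names here are hypothetical; it shows a lookup path selected by on-disk data reaching a helper before the volume field it depends on has been set, and a guard that fails the mount instead of dereferencing NULL.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified types: a model of the report, not ntfs-3g's structures. */
struct attr   { uint64_t data_size; };
struct volume { struct attr *mft_na; };       /* stays NULL until the MFT is loaded */
struct inode  { struct volume *vol; int unexpected_attrs; /* taken from the image */ };

/* Opening an extent record reads through the MFT data attribute, so it
 * must refuse to run while that attribute has not been set up yet. */
static int extent_open(const struct inode *base, uint64_t *size_out)
{
    if (base == NULL || base->vol == NULL || base->vol->mft_na == NULL)
        return -EIO;   /* early-mount state: report corruption, do not dereference */
    *size_out = base->vol->mft_na->data_size;
    return 0;
}

/* Lookup dispatch: data read from the disk image decides which path runs. */
static int attr_lookup(const struct inode *ni, uint64_t *size_out)
{
    if (!ni->unexpected_attrs) {
        *size_out = 0;             /* in-record search, needs no volume state */
        return 0;
    }
    return extent_open(ni, size_out);
}

/* Mount-time sequence: the first lookup happens before mft_na is assigned. */
static int mount_model(int image_flag)
{
    static struct attr na = { 4096 };          /* constructed sample value */
    struct volume vol = { NULL };
    struct inode mft = { &vol, image_flag };
    uint64_t size = 0;

    int rc = attr_lookup(&mft, &size);         /* runs while vol.mft_na == NULL */
    if (rc != 0)
        return rc;                             /* abort the mount cleanly */
    vol.mft_na = &na;                          /* the "MFT loaded" point */
    return attr_lookup(&mft, &size);
}

int main(void)
{
    /* Well-formed image mounts; crafted image is rejected with -EIO. */
    return (mount_model(0) == 0 && mount_model(1) == -EIO) ? 0 : 1;
}
```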