[Bug 258929] sysutils/fusefs-ntfs: ntfs-3g can seg fault if a directory entry is corrupt

Reply: bugzilla-noreply_a_freebsd.org: "[Bug 258929] sysutils/fusefs-ntfs: ntfs-3g can seg fault if a directory entry is corrupt"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 258929] sysutils/fusefs-ntfs: ntfs-3g can seg fault if a directory entry is corrupt"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 258929] sysutils/fusefs-ntfs: ntfs-3g can seg fault if a directory entry is corrupt"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 258929] sysutils/fusefs-ntfs: ntfs-3g can seg fault if a directory entry is corrupt"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 258929] sysutils/fusefs-ntfs: ntfs-3g can seg fault if a directory entry is corrupt"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 04 Oct 2021 16:43:26 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258929

            Bug ID: 258929
           Summary: sysutils/fusefs-ntfs: ntfs-3g can seg fault if a
                    directory entry is corrupt
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
                CC: freebsd@dussan.org
             Flags: maintainer-feedback?(freebsd@dussan.org)
                CC: freebsd@dussan.org

Created attachment 228439
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228439&action=edit
sysutils/fusefs-ntfs: this disk image causes ntfs-3g to seg fault due to a
corrupt directory entry

ntfs_inode_lookup_by_name() doesn't adequately bounds-check
the ie loop variable. If ir->index.entries_offset is huge,
then ie = &ir->index + ir->index.entries_offset will be
a wild pointer. If in addition ir->index.index_length is
huge, then the for-loop's check that ie < index_end won't
be effective. And the for loop will crash when it tries to
check that ie + ie->key_length < index_end, because ie isn't
valid.

I've attached a demo disk image.

% gunzip ntx6.img.gz
% sudo mdconfig -f ntx6.img
% sudo ntfs-3g /dev/md0p1 /mnt
Segmentation fault
% ntfs-3g --version
ntfs-3g 2017.3.23 external FUSE 29
% uname -a
FreeBSD xxx 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24 07:33:27 UTC
2021    
root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC 
amd64

The backtrace:

#0  ntfs_inode_lookup_by_name (dir_ni=0x40869320, uname=0x40842010, 
    uname_len=7) at dir.c:307
#1  0x00000000400bb0b0 in ntfs_pathname_to_inode (vol=0x40845000, parent=0x0, 
    pathname=<optimized out>) at dir.c:782
#2  0x00000000400d113a in ntfs_open_secure (vol=<optimized out>)
    at security.c:4482
#3  0x00000000400d5dca in ntfs_device_mount (dev=<optimized out>, 
    flags=436207616) at volume.c:1243
#4  0x00000000400d6478 in ntfs_mount (name=<optimized out>, flags=436207616)
    at volume.c:1386

-- 
You are receiving this mail because:
You are the assignee for the bug.