Bug 278281 - /usr/sbin/fstyp potential read through wild pointer
Summary: /usr/sbin/fstyp potential read through wild pointer
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: Mark Johnston
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-09 21:51 UTC by Robert Morris
Modified: 2024-11-11 14:12 UTC (History)
2 users (show)

See Also:

Attachments
file system image that causes fstyp's fstyp_ntfs() to crash (122.30 KB, application/x-gzip)
2024-04-09 21:51 UTC, Robert Morris 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Morris 2024-04-09 21:51:53 UTC 
Created attachment 249865 [details]
file system image that causes fstyp's fstyp_ntfs() to crash

This code in fstyp's ntfs.c fstyp_ntfs():

        filerecp = read_buf(fp, voloff, recsize);
        ...;
        for (ap = filerecp + fr->fr_attroff;
            atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1;
            ap += atr->reclen) {

can cause ap and atr to have crazy values if the filesystem being
inspected provides something bad for atr->reclen.

If atr->reclen == 0, it's an infinite loop.

Separately, in hammer2.c read_label(), "vols[i] = read_buf(...)" can
be NULL, but the next line dereferences vols[i] without checking.

I've attached a demo for the first bug:

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #21 main-n269145-3e1c8a35f741-dirty: Sat Apr  6 15:52:00 AST 2024     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# gunzip fstyp6b.img.gz 
# fstyp -u -l fstyp6b.img 
Segmentation fault


Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257)
    at /usr/src/usr.sbin/fstyp/ntfs.c:169
169                 atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1;
(gdb) where
#0  fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257)
    at /usr/src/usr.sbin/fstyp/ntfs.c:169
#1  0x0000000001024a6c in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/usr.sbin/fstyp/fstyp.c:240
Comment 1 Mark Johnston freebsd_committer freebsd_triage 2024-10-26 16:39:23 UTC 
https://reviews.freebsd.org/D47292
Comment 2 commit-hook freebsd_committer freebsd_triage 2024-10-28 15:15:23 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=878ede1a0d0f10f851b2bc54be1e28f512bfc016

commit 878ede1a0d0f10f851b2bc54be1e28f512bfc016
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-10-28 13:51:58 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-10-28 15:03:53 +0000

    fstyp: Fix some memory safety bugs

    In the hammer2 label reader, make sure to check for a NULL return from
    read_buf().

    In the NTFS label reader,
    - Avoid an infinite loop if a record length is 0.
    - Avoid walking past the end of the buffer.
    - When a label is found, avoid reading past the end of the buffer.

    PR:             278281
    Reviewed by:    emaste
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D47292

 usr.sbin/fstyp/hammer2.c |  2 ++
 usr.sbin/fstyp/ntfs.c    | 36 ++++++++++++++++++++++++------------
 2 files changed, 26 insertions(+), 12 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-11-11 14:09:35 UTC 
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=de03af6da75990e56c45aea2c7eb53a06705b4c1

commit de03af6da75990e56c45aea2c7eb53a06705b4c1
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-10-28 13:51:58 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-11-11 14:01:16 +0000

    fstyp: Fix some memory safety bugs

    In the hammer2 label reader, make sure to check for a NULL return from
    read_buf().

    In the NTFS label reader,
    - Avoid an infinite loop if a record length is 0.
    - Avoid walking past the end of the buffer.
    - When a label is found, avoid reading past the end of the buffer.

    PR:             278281
    Reviewed by:    emaste
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D47292

    (cherry picked from commit 878ede1a0d0f10f851b2bc54be1e28f512bfc016)

 usr.sbin/fstyp/hammer2.c |  2 ++
 usr.sbin/fstyp/ntfs.c    | 36 ++++++++++++++++++++++++------------
 2 files changed, 26 insertions(+), 12 deletions(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2024-11-11 14:11:37 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=75351a04884e7c79332f9c7a148424bf8cfa2c7f

commit 75351a04884e7c79332f9c7a148424bf8cfa2c7f
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-10-28 13:51:58 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-11-11 14:01:23 +0000

    fstyp: Fix some memory safety bugs

    In the hammer2 label reader, make sure to check for a NULL return from
    read_buf().

    In the NTFS label reader,
    - Avoid an infinite loop if a record length is 0.
    - Avoid walking past the end of the buffer.
    - When a label is found, avoid reading past the end of the buffer.

    PR:             278281
    Reviewed by:    emaste
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D47292

    (cherry picked from commit 878ede1a0d0f10f851b2bc54be1e28f512bfc016)

 usr.sbin/fstyp/hammer2.c |  2 ++
 usr.sbin/fstyp/ntfs.c    | 36 ++++++++++++++++++++++++------------
 2 files changed, 26 insertions(+), 12 deletions(-)