Summary: | /usr/sbin/fstyp potential read through wild pointer | ||||||
---|---|---|---|---|---|---|---|
Product: | Base System | Reporter: | Robert Morris <rtm> | ||||
Component: | bin | Assignee: | Mark Johnston <markj> | ||||
Status: | Closed FIXED | ||||||
Severity: | Affects Some People | CC: | emaste, markj | ||||
Priority: | --- | ||||||
Version: | CURRENT | ||||||
Hardware: | Any | ||||||
OS: | Any | ||||||
Attachments: |
|
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=878ede1a0d0f10f851b2bc54be1e28f512bfc016 commit 878ede1a0d0f10f851b2bc54be1e28f512bfc016 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2024-10-28 13:51:58 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2024-10-28 15:03:53 +0000 fstyp: Fix some memory safety bugs In the hammer2 label reader, make sure to check for a NULL return from read_buf(). In the NTFS label reader, - Avoid an infinite loop if a record length is 0. - Avoid walking past the end of the buffer. - When a label is found, avoid reading past the end of the buffer. PR: 278281 Reviewed by: emaste MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D47292 usr.sbin/fstyp/hammer2.c | 2 ++ usr.sbin/fstyp/ntfs.c | 36 ++++++++++++++++++++++++------------ 2 files changed, 26 insertions(+), 12 deletions(-) A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=de03af6da75990e56c45aea2c7eb53a06705b4c1 commit de03af6da75990e56c45aea2c7eb53a06705b4c1 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2024-10-28 13:51:58 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2024-11-11 14:01:16 +0000 fstyp: Fix some memory safety bugs In the hammer2 label reader, make sure to check for a NULL return from read_buf(). In the NTFS label reader, - Avoid an infinite loop if a record length is 0. - Avoid walking past the end of the buffer. - When a label is found, avoid reading past the end of the buffer. PR: 278281 Reviewed by: emaste MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D47292 (cherry picked from commit 878ede1a0d0f10f851b2bc54be1e28f512bfc016) usr.sbin/fstyp/hammer2.c | 2 ++ usr.sbin/fstyp/ntfs.c | 36 ++++++++++++++++++++++++------------ 2 files changed, 26 insertions(+), 12 deletions(-) A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=75351a04884e7c79332f9c7a148424bf8cfa2c7f commit 75351a04884e7c79332f9c7a148424bf8cfa2c7f Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2024-10-28 13:51:58 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2024-11-11 14:01:23 +0000 fstyp: Fix some memory safety bugs In the hammer2 label reader, make sure to check for a NULL return from read_buf(). In the NTFS label reader, - Avoid an infinite loop if a record length is 0. - Avoid walking past the end of the buffer. - When a label is found, avoid reading past the end of the buffer. PR: 278281 Reviewed by: emaste MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D47292 (cherry picked from commit 878ede1a0d0f10f851b2bc54be1e28f512bfc016) usr.sbin/fstyp/hammer2.c | 2 ++ usr.sbin/fstyp/ntfs.c | 36 ++++++++++++++++++++++++------------ 2 files changed, 26 insertions(+), 12 deletions(-) |
Created attachment 249865 [details] file system image that causes fstyp's fstyp_ntfs() to crash This code in fstyp's ntfs.c fstyp_ntfs(): filerecp = read_buf(fp, voloff, recsize); ...; for (ap = filerecp + fr->fr_attroff; atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1; ap += atr->reclen) { can cause ap and atr to have crazy values if the filesystem being inspected provides something bad for atr->reclen. If atr->reclen == 0, it's an infinite loop. Separately, in hammer2.c read_label(), "vols[i] = read_buf(...)" can be NULL, but the next line dereferences vols[i] without checking. I've attached a demo for the first bug: # uname -a FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #21 main-n269145-3e1c8a35f741-dirty: Sat Apr 6 15:52:00 AST 2024 root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64 # gunzip fstyp6b.img.gz # fstyp -u -l fstyp6b.img Segmentation fault Program received signal SIGSEGV, Segmentation fault. Address not mapped to object. fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257) at /usr/src/usr.sbin/fstyp/ntfs.c:169 169 atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1; (gdb) where #0 fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257) at /usr/src/usr.sbin/fstyp/ntfs.c:169 #1 0x0000000001024a6c in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/usr.sbin/fstyp/fstyp.c:240