Bug 278281

Summary: /usr/sbin/fstyp potential read through wild pointer
Product: Base System Reporter: Robert Morris <rtm>
Component: binAssignee: Mark Johnston <markj>
Status: Closed FIXED    
Severity: Affects Some People CC: emaste, markj
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file system image that causes fstyp's fstyp_ntfs() to crash none

Description Robert Morris 2024-04-09 21:51:53 UTC
Created attachment 249865 [details]
file system image that causes fstyp's fstyp_ntfs() to crash

This code in fstyp's ntfs.c fstyp_ntfs():

        filerecp = read_buf(fp, voloff, recsize);
        ...;
        for (ap = filerecp + fr->fr_attroff;
            atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1;
            ap += atr->reclen) {

can cause ap and atr to have crazy values if the filesystem being
inspected provides something bad for atr->reclen.

If atr->reclen == 0, it's an infinite loop.

Separately, in hammer2.c read_label(), "vols[i] = read_buf(...)" can
be NULL, but the next line dereferences vols[i] without checking.

I've attached a demo for the first bug:

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #21 main-n269145-3e1c8a35f741-dirty: Sat Apr  6 15:52:00 AST 2024     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# gunzip fstyp6b.img.gz 
# fstyp -u -l fstyp6b.img 
Segmentation fault


Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257)
    at /usr/src/usr.sbin/fstyp/ntfs.c:169
169                 atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1;
(gdb) where
#0  fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257)
    at /usr/src/usr.sbin/fstyp/ntfs.c:169
#1  0x0000000001024a6c in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/usr.sbin/fstyp/fstyp.c:240
Comment 1 Mark Johnston freebsd_committer freebsd_triage 2024-10-26 16:39:23 UTC
https://reviews.freebsd.org/D47292
Comment 2 commit-hook freebsd_committer freebsd_triage 2024-10-28 15:15:23 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=878ede1a0d0f10f851b2bc54be1e28f512bfc016

commit 878ede1a0d0f10f851b2bc54be1e28f512bfc016
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-10-28 13:51:58 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-10-28 15:03:53 +0000

    fstyp: Fix some memory safety bugs

    In the hammer2 label reader, make sure to check for a NULL return from
    read_buf().

    In the NTFS label reader,
    - Avoid an infinite loop if a record length is 0.
    - Avoid walking past the end of the buffer.
    - When a label is found, avoid reading past the end of the buffer.

    PR:             278281
    Reviewed by:    emaste
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D47292

 usr.sbin/fstyp/hammer2.c |  2 ++
 usr.sbin/fstyp/ntfs.c    | 36 ++++++++++++++++++++++++------------
 2 files changed, 26 insertions(+), 12 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-11-11 14:09:35 UTC
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=de03af6da75990e56c45aea2c7eb53a06705b4c1

commit de03af6da75990e56c45aea2c7eb53a06705b4c1
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-10-28 13:51:58 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-11-11 14:01:16 +0000

    fstyp: Fix some memory safety bugs

    In the hammer2 label reader, make sure to check for a NULL return from
    read_buf().

    In the NTFS label reader,
    - Avoid an infinite loop if a record length is 0.
    - Avoid walking past the end of the buffer.
    - When a label is found, avoid reading past the end of the buffer.

    PR:             278281
    Reviewed by:    emaste
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D47292

    (cherry picked from commit 878ede1a0d0f10f851b2bc54be1e28f512bfc016)

 usr.sbin/fstyp/hammer2.c |  2 ++
 usr.sbin/fstyp/ntfs.c    | 36 ++++++++++++++++++++++++------------
 2 files changed, 26 insertions(+), 12 deletions(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2024-11-11 14:11:37 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=75351a04884e7c79332f9c7a148424bf8cfa2c7f

commit 75351a04884e7c79332f9c7a148424bf8cfa2c7f
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-10-28 13:51:58 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-11-11 14:01:23 +0000

    fstyp: Fix some memory safety bugs

    In the hammer2 label reader, make sure to check for a NULL return from
    read_buf().

    In the NTFS label reader,
    - Avoid an infinite loop if a record length is 0.
    - Avoid walking past the end of the buffer.
    - When a label is found, avoid reading past the end of the buffer.

    PR:             278281
    Reviewed by:    emaste
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D47292

    (cherry picked from commit 878ede1a0d0f10f851b2bc54be1e28f512bfc016)

 usr.sbin/fstyp/hammer2.c |  2 ++
 usr.sbin/fstyp/ntfs.c    | 36 ++++++++++++++++++++++++------------
 2 files changed, 26 insertions(+), 12 deletions(-)