Date: Tue, 24 Jul 2007 10:59:03 GMT
From: Ighighi <ighighi@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/114856: [PATCH]: Bug in NTFS allows bogus file modes.
Message-ID: <200707241059.l6OAx3cw053576@www.freebsd.org>
Resent-Message-ID: <200707241100.l6OB0Ar1078824@freefall.freebsd.org>
>Number: 114856
>Category: kern
>Synopsis: [PATCH]: Bug in NTFS allows bogus file modes.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 24 11:00:10 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Ighighi
>Release: 6.2-STABLE
>Organization:
>Environment:
FreeBSD orion 6.2-STABLE FreeBSD 6.2-STABLE #0: Thu Jul 19 17:44:47 VET 2007 root@orion:/usr/obj/usr/src/sys/CUSTOM i386
>Description:
There's a bug in the NTFS code that lets the user specify file mode bits outside the 0777 permission mask; the extra bits end up hijacking the file's type in strange ways.
>How-To-Repeat:
$ id
uid=501(ighighi) gid=501(ighighi) groups=501(ighighi),69(network)
$ sysctl vfs.usermount
vfs.usermount: 1
$ mkdir /tmp/mnt
$ /sbin/mount_ntfs -o ro -m 010555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
?rwxr-xr-x 1 ighighi wheel 0 Apr 22 2009 /tmp/mnt
$ /sbin/umount /tmp/mnt
$ /sbin/mount_ntfs -o ro -m 020555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
brwxr-xr-x 1 ighighi wheel 0, 0 Apr 22 2009 /tmp/mnt
$ /sbin/umount /tmp/mnt
$ /sbin/mount_ntfs -o ro -m 040555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
total 425220
srwxr-xr-x 1 ighighi wheel 2560 Apr 22 2009 $AttrDef
srwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 $BadClus
srwxr-xr-x 1 ighighi wheel 183248 Apr 22 2009 $Bitmap
srwxr-xr-x 1 ighighi wheel 8192 Apr 26 2006 $Boot
drwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 $Extend
srwxr-xr-x 1 ighighi wheel 32129024 Apr 26 2006 $LogFile
srwxr-xr-x 1 ighighi wheel 4096 Apr 26 2006 $MFTMirr
srwxr-xr-x 1 ighighi wheel 0 Apr 22 2009 $Secure
srwxr-xr-x 1 ighighi wheel 131072 Apr 22 2009 $UpCase
srwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 $Volume
srwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 AUTOEXEC.BAT
srwxr-xr-x 1 ighighi wheel 4952 Dec 22 2002 Bootfont.bin
srwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 CONFIG.SYS
drwxr-xr-x 1 ighighi wheel 0 Jun 29 2006 Documents and Settings
srwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 IO.SYS
srwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 MSDOS.SYS
drwxr-xr-x 1 ighighi wheel 0 Apr 27 2006 MSOCache
srwxr-xr-x 1 ighighi wheel 47564 Aug 3 2004 NTDETECT.COM
drwxr-xr-x 1 ighighi wheel 0 Jul 6 2006 RECYCLER
drwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 System Volume Information
drwxr-xr-x 1 ighighi wheel 0 Feb 8 01:56 WINDOWS
srwxr-xr-x 1 ighighi wheel 211 Apr 26 2006 boot.ini
drwxr-xr-x 1 ighighi wheel 0 Dec 18 2006 cygwin
srwxr-xr-x 1 ighighi wheel 250640 Aug 3 2004 ntldr
srwxr-xr-x 1 ighighi wheel 402653184 Jul 22 23:56 pagefile.sys
drwxr-xr-x 1 ighighi wheel 0 Dec 18 2006 rsyncd
$ /sbin/umount /tmp/mnt
$ /sbin/mount_ntfs -o ro -m 100555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
srwxr-xr-x 1 ighighi wheel 0 Apr 22 2009 /tmp/mnt
$ /sbin/umount /tmp/mnt
$ /sbin/mount_ntfs -o ro -m 120555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
wrwxr-xr-x 1 ighighi wheel 0 Apr 22 2009 /tmp/mnt
$ /sbin/umount /tmp/mnt
>Fix:
The attached patch performs the same masking as in sys/fs/msdosfs/msdosfs_vfsops.c.
It was successfully built and tested on 6.2-STABLE and is known to patch against -CURRENT.

Maybe we should patch mount_ntfs(8) too to remind the user that "only the nine low-order bits of mask are used", just as mount_msdosfs(8) does...

Patch attached with submission follows:

--- src/sys/fs/ntfs/ntfs_vfsops.c.orig 2006-10-10 05:43:20.000000000 -0400 +++ src/sys/fs/ntfs/ntfs_vfsops.c 2007-07-24 06:28:22.368847737 -0400 @@ -42,6 +42,7 @@ #include <sys/fcntl.h> #include <sys/malloc.h> #include <sys/systm.h> +#include <sys/stat.h> /* ACCESSPERMS */ #include <geom/geom.h> #include <geom/geom_vfs.h> 
@@ -318,7 +319,7 @@ ntfs_mountfs(devvp, mp, td) if (1 == vfs_scanopt(mp->mnt_optnew, "gid", "%d", &v)) ntmp->ntm_gid = v; if (1 == vfs_scanopt(mp->mnt_optnew, "mode", "%d", &v)) - ntmp->ntm_mode = v; + ntmp->ntm_mode = v & ACCESSPERMS; vfs_flagopt(mp->mnt_optnew, "caseins", &ntmp->ntm_flag, NTFS_MFLAG_CASEINS); vfs_flagopt(mp->mnt_optnew, >Release-Note: >Audit-Trail: >Unformatted:
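Review bot: in the ntfs_mountfs hunk, `ntmp->ntm_mode = v & ACCESSPERMS;` silently discards every bit above the nine permission bits, so a user who passes `-m 040555` ends up with 0555 and gets no indication that the value was altered; since the How-To-Repeat output shows those high bits reaching the file-type field (the `?`, `b`, `s` and `w` entries), consider rejecting a value with `(v & ~ACCESSPERMS) != 0` with EINVAL instead of masking, or, if silent masking is kept for consistency with msdosfs as the submitter intends, make sure mount_ntfs(8) documents that only the nine low-order bits are used, as the submitter already suggests.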