Date: Mon, 04 Oct 2021 16:43:26 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 258929] sysutils/fusefs-ntfs: ntfs-3g can seg fault if a directory entry is corrupt Message-ID: <bug-258929-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D258929 Bug ID: 258929 Summary: sysutils/fusefs-ntfs: ntfs-3g can seg fault if a directory entry is corrupt Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: Individual Port(s) Assignee: ports-bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu CC: freebsd@dussan.org Flags: maintainer-feedback?(freebsd@dussan.org) CC: freebsd@dussan.org Created attachment 228439 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D228439&action= =3Dedit sysutils/fusefs-ntfs: this disk image causes ntfs-3g to seg fault due to a corrupt directory entry ntfs_inode_lookup_by_name() doesn't adequately bounds-check the ie loop variable. If ir->index.entries_offset is huge, then ie =3D &ir->index + ir->index.entries_offset will be a wild pointer. If in addition ir->index.index_length is huge, then the for-loop's check that ie < index_end won't be effective. And the for loop will crash when it tries to check that ie + ie->key_length < index_end, because ie isn't valid. I've attached a demo disk image. % gunzip ntx6.img.gz % sudo mdconfig -f ntx6.img % sudo ntfs-3g /dev/md0p1 /mnt Segmentation fault % ntfs-3g --version ntfs-3g 2017.3.23 external FUSE 29 % uname -a FreeBSD xxx 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24 07:33:27= UTC 2021=20=20=20=20 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC= =20 amd64 The backtrace: #0 ntfs_inode_lookup_by_name (dir_ni=3D0x40869320, uname=3D0x40842010,=20 uname_len=3D7) at dir.c:307 #1 0x00000000400bb0b0 in ntfs_pathname_to_inode (vol=3D0x40845000, parent= =3D0x0,=20 pathname=3D<optimized out>) at dir.c:782 #2 0x00000000400d113a in ntfs_open_secure (vol=3D<optimized out>) at security.c:4482 #3 0x00000000400d5dca in ntfs_device_mount (dev=3D<optimized out>,=20 flags=3D436207616) at volume.c:1243 #4 0x00000000400d6478 in ntfs_mount (name=3D<optimized out>, flags=3D43620= 7616) at volume.c:1386 --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-258929-7788>