Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 04 Oct 2021 16:43:26 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 258929] sysutils/fusefs-ntfs: ntfs-3g can seg fault if a directory entry is corrupt
Message-ID:  <bug-258929-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D258929

            Bug ID: 258929
           Summary: sysutils/fusefs-ntfs: ntfs-3g can seg fault if a
                    directory entry is corrupt
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
                CC: freebsd@dussan.org
             Flags: maintainer-feedback?(freebsd@dussan.org)
                CC: freebsd@dussan.org

Created attachment 228439
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D228439&action=
=3Dedit
sysutils/fusefs-ntfs: this disk image causes ntfs-3g to seg fault due to a
corrupt directory entry

ntfs_inode_lookup_by_name() doesn't adequately bounds-check
the ie loop variable. If ir->index.entries_offset is huge,
then ie =3D &ir->index + ir->index.entries_offset will be
a wild pointer. If in addition ir->index.index_length is
huge, then the for-loop's check that ie < index_end won't
be effective. And the for loop will crash when it tries to
check that ie + ie->key_length < index_end, because ie isn't
valid.

I've attached a demo disk image.

% gunzip ntx6.img.gz
% sudo mdconfig -f ntx6.img
% sudo ntfs-3g /dev/md0p1 /mnt
Segmentation fault
% ntfs-3g --version
ntfs-3g 2017.3.23 external FUSE 29
% uname -a
FreeBSD xxx 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24 07:33:27=
 UTC
2021=20=20=20=20
root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC=
=20
amd64

The backtrace:

#0  ntfs_inode_lookup_by_name (dir_ni=3D0x40869320, uname=3D0x40842010,=20
    uname_len=3D7) at dir.c:307
#1  0x00000000400bb0b0 in ntfs_pathname_to_inode (vol=3D0x40845000, parent=
=3D0x0,=20
    pathname=3D<optimized out>) at dir.c:782
#2  0x00000000400d113a in ntfs_open_secure (vol=3D<optimized out>)
    at security.c:4482
#3  0x00000000400d5dca in ntfs_device_mount (dev=3D<optimized out>,=20
    flags=3D436207616) at volume.c:1243
#4  0x00000000400d6478 in ntfs_mount (name=3D<optimized out>, flags=3D43620=
7616)
    at volume.c:1386

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-258929-7788>