On Fri, 28 Feb 2025 14:04:51 +0100
Daniel Kiper via Grub-devel <grub-devel@gnu.org> wrote:

> Huh!
> 
> B Horn, may I ask you to take a look at this and prepare a fix?
> 
> Andreas, please help with testing the fix.

Not that anyone cares, but this regression was caught by the file
system tests. It causes grub-fstest to segfault on listing the
generated ntfs image. Seems like running the tests before
committing large patch series, like this security update, might be a
good idea.

Glenn

> Daniel
> 
> On Fri, Feb 28, 2025 at 10:55:46AM +0100, Andreas Klauer wrote:
> > Hello,
> >
> > (I'm not on this list; hope this message finds you well.)
> >
> > it seems that this patch triggers an infinite loop when
> > trying to access ntfs, so any search command that comes
> > across any ntfs partition gets stuck.
> >
> > Basically this while-loop in find_attr()
> >
> >   while (at->attr_cur < mft_end && *at->attr_cur != 0xFF)
> >     {
> >       at->attr_nxt = next_attribute (at->attr_cur, at->end);
> >       if (*at->attr_cur == GRUB_NTFS_AT_ATTRIBUTE_LIST)
> >         at->attr_end = at->attr_cur;
> >       if ((*at->attr_cur == attr) || (attr == 0))
> >         return at->attr_cur;
> >       at->attr_cur = at->attr_nxt;
> >     }
> >
> > loops indefinitely (at->attr_cur=0) after next_attribute() returns NULL 
> > here:
> >
> >   next += u16at (curr_attribute, 4);
> >   if (validate_attribute (next, end) == false)
> >     return NULL;
> >
> > after validate_attribute() (introduced in this patch) returns false here
> >
> >   /* Not an error case, just reached the end of the attributes. */
> >   if (attr_size == 0)
> >     return false;
> >
> > Simply checking at->attr_cur in the while loop makes it work again:
> >
> >   while (at->attr_cur && at->attr_cur < mft_end && *at->attr_cur != 0xFF)
> >
> > but I don't understand half of what that code actually does,
> > so I can't vouch for correctness (not sending it as a patch).
> >
> > Also filed here https://savannah.gnu.org/bugs/index.php?66855
> >
> > and here 
> > https://gitlab.archlinux.org/archlinux/packaging/packages/grub/-/issues/12
> >
> > Kind regards,
> > Andreas Klauer
> >
> > On Tue, Feb 18, 2025 at 07:00:24PM +0100, Daniel Kiper via Grub-devel wrote:
> > > From: B Horn <b...@horn.uk>
> > >
> > > It was possible to read OOB when an attribute had a size that exceeded
> > > the allocated buffer. This resolves that by making sure all attributes
> > > that get read are fully in the allocated space by implementing
> > > a function to validate them.
> > >
> > > Defining the offsets in include/grub/ntfs.h but they are only used in
> > > the validation function and not across the rest of the NTFS code.
> > >
> > > Signed-off-by: B Horn <b...@horn.uk>
> > > Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
> > > ---
> > >  grub-core/fs/ntfs.c | 153 ++++++++++++++++++++++++++++++++++++++++++++++++++++
> > >  include/grub/ntfs.h |  22 ++++++++
> > >  2 files changed, 175 insertions(+)
> 
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel

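The loop Andreas describes, reduced to a stand-alone walker over a constructed attribute area, as an added example that is not code from the GRUB tree or from anyone in this thread: it simplifies the on-disk layout to the type byte and the 16-bit length GRUB reads, and shows why the NULL guard he proposes ends the loop once validate_attribute() rejects the zero-length tail record.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed attribute area (not real disk data): each record begins with a
   1-byte type and a 16-bit length at offset 4, the fields GRUB's loop reads.
   The tail is a zero-length record, not the 0xFF end marker, which is the
   input that makes next_attribute() return NULL. */
static const uint8_t rec_zero_tail[] = {
  0x10, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* $STANDARD_INFORMATION */
  0x30, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* $FILE_NAME */
  0x80, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* $DATA */
  0x00, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* zero-length "end" */
};

static uint16_t u16at (const uint8_t *p, size_t off)
{
  return (uint16_t) (p[off] | (p[off + 1] << 8));
}

/* As in the patch: the whole record must fit in [attr, end); a zero size is
   the end of the attribute list and is also reported as false. */
static bool validate_attribute (const uint8_t *attr, const uint8_t *end)
{
  if (attr == NULL || end - attr < 8)
    return false;
  uint16_t attr_size = u16at (attr, 4);
  return attr_size != 0 && attr_size <= end - attr;
}

static const uint8_t *next_attribute (const uint8_t *cur, const uint8_t *end)
{
  const uint8_t *next = cur + u16at (cur, 4);
  return validate_attribute (next, end) ? next : NULL;
}

/* Look up the record of type `want`. The `cur &&` term is the guard from the
   thread: NULL compares below `end`, so without it the loop reads address 0
   and, as next_attribute (NULL, ...) is NULL again, never terminates. */
const uint8_t *find_attr (const uint8_t *attrs, size_t len, uint8_t want)
{
  const uint8_t *end = attrs + len, *cur = attrs;
  if (!validate_attribute (cur, end))
    return NULL;
  while (cur && cur < end && *cur != 0xFF)
    {
      if (*cur == want)
        return cur;
      cur = next_attribute (cur, end);
    }
  return NULL;
}
```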