Hi all,

We found a potentially exploitable out-of-bound vulnerability in the latest version of ntfs-3g (ntfs-3g-2017.3.23AR.6). It can be triggered by mounting a malformed ntfs image.

The root cause is that the content of "ATTR_RECORD" is not sanitized in "ntfs_inode_real_open". There are many ways to trigger this bug. One way to crash ntfs-3g is to provide a huge "value_offset" in an MFT entry. The content of an MFT entry propagates like this in ntfs_inode_real_open:

1. read into ni->mrec
2. passed into ctx->mrec and ctx->attr inside function ntfs_attr_get_search_ctx
3. used as std_info = (STANDARD_INFORMATION *)((u8 *)ctx->attr + le16_to_cpu(ctx->attr->value_offset));

Notice that ctx->attr points to the MFT entry and ctx->attr->value_offset is user-provided and not sanitized. If value_offset is huge, step 3 can lead to out-of-bound access. Apart from that, another unsanitized attribute "value_length" can potentially lead to overflow. But we didn't investigate further.

A sample ASAN report is attached. Please let us know if any additional information is needed to fix this bug.

Best,
Yihui Zeng, Kyle Akshay Ajayan

~~~
$ ./bins/asan-ntfs-3g ./minimized/min ./test
ntfs_mst_post_read_fixup_warn: magic: 0x454c4946 size: 1024 usa_ofs: 12336 usa_count: 12336: Invalid argument
ntfs_attr_open failed, inode 0 attr 0x10: No such file or directory
ntfs_mst_post_read_fixup_warn: magic: 0x454c4946 size: 1024 usa_ofs: 12336 usa_count: 12336: Invalid argument
=================================================================
==109990==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000004508 at pc 0x00000045eb4b bp 0x7ffc23913b70 sp 0x7ffc23913b68
READ of size 4 at 0x619000004508 thread T0
==109990==WARNING: invalid path to external symbolizer!
==109990==WARNING: Failed to use and restart external symbolizer!
    #0 0x45eb4a (/home/kylebot/Desktop/Targets/ntfs_fuzzer/bins/asan-ntfs-3g+0x45eb4a)
    #1 0x4d73bf (/home/kylebot/Desktop/Targets/ntfs_fuzzer/bins/asan-ntfs-3g+0x4d73bf)
    #2 0x4dbb30 (/home/kylebot/Desktop/Targets/ntfs_fuzzer/bins/asan-ntfs-3g+0x4dbb30)
    #3 0x3513e8 (/home/kylebot/Desktop/Targets/ntfs_fuzzer/bins/asan-ntfs-3g+0x3513e8)
    #4 0x7f74ae66c0b2 (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #5 0x27e56d (/home/kylebot/Desktop/Targets/ntfs_fuzzer/bins/asan-ntfs-3g+0x27e56d)

Address 0x619000004508 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kylebot/Desktop/Targets/ntfs_fuzzer/bins/asan-ntfs-3g+0x45eb4a)
Shadow bytes around the buggy address:
  0x0c327fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff88a0: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff88b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff88d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==109990==ABORTING
~~~
_______________________________________________ ntfs-3g-devel mailing list ntfs-3g-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
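The sanitization the report asks for, as an added example that is not ntfs-3g's own code and not part of the original mail: before deriving a pointer from an attribute's value_offset, check that the attribute record fits inside the MFT record, that value_offset lands inside the attribute record, and that value_length fits between value_offset and the end of the attribute. The field offsets follow the documented on-disk layout of a resident NTFS attribute header, but the constants, the little-endian helpers, the buffer size of 1024 bytes (the size printed in the report) and the constructed records built by build_record are assumptions made for this illustration; the stand-in names (attr_resident_value, check_case) are hypothetical and not ntfs-3g identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants for a resident NTFS attribute record. The field offsets
 * follow the documented on-disk layout; the names are hypothetical and this
 * is not ntfs-3g's ATTR_RECORD / MFT_RECORD code. */
#define MREC_SIZE            1024u  /* MFT record size printed in the report */
#define ATTR_TYPE_OFF        0u     /* u32 attribute type (0x10 = $STANDARD_INFORMATION) */
#define ATTR_LENGTH_OFF      4u     /* u32 total length of this attribute record */
#define ATTR_NONRES_OFF      8u     /* u8  non-resident flag */
#define ATTR_VALUE_LEN_OFF   16u    /* u32 value_length (resident form) */
#define ATTR_VALUE_OFS_OFF   20u    /* u16 value_offset (resident form) */
#define ATTR_RES_HDR_SIZE    24u    /* size of the resident attribute header */
#define STD_INFO_MIN_SIZE    48u    /* smallest $STANDARD_INFORMATION value we accept */

/* Explicit little-endian accessors: the on-disk fields are LE regardless of host. */
static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Validate the resident attribute at mrec[attr_off] and return a pointer to
 * its value, or NULL if any field would place the value outside the record
 * buffer. Each offset/length is checked against the structure that encloses
 * it, and every subtraction is guarded so the arithmetic cannot wrap. */
const uint8_t *attr_resident_value(const uint8_t *mrec, size_t mrec_size,
                                   size_t attr_off, size_t min_value_len)
{
    if (attr_off > mrec_size || mrec_size - attr_off < ATTR_RES_HDR_SIZE)
        return NULL;                          /* header itself must be in bounds */
    const uint8_t *a = mrec + attr_off;
    if (a[ATTR_NONRES_OFF] != 0)
        return NULL;                          /* resident form only */
    uint32_t length = rd_le32(a + ATTR_LENGTH_OFF);
    if (length < ATTR_RES_HDR_SIZE || length > mrec_size - attr_off)
        return NULL;                          /* attribute must fit the MFT record */
    uint32_t value_len = rd_le32(a + ATTR_VALUE_LEN_OFF);
    uint16_t value_ofs = rd_le16(a + ATTR_VALUE_OFS_OFF);
    if (value_ofs < ATTR_RES_HDR_SIZE || value_ofs > length)
        return NULL;                          /* value must start inside the attribute */
    if (value_len > length - value_ofs || value_len < min_value_len)
        return NULL;                          /* value must end inside the attribute */
    return a + value_ofs;
}

/* Build a constructed MFT record holding one resident attribute at attr_off. */
void build_record(uint8_t *mrec, size_t attr_off, uint32_t type,
                  uint32_t length, uint16_t value_ofs, uint32_t value_len)
{
    memset(mrec, 0, MREC_SIZE);
    uint8_t *a = mrec + attr_off;
    wr_le32(a + ATTR_TYPE_OFF, type);
    wr_le32(a + ATTR_LENGTH_OFF, length);
    a[ATTR_NONRES_OFF] = 0;
    wr_le32(a + ATTR_VALUE_LEN_OFF, value_len);
    wr_le16(a + ATTR_VALUE_OFS_OFF, value_ofs);
}

/* Run one constructed $STANDARD_INFORMATION attribute (at offset 56) through
 * the check. Returns the accepted value's offset from the start of the MFT
 * record, or -1 if the attribute was rejected. */
long check_case(uint32_t length, uint16_t value_ofs, uint32_t value_len)
{
    uint8_t mrec[MREC_SIZE];
    build_record(mrec, 56, 0x10, length, value_ofs, value_len);
    const uint8_t *v = attr_resident_value(mrec, MREC_SIZE, 56, STD_INFO_MIN_SIZE);
    return v ? (long)(v - mrec) : -1;
}

int main(void)
{
    printf("well-formed (len 96, ofs 24, vlen 72): %ld\n", check_case(96, 24, 72));
    printf("huge value_offset 0xFFF0:              %ld\n", check_case(96, 0xFFF0, 72));
    printf("huge value_length 0xFFFFFFFF:          %ld\n", check_case(96, 24, 0xFFFFFFFFu));
    printf("huge attribute length 0xFFFFFFFF:      %ld\n", check_case(0xFFFFFFFFu, 24, 72));
    return 0;
}
```

The well-formed record yields value offset 80 (56 + 24); the three malformed variants are rejected before any pointer is formed, which is the point at which the report's step 3 would otherwise read out of bounds.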