Hi all,

We found a potentially exploitable out-of-bounds vulnerability in the latest 
version of ntfs-3g (ntfs-3g-2017.3.23AR.6). It can be triggered by mounting a 
malformed NTFS image.
The root cause is that the content of "ATTR_RECORD" is not sanitized in 
"ntfs_inode_real_open".
There are many ways to trigger this bug. One way to crash ntfs-3g is to provide 
a huge "value_offset" in an MFT entry. The content of an MFT entry propagates 
like this in ntfs_inode_real_open:

1. read into ni->mrec

2. passed into ctx->mrec and ctx->attr inside function ntfs_attr_get_search_ctx

3. used as std_info = (STANDARD_INFORMATION *)((u8 *)ctx->attr 
   + le16_to_cpu(ctx->attr->value_offset));

Notice that ctx->attr points to the MFT entry and ctx->attr->value_offset is 
user-provided and not sanitized. If value_offset is huge, step 3 can lead to 
an out-of-bounds access.

Apart from that, another unsanitized attribute "value_length" can potentially 
lead to overflow. But we didn't investigate further.
A sample ASAN report is attached.
Please let us know if any additional information is needed to fix this bug.

Best,
Yihui Zeng, Kyle
Akshay Ajayan

~~~

$ ./bins/asan-ntfs-3g ./minimized/min ./test
ntfs_mst_post_read_fixup_warn: magic: 0x454c4946 size: 1024 usa_ofs: 12336 usa_count: 12336: Invalid argument
ntfs_attr_open failed, inode 0 attr 0x10: No such file or directory
ntfs_mst_post_read_fixup_warn: magic: 0x454c4946 size: 1024 usa_ofs: 12336 usa_count: 12336: Invalid argument
=================================================================
==109990==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000004508 at pc 0x00000045eb4b bp 0x7ffc23913b70 sp 0x7ffc23913b68
READ of size 4 at 0x619000004508 thread T0
==109990==WARNING: invalid path to external symbolizer!
==109990==WARNING: Failed to use and restart external symbolizer!
    #0 0x45eb4a (/home/kylebot/Desktop/Targets/ntfs_fuzzer/bins/asan-ntfs-3g+0x45eb4a)
    #1 0x4d73bf (/home/kylebot/Desktop/Targets/ntfs_fuzzer/bins/asan-ntfs-3g+0x4d73bf)
    #2 0x4dbb30 (/home/kylebot/Desktop/Targets/ntfs_fuzzer/bins/asan-ntfs-3g+0x4dbb30)
    #3 0x3513e8 (/home/kylebot/Desktop/Targets/ntfs_fuzzer/bins/asan-ntfs-3g+0x3513e8)
    #4 0x7f74ae66c0b2 (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #5 0x27e56d (/home/kylebot/Desktop/Targets/ntfs_fuzzer/bins/asan-ntfs-3g+0x27e56d)
Address 0x619000004508 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kylebot/Desktop/Targets/ntfs_fuzzer/bins/asan-ntfs-3g+0x45eb4a)

Shadow bytes around the buggy address:
0x0c327fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff88a0: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff88b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff88d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07

Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==109990==ABORTING
~~~
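The report above says the fix is to sanitize the ATTR_RECORD before step 3 dereferences `attr + value_offset`. The following is an added example, written for this page and not code from ntfs-3g or from the reporters, of what that bounds check looks like: it validates an attribute's `length`, `value_offset` and `value_length` against the enclosing MFT record before handing out a pointer to the value. The header field offsets (`type` u32, `length` u32, `non_resident` u8, ..., `value_length` u32 at 16, `value_offset` u16 at 20) are this example's assumption about the resident ATTR_RECORD layout, and the 1024-byte records it checks are constructed in memory, including one with a huge `value_offset` like the one in the report and one with a huge `value_length` like the one the reporters flagged but did not investigate.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed MFT record size (the ASAN report above shows size: 1024). */
#define MREC_SIZE 1024

/* Assumed offsets inside a resident ATTR_RECORD header (not taken from
 * ntfs-3g headers; treat as this example's assumption). */
#define ATTR_HDR_SIZE      24
#define ATTR_LENGTH_OFF     4
#define ATTR_NONRES_OFF     8
#define ATTR_VALUE_LEN_OFF 16
#define ATTR_VALUE_OFF_OFF 20

/* Little-endian accessors; the on-disk fields are little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 1 when the resident value of the attribute at attr_off lies entirely
 * inside both the attribute record and the MFT record, 0 otherwise.
 * Every comparison is written as "field > remaining space" so that a huge
 * value_offset or value_length cannot wrap an addition. */
int attr_value_in_bounds(const uint8_t *mrec, size_t mrec_size, size_t attr_off)
{
    if (attr_off > mrec_size || mrec_size - attr_off < ATTR_HDR_SIZE)
        return 0;                               /* header itself is out of record */
    const uint8_t *attr = mrec + attr_off;
    size_t attr_len = rd32(attr + ATTR_LENGTH_OFF);
    if (attr_len < ATTR_HDR_SIZE || attr_len > mrec_size - attr_off)
        return 0;                               /* attribute length is lying */
    if (attr[ATTR_NONRES_OFF] != 0)
        return 0;                               /* only resident values are checked here */
    size_t voff = rd16(attr + ATTR_VALUE_OFF_OFF);
    size_t vlen = rd32(attr + ATTR_VALUE_LEN_OFF);
    if (voff < ATTR_HDR_SIZE || voff > attr_len)
        return 0;                               /* value starts outside the attribute */
    if (vlen > attr_len - voff)
        return 0;                               /* value runs past the attribute */
    return 1;
}

/* Sanitized counterpart of step 3 in the report: the pointer is only formed
 * after the check passes, otherwise NULL. */
const uint8_t *attr_value_ptr(const uint8_t *mrec, size_t mrec_size, size_t attr_off)
{
    if (!attr_value_in_bounds(mrec, mrec_size, attr_off))
        return NULL;
    const uint8_t *attr = mrec + attr_off;
    return attr + rd16(attr + ATTR_VALUE_OFF_OFF);
}

/* Build a constructed record holding one resident attribute of type 0x10
 * at offset 56 with the given header fields; returns the attribute offset. */
size_t build_record(uint8_t *mrec, uint16_t value_offset, uint32_t value_length,
                    uint32_t attr_length)
{
    const size_t attr_off = 56;
    memset(mrec, 0, MREC_SIZE);
    memcpy(mrec, "FILE", 4);
    wr32(mrec + attr_off, 0x10);
    wr32(mrec + attr_off + ATTR_LENGTH_OFF, attr_length);
    mrec[attr_off + ATTR_NONRES_OFF] = 0;
    wr32(mrec + attr_off + ATTR_VALUE_LEN_OFF, value_length);
    wr16(mrec + attr_off + ATTR_VALUE_OFF_OFF, value_offset);
    return attr_off;
}

/* Four constructed records: one well-formed, three malformed in the ways
 * the report describes. */
static int check_with(uint16_t voff, uint32_t vlen, uint32_t alen)
{
    uint8_t m[MREC_SIZE];
    size_t off = build_record(m, voff, vlen, alen);
    return attr_value_in_bounds(m, MREC_SIZE, off);
}
int check_sane(void)            { return check_with(24, 48, 72); }
int check_huge_value_offset(void) { return check_with(0xFFF0, 48, 72); }
int check_huge_value_length(void) { return check_with(24, 0xFFFFFFFFu, 72); }
int check_huge_attr_length(void)  { return check_with(24, 48, 0xFFFFFFFFu); }

int main(void)
{
    printf("sane=%d huge_offset=%d huge_length=%d huge_attr_len=%d\n",
           check_sane(), check_huge_value_offset(),
           check_huge_value_length(), check_huge_attr_length());
    return 0;
}
```

The ordering of the checks matters: the attribute's own `length` is validated against the record first, and `value_offset`/`value_length` are then validated against that already-trusted `length`, so each comparison only ever involves values that are known to fit in the record. Rejecting the attribute (returning NULL) is the right outcome for a mount of an untrusted image; the caller then fails the inode open instead of reading past the `mrec` buffer as the ASAN trace shows.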

_______________________________________________
ntfs-3g-devel mailing list
ntfs-3g-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel