Date:      Sat, 02 Oct 2021 15:44:24 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 258870] sysutils/fusefs-ntfs -- ntfs-3g can crash if MFT has unexpected attributes
Message-ID:  <bug-258870-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258870

            Bug ID: 258870
           Summary: sysutils/fusefs-ntfs -- ntfs-3g can crash if MFT has
                    unexpected attributes
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
                CC: freebsd@dussan.org
             Flags: maintainer-feedback?(freebsd@dussan.org)

Created attachment 228379
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228379&action=edit
sysutils/fusefs-ntfs -- an NTFS disk image that causes ntfs-3g to crash

The attached NTFS disk image causes ntfs-3g (from fusefs-ntfs-2017.3.23)
to crash.

% gunzip ntx3.img.gz
% sudo mdconfig -f ntx3.img
% sudo ntfs-3g /dev/md0p1 /mnt
Segmentation fault

It looks like the problem is that ntx3.img has attributes on
the MFT which ntfs-3g doesn't expect; this causes ntfs_attr_lookup()
to call ntfs_external_attr_find() (line 3395 of attrib.c) during
mount, where I think the code is expecting no attributes and
to call ntfs_attr_find(); because in this path vol->mft_na is
still NULL (it hasn't yet been set by ntfs_mft_load()),
ntfs_extent_inode_open() crashes when it tries to use vol->mft_na.

The backtrace:

#0  0x00000000400c31ee in ntfs_extent_inode_open (base_ni=0x408690a0, mref=281474976710655) at inode.c:604
#1  0x00000000400b0112 in ntfs_external_attr_find (type=AT_STANDARD_INFORMATION, name=0x1ce7c <AT_UNNAMED>, name_len=0, ic=CASE_SENSITIVE, lowest_vcn=<optimized out>, val=0x0, val_len=0, ctx=0x40819080) at attrib.c:3177
#2  0x00000000400ad6c8 in ntfs_attr_lookup (type=AT_UNUSED, name=0xffffffffffff, name_len=1082413056, ic=CASE_SENSITIVE, lowest_vcn=0, val=0x409d8000 "\020", val_len=0, ctx=0x40819080) at attrib.c:3395
#3  0x00000000400ad196 in ntfs_attr_open (ni=0x408690a0, type=AT_STANDARD_INFORMATION, name=0x1ce7c <AT_UNNAMED>, name_len=0) at attrib.c:428
#4  0x00000000400b3ad4 in ntfs_attr_readall (ni=0x408690a0, type=AT_STANDARD_INFORMATION, name=0x40845000, name_len=0, data_size=0x0) at attrib.c:6658
#5  0x00000000400d6c20 in ntfs_attr_setup_flag (ni=<optimized out>) at volume.c:228
#6  0x00000000400d4816 in ntfs_mft_load (vol=0x40845000) at volume.c:315
#7  0x00000000400d4640 in ntfs_volume_startup (dev=0x4083f030, flags=<optimized out>) at volume.c:625
#8  0x00000000400d52f2 in ntfs_device_mount (dev=0x0, flags=436207616) at volume.c:929
#9  0x00000000400d63b0 in ntfs_mount (name=<optimized out>, flags=436207616) at volume.c:1386

My machine:

FreeBSD xxx 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24 07:33:27 UTC 2021 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

--
You are receiving this mail because:
You are the assignee for the bug.
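
Added example, not part of the original report and not ntfs-3g code: a minimal C model of the failure described above, where a record that claims external attributes is looked up before the volume's MFT handle exists, with a guard that turns the NULL dereference into a mount error. Every struct and function name is a hypothetical stand-in; the record number 0xFFFFFFFFFFFF is the mref value shown in frame #0 of the backtrace.

```c
/* Simplified model, NOT ntfs-3g source; every name here is a hypothetical stand-in. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

struct mft_stream { uint64_t nr_records; };    /* role of the opened $MFT data attribute */
struct volume { struct mft_stream *mft_na; };  /* NULL until the MFT load step completes */
struct inode {
    struct volume *vol;
    int has_attr_list;     /* taken from untrusted on-disk record contents */
    uint64_t extent_mref;  /* record number named by the attribute list */
};

/* Extent records are read through vol->mft_na, so validate it before use. */
static int extent_record_open(const struct inode *base, uint64_t mref)
{
    const struct mft_stream *na = base->vol->mft_na;
    if (na == NULL)
        return -EIO;       /* bootstrap unfinished: fail the mount instead of dereferencing */
    if (mref >= na->nr_records)
        return -ERANGE;    /* reference points outside the MFT */
    return 0;
}

/* In-record search unless the record claims an attribute list. */
static int attr_lookup(const struct inode *ni)
{
    if (!ni->has_attr_list)
        return 0;          /* in-record path never touches vol->mft_na */
    return extent_record_open(ni, ni->extent_mref);
}

/* Constructed case: mount-time lookup on the MFT's own record. */
static int lookup_during_bootstrap(int has_attr_list)
{
    struct volume vol = { NULL };
    struct inode mft = { &vol, has_attr_list, 0xFFFFFFFFFFFFULL };
    return attr_lookup(&mft);
}

/* Constructed case: the same lookup once an MFT handle with 64 records exists. */
static int lookup_after_bootstrap(uint64_t mref)
{
    struct mft_stream na = { 64 };
    struct volume vol = { &na };
    struct inode ni = { &vol, 1, mref };
    return attr_lookup(&ni);
}
int main(void) { printf("%d %d\n", lookup_during_bootstrap(1), lookup_after_bootstrap(5)); return 0; }
```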


