Date:      Tue, 09 Apr 2024 21:51:53 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 278281] /usr/sbin/fstyp potential read through wild pointer
Message-ID:  <bug-278281-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278281

            Bug ID: 278281
           Summary: /usr/sbin/fstyp potential read through wild pointer
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 249865
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=249865&action=edit
file system image that causes fstyp's fstyp_ntfs() to crash

This code in fstyp's ntfs.c fstyp_ntfs():

        filerecp = read_buf(fp, voloff, recsize);
        ...;
        for (ap = filerecp + fr->fr_attroff;
            atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1;
            ap += atr->reclen) {

can cause ap and atr to have crazy values if the filesystem being
inspected provides something bad for atr->reclen.

If atr->reclen == 0, it's an infinite loop.

Separately, in hammer2.c read_label(), "vols[i] = read_buf(...)" can
be NULL, but the next line dereferences vols[i] without checking.

I've attached a demo for the first bug:

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #21
main-n269145-3e1c8a35f741-dirty: Sat Apr  6 15:52:00 AST 2024
root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# gunzip fstyp6b.img.gz
# fstyp -u -l fstyp6b.img
Segmentation fault


Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257)
    at /usr/src/usr.sbin/fstyp/ntfs.c:169
169                 atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1;
(gdb) where
#0  fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257)
    at /usr/src/usr.sbin/fstyp/ntfs.c:169
#1  0x0000000001024a6c in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/usr.sbin/fstyp/fstyp.c:240

-- 
You are receiving this mail because:
You are the assignee for the bug.
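As an added illustration of the attribute-walk problem the report describes (this is not FreeBSD's fstyp code, and it is not the fix that landed in the tree), the following walker keeps every read inside the file record it was given. It uses a simplified two-field attribute header (a_type, reclen) rather than the full NTFS layout, decodes fields as little-endian through memcpy-style helpers instead of casting a pointer into the buffer, and treats three malformed cases the original loop does not: a header that would start past the end of the record, reclen == 0 (the infinite loop), and a reclen that runs past the record (the wild pointer). The sample records are constructed in memory for the demo; the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTFS_ATTR_END    0xFFFFFFFFu   /* a_type of the list terminator */
#define NTFS_ATTR_HDRLEN 8             /* a_type + reclen in this cut-down header */

/* On-disk NTFS fields are little-endian; decode explicitly instead of
 * dereferencing a struct pointer placed over the buffer. */
static uint32_t
get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	    (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void
put_le32(uint8_t *p, uint32_t v)
{
	p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/*
 * Walk the attribute records of a file record of recsize bytes whose
 * attribute list starts at attroff.  Returns the number of attributes
 * before the end marker, or -1 if the record is malformed.  Every byte
 * read lies inside [rec, rec + recsize).
 */
int
ntfs_walk_attrs(const uint8_t *rec, size_t recsize, size_t attroff)
{
	size_t off = attroff;
	int count = 0;

	for (;;) {
		uint32_t a_type, reclen;

		/* A full header must fit before we look at it (also catches
		 * an attroff beyond the record, which the original trusts). */
		if (off > recsize || recsize - off < NTFS_ATTR_HDRLEN)
			return -1;
		a_type = get_le32(rec + off);
		reclen = get_le32(rec + off + 4);

		if (a_type == NTFS_ATTR_END)
			return count;

		/* reclen == 0 would never advance; a reclen shorter than the
		 * header overlaps itself; one past the record walks off it. */
		if (reclen < NTFS_ATTR_HDRLEN || reclen > recsize - off)
			return -1;

		off += reclen;
		count++;
	}
}

/* Constructed 64-byte record: two attributes then the terminator. */
int
demo_wellformed(void)
{
	uint8_t rec[64];

	memset(rec, 0, sizeof(rec));
	put_le32(rec + 16, 0x10); put_le32(rec + 20, 24);
	put_le32(rec + 40, 0x30); put_le32(rec + 44, 16);
	put_le32(rec + 56, NTFS_ATTR_END); put_le32(rec + 60, 0);
	return ntfs_walk_attrs(rec, sizeof(rec), 16);
}

/* Constructed record whose first attribute carries the given reclen;
 * 0 reproduces the infinite-loop case, 100 the out-of-record case. */
int
demo_bad_reclen(uint32_t reclen)
{
	uint8_t rec[64];

	memset(rec, 0, sizeof(rec));
	put_le32(rec + 16, 0x10); put_le32(rec + 20, reclen);
	return ntfs_walk_attrs(rec, sizeof(rec), 16);
}

/* Constructed record with no terminator: the last attribute ends exactly
 * at the record boundary, so there is no room for another header. */
int
demo_unterminated(void)
{
	uint8_t rec[64];

	memset(rec, 0, sizeof(rec));
	put_le32(rec + 16, 0x10); put_le32(rec + 20, 48);
	return ntfs_walk_attrs(rec, sizeof(rec), 16);
}

int
main(void)
{
	printf("wellformed=%d zero=%d overlong=%d unterminated=%d\n",
	    demo_wellformed(), demo_bad_reclen(0), demo_bad_reclen(100),
	    demo_unterminated());
	return 0;
}
```

The same discipline applies to the hammer2 issue in the report: a read_buf() result is checked for NULL before anything is dereferenced, in the same way this walker checks that a header fits before decoding it.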



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-278281-227>