From owner-freebsd-bugs@FreeBSD.ORG Tue Jul 24 11:00:11 2007
Message-Id: <200707241059.l6OAx3cw053576@www.freebsd.org>
Date: Tue, 24 Jul 2007 10:59:03 GMT
From: Ighighi
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/114856: [PATCH]: Bug in NTFS allows bogus file modes.
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Date: Tue, 24 Jul 2007 11:00:10 GMT
List-Id: Bug reports

>Number:         114856
>Category:       kern
>Synopsis:       [PATCH]: Bug in NTFS allows bogus file modes.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 24 11:00:10 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Ighighi
>Release:        6.2-STABLE
>Organization:
>Environment:
FreeBSD orion 6.2-STABLE FreeBSD 6.2-STABLE #0: Thu Jul 19 17:44:47 VET 2007 root@orion:/usr/obj/usr/src/sys/CUSTOM i386
>Description:
There's a bug in the NTFS code that lets the user specify file mode bits other than 0777, allowing for hijacking the file's type in strange ways.
>How-To-Repeat:
$ id
uid=501(ighighi) gid=501(ighighi) groups=501(ighighi),69(network)
$ sysctl vfs.usermount
vfs.usermount: 1
$ mkdir /tmp/mnt
$ /sbin/mount_ntfs -o ro -m 010555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
?rwxr-xr-x  1 ighighi  wheel  0 Apr 22  2009 /tmp/mnt
$ /sbin/umount /tmp/mnt
$ /sbin/mount_ntfs -o ro -m 020555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
brwxr-xr-x  1 ighighi  wheel    0,   0 Apr 22  2009 /tmp/mnt
$ /sbin/umount /tmp/mnt
$ /sbin/mount_ntfs -o ro -m 040555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
total 425220
srwxr-xr-x  1 ighighi  wheel       2560 Apr 22  2009 $AttrDef
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 $BadClus
srwxr-xr-x  1 ighighi  wheel     183248 Apr 22  2009 $Bitmap
srwxr-xr-x  1 ighighi  wheel       8192 Apr 26  2006 $Boot
drwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 $Extend
srwxr-xr-x  1 ighighi  wheel   32129024 Apr 26  2006 $LogFile
srwxr-xr-x  1 ighighi  wheel       4096 Apr 26  2006 $MFTMirr
srwxr-xr-x  1 ighighi  wheel          0 Apr 22  2009 $Secure
srwxr-xr-x  1 ighighi  wheel     131072 Apr 22  2009 $UpCase
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 $Volume
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 AUTOEXEC.BAT
srwxr-xr-x  1 ighighi  wheel       4952 Dec 22  2002 Bootfont.bin
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 CONFIG.SYS
drwxr-xr-x  1 ighighi  wheel          0 Jun 29  2006 Documents and Settings
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 IO.SYS
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 MSDOS.SYS
drwxr-xr-x  1 ighighi  wheel          0 Apr 27  2006 MSOCache
srwxr-xr-x  1 ighighi  wheel      47564 Aug  3  2004 NTDETECT.COM
drwxr-xr-x  1 ighighi  wheel          0 Jul  6  2006 RECYCLER
drwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 System Volume Information
drwxr-xr-x  1 ighighi  wheel          0 Feb  8 01:56 WINDOWS
srwxr-xr-x  1 ighighi  wheel        211 Apr 26  2006 boot.ini
drwxr-xr-x  1 ighighi  wheel          0 Dec 18  2006 cygwin
srwxr-xr-x  1 ighighi  wheel     250640 Aug  3  2004 ntldr
srwxr-xr-x  1 ighighi  wheel  402653184 Jul 22 23:56 pagefile.sys
drwxr-xr-x  1 ighighi  wheel          0 Dec 18  2006 rsyncd
$ /sbin/umount /tmp/mnt
$ /sbin/mount_ntfs -o ro -m 100555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
srwxr-xr-x  1 ighighi  wheel  0 Apr 22  2009 /tmp/mnt
$ /sbin/umount /tmp/mnt
$ /sbin/mount_ntfs -o ro -m 120555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
wrwxr-xr-x  1 ighighi  wheel  0 Apr 22  2009 /tmp/mnt
$ /sbin/umount /tmp/mnt
>Fix:
The attached patch performs the same masking as in sys/fs/msdosfs/msdosfs_vfsops.c. It was successfully built and tested on 6.2-STABLE and known to patch against -CURRENT.

Maybe we should patch mount_ntfs(8) too to remind the user that "only the nine low-order bits of mask are used", just as mount_msdosfs(8) does...

Patch attached with submission follows:

--- src/sys/fs/ntfs/ntfs_vfsops.c.orig	2006-10-10 05:43:20.000000000 -0400
+++ src/sys/fs/ntfs/ntfs_vfsops.c	2007-07-24 06:28:22.368847737 -0400
@@ -42,6 +42,7 @@
 #include
 #include
 #include
+#include /* ACCESSPERMS */
 #include
 #include
@@ -318,7 +319,7 @@ ntfs_mountfs(devvp, mp, td)
 	if (1 == vfs_scanopt(mp->mnt_optnew, "gid", "%d", &v))
 		ntmp->ntm_gid = v;
 	if (1 == vfs_scanopt(mp->mnt_optnew, "mode", "%d", &v))
-		ntmp->ntm_mode = v;
+		ntmp->ntm_mode = v & ACCESSPERMS;
 	vfs_flagopt(mp->mnt_optnew, "caseins", &ntmp->ntm_flag,
 	    NTFS_MFLAG_CASEINS);
 	vfs_flagopt(mp->mnt_optnew,
>Release-Note:
>Audit-Trail:
>Unformatted:
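Review bot: in the first hunk the header name on the added `+#include /* ACCESSPERMS */` line is not visible as the patch appears here (the angle-bracketed names on the surrounding `#include` context lines are gone as well, so this is extraction loss rather than the patch itself), which leaves the include unreviewable as shown. ACCESSPERMS is defined in <sys/stat.h> on FreeBSD, so the committer should confirm that the added line names that header and that it is not already among the six includes this hunk sits in, in which case the addition is redundant and the hunk reduces to nothing.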
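Review bot: in the second hunk `ntmp->ntm_mode = v & ACCESSPERMS;` silently discards every bit above 0777: the S_IFMT bits that produce the bogus `?`, `b`, `s` and `w` types in How-To-Repeat, and also setuid/setgid/sticky, which matches the mount_msdosfs(8) wording the submitter quotes ("only the nine low-order bits of mask are used"). An alternative worth weighing is to reject a value with bits outside ACCESSPERMS with EINVAL so that a mistyped -m is reported instead of masked. The change only covers the vfs_scanopt path, so whatever initialises ntm_mode before this point should be checked to hold a plain permission mask too, and the mount_ntfs(8) manual page note the submitter suggests belongs in the same commit.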