[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 3/6] fs/ntfs: Fix an OOB read when parsing directory ent
|
From: |
Daniel Kiper |
|
Subject: |
[SECURITY PATCH 3/6] fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes |
|
Date: |
Tue, 3 Oct 2023 19:12:25 +0200 |
From: Maxim Suhanov <dfirblog@gmail.com>
This fix introduces checks to ensure that index entries are never read
beyond the corresponding directory index.
The lack of this check is a minor issue, likely not exploitable in any way.
Reported-by: Maxim Suhanov <dfirblog@gmail.com>
Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/ntfs.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
index a68e173d8..2d78b96e1 100644
--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
@@ -599,7 +599,7 @@ get_utf8 (grub_uint8_t *in, grub_size_t len)
}
static int
-list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
+list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, grub_uint8_t
*end_pos,
grub_fshelp_iterate_dir_hook_t hook, void *hook_data)
{
grub_uint8_t *np;
@@ -610,6 +610,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
grub_uint8_t namespace;
char *ustr;
+ if ((pos >= end_pos) || (end_pos - pos < 0x52))
+ break;
+
if (pos[0xC] & 2) /* end signature */
break;
@@ -617,6 +620,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
ns = *(np++);
namespace = *(np++);
+ if (2 * ns > end_pos - pos - 0x52)
+ break;
+
/*
* Ignore files in DOS namespace, as they will reappear as Win32
* names.
@@ -806,7 +812,9 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
}
cur_pos += 0x10; /* Skip index root */
- ret = list_file (mft, cur_pos + u16at (cur_pos, 0), hook, hook_data);
+ ret = list_file (mft, cur_pos + u16at (cur_pos, 0),
+ at->mft->buf + (at->mft->data->mft_size <<
GRUB_NTFS_BLK_SHR),
+ hook, hook_data);
if (ret)
goto done;
@@ -893,6 +901,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
(const grub_uint8_t *) "INDX")))
goto done;
ret = list_file (mft, &indx[0x18 + u16at (indx, 0x18)],
+ indx + (mft->data->idx_size <<
GRUB_NTFS_BLK_SHR),
hook, hook_data);
if (ret)
goto done;
--
2.11.0
- [SECURITY PATCH 0/6] GRUB2 NTFS driver vulnerabilities - 2023/10/03, Daniel Kiper, 2023/10/03
- [SECURITY PATCH 1/6] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file, Daniel Kiper, 2023/10/03
- [SECURITY PATCH 2/6] fs/ntfs: Fix an OOB read when reading data from the resident $DATA attribute, Daniel Kiper, 2023/10/03
- [SECURITY PATCH 3/6] fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes,
Daniel Kiper <=
- [SECURITY PATCH 4/6] fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes, Daniel Kiper, 2023/10/03
- [SECURITY PATCH 5/6] fs/ntfs: Fix an OOB read when parsing a volume label, Daniel Kiper, 2023/10/03
- [SECURITY PATCH 6/6] fs/ntfs: Make code more readable, Daniel Kiper, 2023/10/03