279cc2d1 MK |
1 | From: Maxim Suhanov <dfirblog@gmail.com> |
2 | Date: Mon, 28 Aug 2023 16:33:17 +0300 | |
3 | Subject: fs/ntfs: Fix an OOB read when parsing directory entries from | |
4 | resident and non-resident index attributes | |
5 | ||
6 | This fix introduces checks to ensure that index entries are never read | |
7 | beyond the corresponding directory index. | |
8 | ||
9 | The lack of this check is a minor issue, likely not exploitable in any way. | |
10 | ||
11 | Reported-by: Maxim Suhanov <dfirblog@gmail.com> | |
12 | Signed-off-by: Maxim Suhanov <dfirblog@gmail.com> | |
13 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | |
14 | --- | |
15 | grub-core/fs/ntfs.c | 13 +++++++++++-- | |
16 | 1 file changed, 11 insertions(+), 2 deletions(-) | |
17 | ||
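diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
index a68e173..2d78b96 100644
--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
@@ -599,7 +599,7 @@ get_utf8 (grub_uint8_t *in, grub_size_t len)
 }
 
 static int
-list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
+list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, grub_uint8_t *end_pos,
 grub_fshelp_iterate_dir_hook_t hook, void *hook_data)
 {
 grub_uint8_t *np;
@@ -610,6 +610,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
 grub_uint8_t namespace;
 char *ustr;
 
+ if ((pos >= end_pos) || (end_pos - pos < 0x52))
+ break;
+
 if (pos[0xC] & 2) /* end signature */
 break;
 
@@ -617,6 +620,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
 ns = *(np++);
 namespace = *(np++);
 
+ if (2 * ns > end_pos - pos - 0x52)
+ break;
+
 /*
 * Ignore files in DOS namespace, as they will reappear as Win32
 * names.
@@ -806,7 +812,9 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
 }
 
 cur_pos += 0x10; /* Skip index root */
- ret = list_file (mft, cur_pos + u16at (cur_pos, 0), hook, hook_data);
+ ret = list_file (mft, cur_pos + u16at (cur_pos, 0),
+ at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
+ hook, hook_data);
 if (ret)
 goto done;
 
@@ -893,6 +901,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
 (const grub_uint8_t *) "INDX")))
 goto done;
 ret = list_file (mft, &indx[0x18 + u16at (indx, 0x18)],
+ indx + (mft->data->idx_size << GRUB_NTFS_BLK_SHR),
 hook, hook_data);
 if (ret)
 goto done;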
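Review bot: In the resident-index call in grub_ntfs_iterate_dir, the bound passed as `end_pos` is `at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)`, which appears to be the end of the whole MFT record buffer rather than the end of the index root attribute, so the new checks in list_file keep reads inside the allocation but would still accept entries laid over bytes that belong to other attributes of the same record. If the attribute's own length is reachable at that call site, bounding by it would match the commit message; otherwise a comment such as `/* end_pos is the end of the MFT record buffer, not of the index root attribute */` would state the weaker guarantee. That call also passes `mft` as the first argument while deriving the bound from `at->mft`; presumably they are the same object, but using one name would remove the doubt. Both new checks in list_file leave through a bare `break`, so unless code outside these hunks reports it, a corrupt index looks the same to the caller as a normal end of directory, and `0x52` (presumably the fixed part of an entry up to the name) would be clearer as a named constant. The bodies of list_file and grub_ntfs_iterate_dir extend beyond the hunks shown.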