Heap overflow in ntfsck

[msuhanov]

Hello.

I have found a vulnerability in the NTFS-3G driver, specifically in the ntfsck tool (see: ntfsprogs/ntfsck.c).

In the check_file_record function, the update sequence array is applied, but no proper boundary checks are implemented, so the function can write bytes from the update sequence array beyond the buffer being checked.

The vulnerable code is here:

usa_ofs = le16_to_cpu(mft_rec->usa_ofs);
usa_count = le16_to_cpu(mft_rec->usa_count);

[...]

// Remove update seq & check it.
usa = *(u16*)(buffer+usa_ofs); // The value that should be at the end of every sector.
assert_u32_equal(usa_count-1, buflen/NTFS_BLOCK_SIZE, "USA length");
for (i=1;i<usa_count;i++) {
    u16 *fixup = (u16*)(buffer+NTFS_BLOCK_SIZE*i-2); // the value at the end of the sector.
    u16 saved_val = *(u16*)(buffer+usa_ofs+2*i); // the actual data value that was saved in the us array.

    assert_u32_equal(*fixup, usa, "fixup");
    *fixup = saved_val; // remove it.
}

If buflen is 1024, but the update sequence array contains 4 entries (including the first one, which you call usa), the loop will replace bytes 3 times, at the following offsets: buffer+512*1−2 (within the buffer), buffer+512*2−2 (within the buffer), buffer+512*3−2 (beyond the allocated buffer size). (The offset of the first attribute should be set to make room for additional entries in the update sequence array, so the usa_ofs+usa_count <= attrs_offset check is passed.)

Thus, bytes beyond the allocated buffer can be replaced, this is a heap overflow.

It should be noted that the assert_u32_equal function just reports the errors, it doesn’t terminate the execution flow.

Since the ntfsck tool is used in some GNU/Linux distributions (it’s fsck.ntfs in Fedora), I strongly suggest implementing a fix.

---

Report date (to info at tuxera dot com): 2021-09-24. No reply.
Ping (to info at tuxera dot com): 2021-09-29. No reply.

[jpandre]

Hmm,

assert_u32_equal(usa_count-1, buflen/NTFS_BLOCK_SIZE, "USA length");

should probably be

if (assert_u32_equal(usa_count-1, buflen/NTFS_BLOCK_SIZE, "USA length"))
   return (1)

Thanks for reporting.

Note : ntfsck does nothing useful, it has been put into the quarantine section, and the distributions should not use it.

[msuhanov]

Fedora is using it.

https://src.fedoraproject.org/rpms/ntfs-3g/blob/rawhide/f/ntfs-3g.spec#_100
https://src.fedoraproject.org/rpms/ntfs-3g/blob/rawhide/f/ntfs-3g_ntfsprogs-2011.10.9-RC-ntfsck-unsupported-return-0.patch

Actually, I also reported this to Red Hat Security Team, including this message:

The issue affects Fedora 35 (Beta) and 34 (older versions not tested).
 
The vulnerability is in the ntfsck tool, which is marked as quarantined by the vendor (this means the tool isn’t performing well), but it’s used as fsck.ntfs in Fedora.
 
I have attached a sample disk image and a screenshot (you can see the tool reporting more writes than needed, although an out-of-bounds write doesn’t result in a crash).
 
The disclosure date is going to be 2021-11-20 (or later).

The answer was:

Hi Guito [sic],
 
Apologies for the delayed response.
 
We Red Hat Product Security deals with the vulnerabilities which are shipped in our enterprise products and I can see NTFS-3G is shipped in our community products (Fedora & epel), please report this to upstream.
 
Please let me know if you have any questions.
--
Best Regards,
Dhananjay Arunesh / Red Hat Product Security

[jpandre]

Fixed in ntfs-3g-2022.5.17