New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Heap overflow in ntfsck #16
Comments
Hmm,
should probably be
Thanks for reporting. Note : ntfsck does nothing useful, it has been put into the quarantine section, and the distributions should not use it. |
Fedora is using it. https://src.fedoraproject.org/rpms/ntfs-3g/blob/rawhide/f/ntfs-3g.spec#_100 Actually, I also reported this to Red Hat Security Team, including this message:
The answer was:
|
Fixed in ntfs-3g-2022.5.17 |
Hello.
I have found a vulnerability in the NTFS-3G driver, specifically in the ntfsck tool (see: ntfsprogs/ntfsck.c).
In the check_file_record function, the update sequence array is applied, but no proper boundary checks are implemented, so the function can write bytes from the update sequence array beyond the buffer being checked.
The vulnerable code is here:
If buflen is 1024, but the update sequence array contains 4 entries (including the first one, which you call usa), the loop will replace bytes 3 times, at the following offsets:
buffer+512*1−2
(within the buffer),buffer+512*2−2
(within the buffer),buffer+512*3−2
(beyond the allocated buffer size). (The offset of the first attribute should be set to make room for additional entries in the update sequence array, so the usa_ofs+usa_count <= attrs_offset check is passed.)Thus, bytes beyond the allocated buffer can be replaced, this is a heap overflow.
It should be noted that the assert_u32_equal function just reports the errors, it doesn’t terminate the execution flow.
Since the ntfsck tool is used in some GNU/Linux distributions (it’s fsck.ntfs in Fedora), I strongly suggest implementing a fix.
Report date (to info at tuxera dot com): 2021-09-24. No reply.
Ping (to info at tuxera dot com): 2021-09-29. No reply.
The text was updated successfully, but these errors were encountered: