Skip to content

fuzzrf/netbsd_hfs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
test.img
test.img
 
 

Repository files navigation

NetBSD hfs local overflow

Bug details:

size_t
hfslib_reada_node_offsets(void* in_bytes, uint16_t* out_offset_array)
{
        void*           ptr;

        if (in_bytes == NULL || out_offset_array == NULL)
                return 0;

        ptr = in_bytes;

        /*
         * The offset for record 0 (which is the very last offset in the node) is
         * always equal to 14, the size of the node descriptor. So, once we hit
         * offset=14, we know this is the last offset. In this way, we don't need
         * to know the number of records beforehand.
         */
        out_offset_array--;
        do {
                out_offset_array++;
                *out_offset_array = be16tohp(&ptr);
        } while (*out_offset_array != (uint16_t)14);

        return ((uint8_t*)ptr - (uint8_t*)in_bytes);
}

while loop has no range checks, so we can overflow out_offset_array array.

How to test:

1. enable user mounts
# sysctl -w vfs.generic.usermount=1


2. mount test.img

About

NetBSD hfs overflow

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages