From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 278281] /usr/sbin/fstyp potential read through wild pointer
Date: Tue, 09 Apr 2024 21:51:53 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: CURRENT
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: rtm@lcs.mit.edu
X-Bugzilla-Status: New
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278281

            Bug ID: 278281
           Summary: /usr/sbin/fstyp potential read through wild pointer
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 249865
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=249865&action=edit
file system image that causes fstyp's fstyp_ntfs() to crash

This code in fstyp's ntfs.c fstyp_ntfs():

    filerecp = read_buf(fp, voloff, recsize);
    ...;
    for (ap = filerecp + fr->fr_attroff;
         atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1;
         ap += atr->reclen) {

can cause ap and atr to have crazy values if the filesystem being
inspected provides something bad for atr->reclen. If atr->reclen == 0,
it's an infinite loop.

Separately, in hammer2.c read_label(), "vols[i] = read_buf(...)" can be
NULL, but the next line dereferences vols[i] without checking.

I've attached a demo for the first bug:

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #21 main-n269145-3e1c8a35f741-dirty: Sat Apr  6 15:52:00 AST 2024     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# gunzip fstyp6b.img.gz
# fstyp -u -l fstyp6b.img
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257)
    at /usr/src/usr.sbin/fstyp/ntfs.c:169
169         atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1;
(gdb) where
#0  fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257)
    at /usr/src/usr.sbin/fstyp/ntfs.c:169
#1  0x0000000001024a6c in main (argc=, argv=)
    at /usr/src/usr.sbin/fstyp/fstyp.c:240

-- 
You are receiving this mail because:
You are the assignee for the bug.
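The defect in the report is an attribute walk that trusts two on-disk fields, fr_attroff and reclen, to stay inside the buffer read_buf() returned. The following is an added example, not fstyp's code and not the FreeBSD fix: it walks the same kind of length-prefixed attribute list over a caller-supplied buffer and rejects every input class the report names (a start offset past the end, reclen of zero, a reclen that overruns the record, and a list with no -1 terminator). The two-field attr_hdr layout, the ATTR_END value and the sample images are constructed for the demo and are not copied from ntfs.c; each demo_* function returns the walker's result so the behaviour can be checked.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified attribute header: only the two fields the
 * reported loop actually consumes (type, then record length). This
 * layout is an assumption for the demo, not the ntfs.c definition. */
struct attr_hdr {
    uint32_t a_type;
    uint32_t reclen;
};

/* (int)a_type == -1 marks the end of the list, as in the report. */
#define ATTR_END 0xffffffffu

/* Walk the attribute list in [buf, buf + len) starting at attroff.
 * Every read is preceded by a bounds check, so untrusted reclen and
 * attroff values cannot move the cursor outside the buffer.
 * Returns the number of attributes before the terminator, or -1 if the
 * data is inconsistent: offset past end, header truncated, reclen
 * smaller than a header (covers reclen == 0, the infinite-loop case),
 * record overrunning the buffer, or no terminator before the end. */
int walk_attrs(const uint8_t *buf, size_t len, size_t attroff)
{
    size_t off = attroff;
    int count = 0;

    for (;;) {
        /* A full header must fit before a_type / reclen are read. */
        if (off > len || len - off < sizeof(struct attr_hdr))
            return -1;

        struct attr_hdr h;
        memcpy(&h, buf + off, sizeof h);   /* copy out: no wild/unaligned deref */

        if (h.a_type == ATTR_END)
            return count;

        /* reclen == 0 would never advance; anything below a header is bogus. */
        if (h.reclen < sizeof(struct attr_hdr))
            return -1;
        /* The whole record must lie inside the buffer (len - off is safe:
         * off <= len was established above). */
        if (h.reclen > len - off)
            return -1;

        count++;
        off += h.reclen;
    }
}

/* Write one constructed attribute header at p (little-endian host assumed
 * only for the sake of the sample image; memcpy keeps it alignment-safe). */
static void put_attr(uint8_t *p, uint32_t type, uint32_t reclen)
{
    memcpy(p, &type, sizeof type);
    memcpy(p + sizeof type, &reclen, sizeof reclen);
}

/* Well-formed constructed image: two attributes then a terminator. */
int demo_good(void)
{
    uint8_t img[64] = {0};
    put_attr(img + 8,  0x10, 16);       /* attribute 1 at 8, 16 bytes   */
    put_attr(img + 24, 0x30, 24);       /* attribute 2 at 24, 24 bytes  */
    put_attr(img + 48, ATTR_END, 0);    /* terminator                   */
    return walk_attrs(img, sizeof img, 8);
}

/* reclen == 0: the unchecked loop in the report would spin forever. */
int demo_zero_reclen(void)
{
    uint8_t img[64] = {0};
    put_attr(img + 8, 0x10, 0);
    return walk_attrs(img, sizeof img, 8);
}

/* Oversized reclen: the unchecked loop would read far past the record. */
int demo_huge_reclen(void)
{
    uint8_t img[64] = {0};
    put_attr(img + 8, 0x10, 0x7fffff00u);
    return walk_attrs(img, sizeof img, 8);
}

/* fr_attroff pointing past the end of the record buffer. */
int demo_bad_attroff(void)
{
    uint8_t img[64] = {0};
    return walk_attrs(img, sizeof img, 4000);
}

int main(void)
{
    printf("good image:        %d attributes\n", demo_good());
    printf("reclen == 0:       %d\n", demo_zero_reclen());
    printf("oversized reclen:  %d\n", demo_huge_reclen());
    printf("attroff past end:  %d\n", demo_bad_attroff());
    return 0;
}
```

The same "validate before use" rule covers the second finding in the report: a read_buf() result is checked for NULL before anything is read through it, and a failed check ends the probe for that filesystem rather than continuing with a pointer whose target is unknown.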