kern/114856: [PATCH]: Bug in NTFS allows bogus file modes.

Ighighi ighighi at gmail.com
Tue Jul 24 11:00:11 UTC 2007


>Number:         114856
>Category:       kern
>Synopsis:       [PATCH]: Bug in NTFS allows bogus file modes.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 24 11:00:10 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Ighighi
>Release:        6.2-STABLE
>Organization:
>Environment:
FreeBSD orion 6.2-STABLE FreeBSD 6.2-STABLE #0: Thu Jul 19 17:44:47 VET 2007     root at orion:/usr/obj/usr/src/sys/CUSTOM  i386
>Description:
There's a bug in the NTFS code that lets the user specify file mode bits other
than 0777 allowing for hijacking the file's type in strange ways.
>How-To-Repeat:
$ id
uid=501(ighighi) gid=501(ighighi) groups=501(ighighi),69(network)
$ sysctl vfs.usermount
vfs.usermount: 1
$ mkdir /tmp/mnt

$ /sbin/mount_ntfs -o ro -m 010555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
?rwxr-xr-x  1 ighighi  wheel  0 Apr 22  2009 /tmp/mnt
$ /sbin/umount /tmp/mnt

$ /sbin/mount_ntfs -o ro -m 020555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
brwxr-xr-x  1 ighighi  wheel    0,   0 Apr 22  2009 /tmp/mnt
$ /sbin/umount /tmp/mnt

$ /sbin/mount_ntfs -o ro -m 040555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
total 425220
srwxr-xr-x  1 ighighi  wheel       2560 Apr 22  2009 $AttrDef
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 $BadClus
srwxr-xr-x  1 ighighi  wheel     183248 Apr 22  2009 $Bitmap
srwxr-xr-x  1 ighighi  wheel       8192 Apr 26  2006 $Boot
drwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 $Extend
srwxr-xr-x  1 ighighi  wheel   32129024 Apr 26  2006 $LogFile
srwxr-xr-x  1 ighighi  wheel       4096 Apr 26  2006 $MFTMirr
srwxr-xr-x  1 ighighi  wheel          0 Apr 22  2009 $Secure
srwxr-xr-x  1 ighighi  wheel     131072 Apr 22  2009 $UpCase
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 $Volume
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 AUTOEXEC.BAT
srwxr-xr-x  1 ighighi  wheel       4952 Dec 22  2002 Bootfont.bin
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 CONFIG.SYS
drwxr-xr-x  1 ighighi  wheel          0 Jun 29  2006 Documents and Settings
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 IO.SYS
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 MSDOS.SYS
drwxr-xr-x  1 ighighi  wheel          0 Apr 27  2006 MSOCache
srwxr-xr-x  1 ighighi  wheel      47564 Aug  3  2004 NTDETECT.COM
drwxr-xr-x  1 ighighi  wheel          0 Jul  6  2006 RECYCLER
drwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 System Volume Information
drwxr-xr-x  1 ighighi  wheel          0 Feb  8 01:56 WINDOWS
srwxr-xr-x  1 ighighi  wheel        211 Apr 26  2006 boot.ini
drwxr-xr-x  1 ighighi  wheel          0 Dec 18  2006 cygwin
srwxr-xr-x  1 ighighi  wheel     250640 Aug  3  2004 ntldr
srwxr-xr-x  1 ighighi  wheel  402653184 Jul 22 23:56 pagefile.sys
drwxr-xr-x  1 ighighi  wheel          0 Dec 18  2006 rsyncd
$ /sbin/umount /tmp/mnt

$ /sbin/mount_ntfs -o ro -m 100555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
srwxr-xr-x  1 ighighi  wheel  0 Apr 22  2009 /tmp/mnt
$ /sbin/umount /tmp/mnt

$ /sbin/mount_ntfs -o ro -m 120555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
wrwxr-xr-x  1 ighighi  wheel  0 Apr 22  2009 /tmp/mnt
$ /sbin/umount /tmp/mnt


>Fix:
The attached patch performs the same masking as in sys/fs/msdosfs/msdosfs_vfsops.c.
It was successfully built and tested on 6.2-STABLE and known to patch against -CURRENT.

Maybe we should patch mount_ntfs(8) too to remind the user that "only the nine 
low-order bits of mask are used", just as mount_msdosfs(8) does...


Patch attached with submission follows:

--- src/sys/fs/ntfs/ntfs_vfsops.c.orig	2006-10-10 05:43:20.000000000 -0400
+++ src/sys/fs/ntfs/ntfs_vfsops.c	2007-07-24 06:28:22.368847737 -0400
@@ -42,6 +42,7 @@
 #include <sys/fcntl.h>
 #include <sys/malloc.h>
 #include <sys/systm.h>
+#include <sys/stat.h>	/* ACCESSPERMS */
 
 #include <geom/geom.h>
 #include <geom/geom_vfs.h>
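Review bot: the new #include <sys/stat.h> is appended after <sys/systm.h>, which breaks the alphabetical order the neighbouring sys/ headers follow (fcntl.h, malloc.h, systm.h). Placing it between <sys/malloc.h> and <sys/systm.h> keeps the block sorted. The trailing /* ACCESSPERMS */ comment is useful for explaining why the header is needed and can stay.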
@@ -318,7 +319,7 @@ ntfs_mountfs(devvp, mp, td)
 	if (1 == vfs_scanopt(mp->mnt_optnew, "gid", "%d", &v))
 		ntmp->ntm_gid = v;
 	if (1 == vfs_scanopt(mp->mnt_optnew, "mode", "%d", &v))
-		ntmp->ntm_mode = v;
+		ntmp->ntm_mode = v & ACCESSPERMS;
 	vfs_flagopt(mp->mnt_optnew,
 	    "caseins", &ntmp->ntm_flag, NTFS_MFLAG_CASEINS);
 	vfs_flagopt(mp->mnt_optnew,
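Review bot: on the changed line ntmp->ntm_mode = v & ACCESSPERMS; the extra bits are dropped silently, so a caller who passes a mode with file-type or setuid/setgid/sticky bits gets a successful mount with a different mode than requested and no diagnostic. Consider either rejecting such a value with an error before the assignment, or at least adding a short comment here stating that only the nine permission bits are honoured, and updating mount_ntfs(8) as the submission itself suggests. The neighbouring "gid" assignment (and any other option parsed into v) takes the value as is; that is outside this fix but worth a glance for the same class of problem.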


>Release-Note:
>Audit-Trail:
>Unformatted:
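
The ls output in How-To-Repeat is consistent with the stat path ORing each vnode's type bits into the mount-wide mode. The C program below is an added example (not part of this PR or of the FreeBSD source) that models that assumption and shows what the ACCESSPERMS mask changes; stat_mode(), type_char() and the X_ constants are hypothetical names, with the constant values being the standard file-type bits.

```c
#include <stdio.h>

/* File-type field and permission mask; octal values as in <sys/stat.h>. */
#define X_IFMT        0170000
#define X_IFDIR       0040000
#define X_IFREG       0100000
#define X_ACCESSPERMS 0000777

/* Assumed model: the vnode's type bits are ORed into the mount mode. */
static unsigned stat_mode(unsigned mount_mode, unsigned vnode_type, int patched)
{
    if (patched)
        mount_mode &= X_ACCESSPERMS;    /* the fix: v & ACCESSPERMS */
    return mount_mode | vnode_type;
}

/* First character ls -l prints for a mode; '?' for an undefined type. */
static char type_char(unsigned mode)
{
    switch (mode & X_IFMT) {
    case 0010000: return 'p';
    case 0020000: return 'c';
    case 0040000: return 'd';
    case 0060000: return 'b';
    case 0100000: return '-';
    case 0120000: return 'l';
    case 0140000: return 's';
    case 0160000: return 'w';
    default:      return '?';
    }
}

int main(void)
{
    /* The -m values from the How-To-Repeat session (octal). */
    static const unsigned modes[] = { 010555, 020555, 040555, 0100555, 0120555 };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        unsigned m = modes[i];
        printf("-m %06o  dir: %c -> %c   file: %c -> %c\n", m,
            type_char(stat_mode(m, X_IFDIR, 0)), type_char(stat_mode(m, X_IFDIR, 1)),
            type_char(stat_mode(m, X_IFREG, 0)), type_char(stat_mode(m, X_IFREG, 1)));
    }
    return 0;
}
```

Each output line gives the type character before and after masking, for a directory and for a regular file on the mounted volume.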

