https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278281
Bug ID: 278281
Summary: /usr/sbin/fstyp potential read through wild pointer
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: [email protected]
Reporter: [email protected]
Created attachment 249865
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=249865&action=edit
file system image that causes fstyp's fstyp_ntfs() to crash
This code in fstyp's ntfs.c fstyp_ntfs():
filerecp = read_buf(fp, voloff, recsize);
...;
for (ap = filerecp + fr->fr_attroff;
atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1;
ap += atr->reclen) {
can cause ap and atr to have crazy values if the filesystem being
inspected provides something bad for atr->reclen.
If atr->reclen == 0, it's an infinite loop.
Separately, in hammer2.c read_label(), "vols[i] = read_buf(...)" can
be NULL, but the next line dereferences vols[i] without checking.
I've attached a demo for the first bug:
# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #21
main-n269145-3e1c8a35f741-dirty: Sat Apr 6 15:52:00 AST 2024
root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# gunzip fstyp6b.img.gz
# fstyp -u -l fstyp6b.img
Segmentation fault
Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257)
at /usr/src/usr.sbin/fstyp/ntfs.c:169
169 atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1;
(gdb) where
#0 fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257)
at /usr/src/usr.sbin/fstyp/ntfs.c:169
#1 0x0000000001024a6c in main (argc=<optimized out>, argv=<optimized out>)
at /usr/src/usr.sbin/fstyp/fstyp.c:240
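A bounds-checked version of the attribute walk the report describes, as an added example that is neither FreeBSD's fstyp code nor the reporter's. It assumes only the two header fields the loop actually reads (a 32-bit a_type followed by a 32-bit reclen, little-endian, at the start of each attribute, which matches NTFS on disk; the real struct ntfs_attr has more fields). The file records it parses are constructed inline and are not taken from the attached fstyp6b.img; they reproduce the two failure modes named in the report (reclen == 0 and an absurdly large reclen) plus a bad fr_attroff, and the checks are deliberately written so that no arithmetic on the untrusted values can overflow or step outside recsize.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed attribute header layout: only the fields the walk consults. */
struct attr_hdr {
    uint32_t a_type;
    uint32_t reclen;
};

#define ATTR_END 0xFFFFFFFFu   /* (int)a_type == -1 in the fstyp loop */

/* Walk the attribute list of one file record of recsize bytes, starting at
 * attroff. Returns the number of attributes, or -1 if the record is
 * malformed. Offsets are compared against recsize before every read, and
 * reclen is rejected if it is shorter than a header (including 0, which
 * would make the original loop spin forever) or would leave the buffer. */
static int walk_attrs(const uint8_t *rec, size_t recsize, size_t attroff)
{
    size_t off = attroff;
    int n = 0;

    for (;;) {
        struct attr_hdr atr;

        /* Need a_type to test for the terminator; fr_attroff is untrusted. */
        if (off > recsize || recsize - off < sizeof(atr.a_type))
            return -1;
        memcpy(&atr.a_type, rec + off, sizeof(atr.a_type));
        if (atr.a_type == ATTR_END)
            return n;

        /* A real attribute must carry a full header. */
        if (recsize - off < sizeof(atr))
            return -1;
        memcpy(&atr, rec + off, sizeof(atr));

        /* reclen < header size: either 0 (infinite loop) or overlapping. */
        if (atr.reclen < sizeof(atr))
            return -1;
        /* Subtraction form: off + reclen could wrap, recsize - off cannot. */
        if (atr.reclen > recsize - off)
            return -1;

        n++;
        off += atr.reclen;
    }
}

/* Store a little-endian 32-bit value, returning the next offset. */
static size_t put32(uint8_t *buf, size_t off, uint32_t v)
{
    buf[off] = (uint8_t)v;
    buf[off + 1] = (uint8_t)(v >> 8);
    buf[off + 2] = (uint8_t)(v >> 16);
    buf[off + 3] = (uint8_t)(v >> 24);
    return off + 4;
}

/* Constructed 64-byte record: 8-byte pseudo header, attr 0x10 (16 bytes),
 * attr 0x30 (24 bytes), terminator. The walk should report 2 attributes. */
static int check_good(void)
{
    uint8_t rec[64] = {0};
    size_t o = 8;
    o = put32(rec, o, 0x10); put32(rec, o, 16);
    o = 8 + 16;
    o = put32(rec, o, 0x30); put32(rec, o, 24);
    put32(rec, 8 + 16 + 24, ATTR_END);
    return walk_attrs(rec, sizeof rec, 8);
}

/* Constructed record whose first attribute has reclen == 0. */
static int check_zero_reclen(void)
{
    uint8_t rec[64] = {0};
    size_t o = put32(rec, 8, 0x10);
    put32(rec, o, 0);
    return walk_attrs(rec, sizeof rec, 8);
}

/* Constructed record whose reclen points far beyond the buffer. */
static int check_huge_reclen(void)
{
    uint8_t rec[64] = {0};
    size_t o = put32(rec, 8, 0x10);
    put32(rec, o, 0x7FFFFFF0u);
    return walk_attrs(rec, sizeof rec, 8);
}

/* Constructed record whose fr_attroff lies outside the record. */
static int check_bad_attroff(void)
{
    uint8_t rec[64] = {0};
    put32(rec, 8, ATTR_END);
    return walk_attrs(rec, sizeof rec, 4000);
}

int main(void)
{
    printf("well-formed record: %d attributes\n", check_good());
    printf("reclen == 0:        %d\n", check_zero_reclen());
    printf("huge reclen:        %d\n", check_huge_reclen());
    printf("bad attroff:        %d\n", check_bad_attroff());
    return 0;
}
```

The same discipline applies to the hammer2 read_label() case mentioned in the report: read_buf() returning NULL has to be tested before vols[i] is touched, exactly as attroff and reclen are tested here before they are used as offsets.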