[SECURITY PATCH 4/6] fs/ntfs: Fix an OOB read when parsing bitmaps for i

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY PATCH 4/6] fs/ntfs: Fix an OOB read when parsing bitmaps for i

From:	Daniel Kiper
Subject:	[SECURITY PATCH 4/6] fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
Date:	Tue, 3 Oct 2023 19:12:26 +0200

From: Maxim Suhanov <dfirblog@gmail.com>

This fix introduces checks to ensure that bitmaps for directory indices
are never read beyond their actual sizes.

The lack of this check is a minor issue, likely not exploitable in any way.

Reported-by: Maxim Suhanov <dfirblog@gmail.com>
Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/ntfs.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
index 2d78b96e1..bb70c89fb 100644
--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
@@ -843,6 +843,25 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
 
          if (is_resident)
            {
+              if (bitmap_len > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+               {
+                 grub_error (GRUB_ERR_BAD_FS, "resident bitmap too large");
+                 goto done;
+               }
+
+              if (cur_pos >= at->mft->buf + (at->mft->data->mft_size << 
GRUB_NTFS_BLK_SHR))
+               {
+                 grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
+                 goto done;
+               }
+
+              if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) >
+                 (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << 
GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos)
+               {
+                 grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
+                 goto done;
+               }
+
               grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14),
                            bitmap_len);
            }
-- 
2.11.0

[Prev in Thread]

Current Thread

[Next in Thread]

[SECURITY PATCH 0/6] GRUB2 NTFS driver vulnerabilities - 2023/10/03, Daniel Kiper, 2023/10/03
- [SECURITY PATCH 1/6] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file, Daniel Kiper, 2023/10/03
- [SECURITY PATCH 2/6] fs/ntfs: Fix an OOB read when reading data from the resident $DATA attribute, Daniel Kiper, 2023/10/03
- [SECURITY PATCH 3/6] fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes, Daniel Kiper, 2023/10/03
- [SECURITY PATCH 4/6] fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes, Daniel Kiper <=
- [SECURITY PATCH 5/6] fs/ntfs: Fix an OOB read when parsing a volume label, Daniel Kiper, 2023/10/03
- [SECURITY PATCH 6/6] fs/ntfs: Make code more readable, Daniel Kiper, 2023/10/03

Prev by Date: [SECURITY PATCH 3/6] fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes
Next by Date: [SECURITY PATCH 5/6] fs/ntfs: Fix an OOB read when parsing a volume label
Previous by thread: [SECURITY PATCH 3/6] fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes
Next by thread: [SECURITY PATCH 5/6] fs/ntfs: Fix an OOB read when parsing a volume label
Index(es):
- Date
- Thread