Out of bounds memory read in function ntfs_inode_real_open() 

I'll attach a malformed ntfs image (zip'ed due to size) that will cause an invalid memory read in ntfsfix. This was found with the fuzzing tool american fuzzy lop.

Here's a stack trace / error message from Address Sanitizer (test with -fsanitize=address in CFLAGS):
Code:
==6128==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000009508 at pc 0x000000577536 bp 0x7ffdc7d179d0 sp 0x7ffdc7d179c8
READ of size 4 at 0x619000009508 thread T0
    #0 0x577535 in ntfs_inode_real_open /mnt/ram/ntfs-3g_ntfsprogs-2016.2.22/libntfs-3g/inode.c:196:24
    #1 0x577535 in ntfs_inode_open /mnt/ram/ntfs-3g_ntfsprogs-2016.2.22/libntfs-3g/inode.c:481
    #2 0x5c5e1c in ntfs_mftmirr_load /mnt/ram/ntfs-3g_ntfsprogs-2016.2.22/libntfs-3g/volume.c:426:20
    #3 0x5c5e1c in ntfs_volume_startup /mnt/ram/ntfs-3g_ntfsprogs-2016.2.22/libntfs-3g/volume.c:622
    #4 0x5029dc in fix_mount /mnt/ram/ntfs-3g_ntfsprogs-2016.2.22/ntfsprogs/ntfsfix.c:1528:11
    #5 0x5029dc in main /mnt/ram/ntfs-3g_ntfsprogs-2016.2.22/ntfsprogs/ntfsfix.c:1590
    #6 0x7fdf18a55690 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x4197c8 in _start (/mnt/ram/ntfs-3g_ntfsprogs-2016.2.22/ntfsprogs/ntfsfix+0x4197c8)


Attachments:
File comment: malformed ntfs file triggering invalid memory read
ntfsfix-oob-heap-read-ntfs_inode_real_open.zip [611 Bytes]
Fri Nov 18, 2016 16:52
NTFS-3G Lead Developer

Hi,

Can you retry with ntfs-3g-2016.2.22AR.2? ntfsfix outputs a bunch of errors, but it does not hang.

There has been a recent fix to the validation of protected records (not yet included in a stable version).

Regards

Jean-Pierre


Fri Nov 18, 2016 22:50
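
The thread does not state the root cause or show the fix. As an added illustration (not part of either post, and not ntfs-3g code), this is the general kind of check that "validation of records" implies: every offset and size taken from an on-disk MFT record header is compared against the buffer before anything is read through it. The function names, return codes and sample record are constructed for this example; the field offsets follow the standard NTFS MFT record header layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian reads that do not assume alignment of the on-disk buffer. */
static uint32_t le16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (le16(p + 2) << 16); }

/* Hypothetical validator: returns 0 if the header is self-consistent,
 * or a negative code naming the first check that failed. */
int mft_record_check(const uint8_t *rec, size_t len)
{
    if (len < 32) return -1;                       /* fields read below end at offset 32 */
    if (memcmp(rec, "FILE", 4) != 0) return -2;    /* record magic */
    uint32_t usa_ofs   = le16(rec + 4);            /* update sequence array offset */
    uint32_t usa_count = le16(rec + 6);            /* number of 16-bit USA entries */
    uint32_t attrs_ofs = le16(rec + 20);           /* offset of first attribute */
    uint32_t in_use    = le32(rec + 24);           /* bytes_in_use */
    uint32_t allocated = le32(rec + 28);           /* bytes_allocated */
    if (allocated > len) return -3;                /* record claims more than was read */
    if (in_use > allocated) return -4;
    if (usa_ofs + 2 * usa_count > allocated) return -5;
    /* The first attribute's 4-byte type field must lie inside the used area. */
    if ((attrs_ofs & 7) || attrs_ofs < 32 || attrs_ofs + 4 > in_use) return -6;
    return 0;
}

/* Constructed sample: a minimal 1024-byte record holding only an end marker. */
void make_sample(uint8_t rec[1024])
{
    memset(rec, 0, 1024);
    memcpy(rec, "FILE", 4);
    rec[4] = 0x30; rec[6] = 3;        /* usa_ofs = 0x30, usa_count = 3 */
    rec[20] = 0x38;                   /* attrs_offset = 0x38 */
    rec[24] = 0x40;                   /* bytes_in_use = 0x40 */
    rec[29] = 0x04;                   /* bytes_allocated = 0x400 */
    memset(rec + 0x38, 0xFF, 4);      /* attribute type 0xFFFFFFFF (end marker) */
}

int main(void)
{
    uint8_t rec[1024];
    make_sample(rec);
    printf("well-formed: %d\n", mft_record_check(rec, sizeof rec));
    rec[20] = 0xF8; rec[21] = 0xFF;   /* corrupt attrs_offset to 0xFFF8 */
    printf("bad attrs_offset: %d\n", mft_record_check(rec, sizeof rec));
    return 0;
}
```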