grub-devel.gnu.org archive mirror
 help / color / mirror / Atom feed
From: Daniel Kiper <daniel.kiper@oracle.com>
To: grub-devel@gnu.org
Cc: dfirblog@gmail.com
Subject: [SECURITY PATCH 1/6] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file
Date: Tue,  3 Oct 2023 19:12:23 +0200	[thread overview]
Message-ID: <20231003171228.17251-1-daniel.kiper@oracle.com> (raw)
In-Reply-To: <ZRxK8s4nQV2jBq/9@tomti.i.net-space.pl>

From: Maxim Suhanov <dfirblog@gmail.com>

When parsing an extremely fragmented $MFT file, i.e., the file described
using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
containing bytes read from the underlying drive to store sector numbers,
which are consumed later to read data from these sectors into another buffer.

These sectors numbers, two 32-bit integers, are always stored at predefined
offsets, 0x10 and 0x14, relative to first byte of the selected entry within
the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.

However, when parsing a specially-crafted file system image, this may cause
the NTFS code to write these integers beyond the buffer boundary, likely
causing the GRUB memory allocator to misbehave or fail. These integers contain
values which are controlled by on-disk structures of the NTFS file system.

Such modification and resulting misbehavior may touch a memory range not
assigned to the GRUB and owned by firmware or another EFI application/driver.

This fix introduces checks to ensure that these sector numbers are never
written beyond the boundary.

Fixes: CVE-2023-4692

Reported-by: Maxim Suhanov <dfirblog@gmail.com>
Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/ntfs.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
index bbdbe24ad..c3c4db117 100644
--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
     }
   if (at->attr_end)
     {
-      grub_uint8_t *pa;
+      grub_uint8_t *pa, *pa_end;
 
       at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
       if (at->emft_buf == NULL)
@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
 	    }
 	  at->attr_nxt = at->edat_buf;
 	  at->attr_end = at->edat_buf + u32at (pa, 0x30);
+	  pa_end = at->edat_buf + n;
 	}
       else
 	{
 	  at->attr_nxt = at->attr_end + u16at (pa, 0x14);
 	  at->attr_end = at->attr_end + u32at (pa, 4);
+	  pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
 	}
       at->flags |= GRUB_NTFS_AF_ALST;
       while (at->attr_nxt < at->attr_end)
@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
 	  at->flags |= GRUB_NTFS_AF_GPOS;
 	  at->attr_cur = at->attr_nxt;
 	  pa = at->attr_cur;
+
+	  if ((pa >= pa_end) || (pa_end - pa < 0x18))
+	    {
+	      grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
+	      return NULL;
+	    }
+
 	  grub_set_unaligned32 ((char *) pa + 0x10,
 				grub_cpu_to_le32 (at->mft->data->mft_start));
 	  grub_set_unaligned32 ((char *) pa + 0x14,
@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
 	    {
 	      if (*pa != attr)
 		break;
+
+              if ((pa >= pa_end) || (pa_end - pa < 0x18))
+                {
+	          grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
+	          return NULL;
+	        }
+
 	      if (read_attr
 		  (at, pa + 0x10,
 		   u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
-- 
2.11.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

  reply	other threads:[~2023-10-03 17:13 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-03 17:10 [SECURITY PATCH 0/6] GRUB2 NTFS driver vulnerabilities - 2023/10/03 Daniel Kiper
2023-10-03 17:12 ` Daniel Kiper [this message]
2023-10-03 17:12 ` [SECURITY PATCH 2/6] fs/ntfs: Fix an OOB read when reading data from the resident $DATA attribute Daniel Kiper
2023-10-03 17:12 ` [SECURITY PATCH 3/6] fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes Daniel Kiper
2023-10-03 17:12 ` [SECURITY PATCH 4/6] fs/ntfs: Fix an OOB read when parsing bitmaps for " Daniel Kiper
2023-10-03 17:12 ` [SECURITY PATCH 5/6] fs/ntfs: Fix an OOB read when parsing a volume label Daniel Kiper
2023-10-03 17:12 ` [SECURITY PATCH 6/6] fs/ntfs: Make code more readable Daniel Kiper

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231003171228.17251-1-daniel.kiper@oracle.com \
    --to=daniel.kiper@oracle.com \
    --cc=dfirblog@gmail.com \
    --cc=grub-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).