lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 14 Aug 2020 17:30:16 +0200
From:   Aurélien Aptel <aaptel@...e.com>
To:     Konstantin Komarov <almaz.alexandrovich@...agon-software.com>,
        "viro@...iv.linux.org.uk" <viro@...iv.linux.org.uk>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>
Subject: Re: [PATCH] fs: NTFS read-write driver GPL implementation by
 Paragon Software.

I've tried this using libntfs-3g mkfs.ntfs

# mkfs.ntfs /dev/vb1
# mount -t ntfs3 /dev/vb1 /mnt

This already triggered UBSAN:

 ================================================================================
 UBSAN: object-size-mismatch in fs/ntfs3/super.c:834:16
 load of address 000000006ae096b5 with insufficient space
 for an object of type 'const char'
 CPU: 3 PID: 1248 Comm: mount Not tainted 5.8.0+ #4
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014
 Call Trace:
  dump_stack+0x78/0xa0
  ubsan_epilogue+0x5/0x40
  ubsan_type_mismatch_common.cold+0xc8/0xcd
  __ubsan_handle_type_mismatch_v1+0x32/0x37
  ntfs_fill_super+0x9f/0x13e0
  ? vsnprintf+0x1ef/0x4f0
  mount_bdev+0x193/0x1c0

Which points to:

	sb->s_magic = *(unsigned long *)s_magic; /* TODO */

Maybe store ('n'<<32)|('t'<<24)|('f'<<16)|('s'<<8) ?
Seems harmless.

* * *

Then I've tried to copy /etc into it:

# cp -rp /etc /mnt

But this triggered a NULL ptr deref:

 BUG: kernel NULL pointer dereference, address: 0000000000000028
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0 
 Oops: 0000 [#1] SMP NOPTI
 CPU: 0 PID: 1255 Comm: cp Not tainted 5.8.0+ #4
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014
 RIP: 0010:ntfs_insert_security+0x187/0x4a0
 Code: 00 48 83 c4 18 85 c0 0f 85 54 01 00 00 48 8b 44 24 50 49 8d b5 d8 01 00 00 8b 54 24 60 83 c3 14 48 89 74 24 30 48 85 c0 74 3a <39> 58 28 0f 84 7e 01 00 00 49 89 e8 48 8d 4c 24 50 4c 89 f2 4c 89
 RSP: 0018:ffffac73403dfc58 EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000064 RCX: 0000000000000010
 RDX: 00000000000000b0 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: ffff94154ed5fe00 R08: 0000000000000000 R09: 0000000000000001
 R10: ffff9415781a6180 R11: 0000000000000003 R12: ffff94155c989800
 R13: ffff94151e8d2a38 R14: ffff9415781a6170 R15: ffff9415781173f0
 FS:  00007fd19b86e580(0000) GS:ffff94157dc00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000028 CR3: 000000001ac2a000 CR4: 0000000000350ef0
 Call Trace:
  ? mark_held_locks+0x49/0x70
  ? lockdep_hardirqs_on_prepare+0xf7/0x190
  ? ktime_get_coarse_real_ts64+0x9e/0xd0
  ? trace_hardirqs_on+0x1c/0xe0
  ntfs_create_inode+0x2db/0x11c0
  ntfs_mkdir+0x58/0x90
  vfs_mkdir+0x109/0x1f0
  do_mkdirat+0x81/0x120
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x7fd19ad54dd7
 Code: 00 b8 ff ff ff ff c3 0f 1f 40 00 48 8b 05 b9 70 2c 00 64 c7 00 5f 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 70 2c 00 f7 d8 64 89 01 48
 RSP: 002b:00007ffec3c41588 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fd19ad54dd7
 RDX: 00000000000c0001 RSI: 00000000000001c0 RDI: 000055cad585fcf0
 RBP: 00007ffec3c41990 R08: 00007ffec3c41b50 R09: 00007fd19ada55c0
 R10: 00000000000001ef R11: 0000000000000206 R12: 00007ffec3c41b50
 R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffec3c437be


(gdb) list *(ntfs_insert_security+0x187)
0xffffffff814e5097 is in ntfs_insert_security (fs/ntfs3/fsntfs.c:1811).
1806
1807            if (!e)
1808                    goto insert_security;
1809
1810    next_security:
1811            if (le32_to_cpu(e->sec_hdr.size) != new_sec_size)
1812                    goto skip_read_sds;
1813
1814            err = ntfs_read_run_nb(sbi, &ni->file.run, le64_to_cpu(e->sec_hdr.off),
1815                                   d_security, new_sec_size, NULL);

(gdb) disas /s ntfs_insert_security
....
1811            if (le32_to_cpu(e->sec_hdr.size) != new_sec_size)
   0xffffffff814e5097 <+391>:   cmp    %ebx,0x28(%rax) <=====
   0xffffffff814e509a <+394>:   je     0xffffffff814e521e <ntfs_insert_security+782>

(gdb) p/x (int)&((NTFS_DE_SDH*)0)->sec_hdr.size
$4 = 0x28

So I think 'e' is NULL. Not sure how it can happen.

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)

Powered by blists - more mailing lists