d2fcd91e36
(CVE-2023-4692) (CVE-2023-4693) Resolves: #2236613 Resolves: #2241978 Resolves: #2241976 Resolves: #2238343 Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
59 lines
2.0 KiB
Diff
59 lines
2.0 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Maxim Suhanov <dfirblog@gmail.com>
|
|
Date: Tue, 3 Oct 2023 19:12:27 +0200
|
|
Subject: [PATCH] fs/ntfs: Fix an OOB read when parsing a volume label
|
|
|
|
This fix introduces checks to ensure that an NTFS volume label is always
|
|
read from the corresponding file record segment.
|
|
|
|
The current NTFS code allows the volume label string to be read from an
|
|
arbitrary, attacker-chosen memory location. However, the bytes read are
|
|
always treated as UTF-16LE. So, the final string displayed is mostly
|
|
unreadable and it can't be easily converted back to raw bytes.
|
|
|
|
The lack of this check is a minor issue, likely not causing a significant
|
|
data leak.
|
|
|
|
Reported-by: Maxim Suhanov <dfirblog@gmail.com>
|
|
Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/fs/ntfs.c | 18 +++++++++++++++++-
|
|
1 file changed, 17 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
|
|
index 74515114287f..32ba8276dd8d 100644
|
|
--- a/grub-core/fs/ntfs.c
|
|
+++ b/grub-core/fs/ntfs.c
|
|
@@ -1209,13 +1209,29 @@ grub_ntfs_label (grub_device_t device, char **label)
|
|
|
|
init_attr (&mft->attr, mft);
|
|
pa = find_attr (&mft->attr, GRUB_NTFS_AT_VOLUME_NAME);
|
|
+
|
|
+ if (pa >= mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR))
|
|
+ {
|
|
+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
|
|
+ goto fail;
|
|
+ }
|
|
+
|
|
+ if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa < 0x16)
|
|
+ {
|
|
+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
|
|
+ goto fail;
|
|
+ }
|
|
+
|
|
if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10)))
|
|
{
|
|
int len;
|
|
|
|
len = u32at (pa, 0x10) / 2;
|
|
pa += u16at (pa, 0x14);
|
|
- *label = get_utf8 (pa, len);
|
|
+ if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len)
|
|
+ *label = get_utf8 (pa, len);
|
|
+ else
|
|
+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
|
|
}
|
|
|
|
fail:
|