CVE-2021-46790: Heap overflow in ntfsck · Issue #16 · tuxera/ntfs-3g

ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow involving buffer+512*3-2. NOTE: the upstream position is that ntfsck is deprecated; however, it is shipped by some Linux distributions.

Hello.

I have found a vulnerability in the NTFS-3G driver, specifically in the ntfsck tool (see: ntfsprogs/ntfsck.c).

In the check_file_record function, the update sequence array is applied, but no proper boundary checks are implemented, so the function can write bytes from the update sequence array beyond the buffer being checked.

The vulnerable code is here:

usa_ofs = le16_to_cpu(mft_rec->usa_ofs);
usa_count = le16_to_cpu(mft_rec->usa_count);

[...]

// Remove update seq & check it.
usa = *(u16*)(buffer+usa_ofs); // The value that should be at the end of every sector.
assert_u32_equal(usa_count-1, buflen/NTFS_BLOCK_SIZE, "USA length");
for (i=1;i<usa_count;i++) {
    u16 *fixup = (u16*)(buffer+NTFS_BLOCK_SIZE*i-2); // the value at the end of the sector.
    u16 saved_val = *(u16*)(buffer+usa_ofs+2*i); // the actual data value that was saved in the us array.

    assert_u32_equal(*fixup, usa, "fixup");
    *fixup = saved_val; // remove it.
}

If buflen is 1024, but the update sequence array contains 4 entries (including the first one, which you call usa), the loop will replace bytes 3 times, at the following offsets: buffer+512*1-2 (within the buffer), buffer+512*2-2 (within the buffer), buffer+512*3-2 (beyond the allocated buffer size). (The offset of the first attribute should be set to make room for additional entries in the update sequence array, so the usa_ofs+usa_count <= attrs_offset check is passed.)

Thus, bytes beyond the allocated buffer can be replaced; this is a heap overflow.

It should be noted that the assert_u32_equal function just reports the errors, it doesn’t terminate the execution flow.

Since the ntfsck tool is used in some GNU/Linux distributions (it’s fsck.ntfs in Fedora), I strongly suggest implementing a fix.

Report date (to info at tuxera dot com): 2021-09-24. No reply.
Ping (to info at tuxera dot com): 2021-09-29. No reply.
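As an added illustration (not code from ntfs-3g or from the reporter), here is the same fixup loop written so that a malformed update sequence array is rejected before any byte is written: the record with buflen 1024 and four USA entries described above fails the count check and is left untouched. It assumes the standard NTFS record header layout (usa_ofs at byte 4, usa_count at byte 6) and uses its own helper names and a constructed sample record.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NTFS_BLOCK_SIZE 512

/* Little-endian 16-bit access to raw on-disk record bytes. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Apply update-sequence fixups in place.  usa_ofs lives at byte 4 and
 * usa_count at byte 6 of the record header.  Returns 0 on success, -1 if
 * the record is malformed; on -1 nothing has been written to buf. */
int apply_fixups_checked(uint8_t *buf, size_t buflen)
{
    if (buflen < 8 || buflen % NTFS_BLOCK_SIZE != 0)
        return -1;
    uint16_t usa_ofs = rd16(buf + 4), usa_count = rd16(buf + 6);
    /* Exactly one USN entry plus one fixup per sector: this rejects the
     * usa_count=4 on a 1024-byte record from the report instead of
     * letting the loop write at buffer+512*3-2. */
    if (usa_count < 2 || (size_t)usa_count - 1 != buflen / NTFS_BLOCK_SIZE)
        return -1;
    /* The whole array must sit past the header and inside the buffer. */
    if (usa_ofs < 8 || (size_t)usa_ofs + 2 * (size_t)usa_count > buflen)
        return -1;
    uint16_t usn = rd16(buf + usa_ofs);
    /* Verify every sector tail first so a bad record is never half-fixed. */
    for (size_t i = 1; i < usa_count; i++)
        if (rd16(buf + NTFS_BLOCK_SIZE * i - 2) != usn)
            return -1;
    for (size_t i = 1; i < usa_count; i++)
        wr16(buf + NTFS_BLOCK_SIZE * i - 2, rd16(buf + usa_ofs + 2 * i));
    return 0;
}

/* Constructed test record: USN 0x1234 at usa_ofs, saved tail values
 * 0xA000+i after it, every in-buffer sector tail overwritten with the USN. */
void build_record(uint8_t *buf, size_t buflen, uint16_t usa_ofs, uint16_t usa_count)
{
    memset(buf, 0, buflen);
    wr16(buf + 4, usa_ofs);
    wr16(buf + 6, usa_count);
    wr16(buf + usa_ofs, 0x1234);
    for (size_t i = 1; i < usa_count; i++) {
        wr16(buf + usa_ofs + 2 * i, (uint16_t)(0xA000 + i));
        if (NTFS_BLOCK_SIZE * i <= buflen)
            wr16(buf + NTFS_BLOCK_SIZE * i - 2, 0x1234);
    }
}
```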

Related news

RHSA-2023:2757: Red Hat Security Advisory: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update

An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46790: A vulnerability was found in NTFS-3G, specifically in the ntfsck utility. Incorrect validation of NTFS metadata can result in a heap-based buffer overflow when processing a crafted NTFS image file or partition. * CVE-2022-3165: An integer underflow issue was found in the QEMU VNC server while processing ClientCut...

RHSA-2023:2179: Red Hat Security Advisory: libguestfs-winsupport security update

An update for libguestfs-winsupport is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46790: A vulnerability was found in NTFS-3G, specifically in the ntfsck utility. Incorrect validation of NTFS metadata can result in a heap-based buffer overflow when processing a crafted NTFS image file or partition. * CVE-2022-30784: A vulnerability was found in NTFS-3G. Incorrect validation of NTFS metadata can result in a heap exhausti...

CVE-2022-38701: en/security-disclosure/2022/2022-09.md · OpenHarmony/security - Gitee.com

OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.

Ubuntu Security Notice USN-5463-1

Ubuntu Security Notice 5463-1 - It was discovered that NTFS-3G incorrectly handled the ntfsck tool. If a user or automated system were tricked into using ntfsck on a specially crafted disk image, a remote attacker could possibly use this issue to execute arbitrary code. Roman Fiedler discovered that NTFS-3G incorrectly handled certain return codes. A local attacker could possibly use this issue to intercept protocol traffic between FUSE and the kernel.

Ubuntu Security Notice USN-5452-1

Ubuntu Security Notice 5452-1 - It was discovered that NTFS-3G was incorrectly validating NTFS metadata in its ntfsck tool by not performing boundary checks. A local attacker could possibly use this issue to cause a denial of service or to execute arbitrary code.

CVE-2022-30789

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array in NTFS-3G through 2021.8.22.