| Patrick Williams | ac13d5f | 2023-11-24 18:59:46 -0600 | [diff] [blame] | 1 | From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001 |
| 2 | From: Maxim Suhanov <dfirblog@...> |
| 3 | Date: Mon, 28 Aug 2023 16:32:33 +0300 |
| 4 | Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA |
| 5 | attribute |
| 6 | |
| 7 | When reading a file containing resident data, i.e., the file data is stored in |
| 8 | the $DATA attribute within the NTFS file record, not in external clusters, |
| 9 | there are no checks that this resident data actually fits the corresponding |
| 10 | file record segment. |
| 11 | |
| 12 | When parsing a specially-crafted file system image, the current NTFS code will |
| 13 | read the file data from an arbitrary, attacker-chosen memory offset and of |
| 14 | arbitrary, attacker-chosen length. |
| 15 | |
| 16 | This allows an attacker to display arbitrary chunks of memory, which could |
| 17 | contain sensitive information like password hashes or even plain-text, |
| 18 | obfuscated passwords from BS EFI variables. |
| 19 | |
| 20 | This fix implements a check to ensure that resident data is read from the |
| 21 | corresponding file record segment only. |
| 22 | |
| 23 | Fixes: CVE-2023-4693 |
| 24 | |
| 25 | Upstream-Status: Backport from |
| 26 | [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94] |
| 27 | CVE: CVE-2023-4693 |
| 28 | |
| 29 | Reported-by: Maxim Suhanov <dfirblog@...> |
| 30 | Signed-off-by: Maxim Suhanov <dfirblog@...> |
| 31 | Reviewed-by: Daniel Kiper <daniel.kiper@...> |
| 32 | Signed-off-by: Xiangyu Chen <xiangyu.chen@...> |
| 33 | --- |
| 34 | grub-core/fs/ntfs.c | 13 ++++++++++++- |
| 35 | 1 file changed, 12 insertions(+), 1 deletion(-) |
| 36 | |
| 37 | diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c |
| 38 | index c3c4db1..a68e173 100644 |
| 39 | --- a/grub-core/fs/ntfs.c |
| 40 | +++ b/grub-core/fs/ntfs.c |
| 41 | @@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest, |
| 42 | { |
| 43 | if (ofs + len > u32at (pa, 0x10)) |
| 44 | return grub_error (GRUB_ERR_BAD_FS, "read out of range"); |
| 45 | - grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len); |
| 46 | + |
| 47 | + if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) |
| 48 | + return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large"); |
| 49 | + |
| 50 | + if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) |
| 51 | + return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); |
| 52 | + |
| 53 | + if (u16at (pa, 0x14) + u32at (pa, 0x10) > |
| 54 | + (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa) |
| 55 | + return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); |
| 56 | + |
| 57 | + grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len); |
| 58 | return 0; |
| 59 | } |
| 60 | |
| 61 | -- |
| 62 | cgit v1.1 |
| 63 | |