Commit Graph

5162 Commits (9adc98352da188a19a7a15f88845cf60b9b3ae60)

Author SHA1 Message Date
safocl 9adc98352d fix: use of uninitialized memory
int selected[NPAT];
[...]
fill_buffer([...], selected);
->[...]
if (pat_no % npasses == 0) {
    for (i = 0; i < NPAT; i++) {
	selected[i] = 0;
    }
} -> false
[...]
if (selected[i] == 0) // access to uninitialized memory!!!
2025-01-30 04:33:00 +04:00
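The control flow quoted in this message, as an added example that is not ntfsprogs code: a self-contained model of per-pass pattern selection in which the per-cycle reset is kept and the caller's selected[] array is explicitly zero-initialised, so the flag array is never read before it is written. NPAT, pick_pattern, select_sequence and the deterministic stand-in for the random source are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NPAT 4   /* hypothetical number of wipe patterns */

/* Deterministic stand-in for the random source a wipe tool would use. */
struct prng { unsigned counter; };
static unsigned prng_next(struct prng *p, unsigned n) { return p->counter++ % n; }

/* Choose the pattern for pass 'pat_no'. Within one cycle of 'npasses'
 * passes every pattern is used at most once; selected[i] != 0 marks
 * pattern i as already used in the current cycle.
 * The bug in the message above: selected[] was zeroed only when
 * pat_no % npasses == 0, so a first call on any other pass read the
 * caller's uninitialised stack. Here the reset is kept, and the caller
 * is required to hand in a zero-initialised array (see select_sequence). */
static int pick_pattern(unsigned pat_no, unsigned npasses, int selected[NPAT],
                        struct prng *rng)
{
    unsigned i, n_free = 0, k;

    if (npasses == 0 || npasses > NPAT)
        return -1;                     /* cannot cycle more passes than patterns */
    if (pat_no % npasses == 0)
        memset(selected, 0, NPAT * sizeof(selected[0]));   /* new cycle */

    for (i = 0; i < NPAT; i++)
        if (selected[i] == 0)          /* safe: every element is initialised */
            n_free++;
    if (n_free == 0)
        return -1;

    k = prng_next(rng, n_free);        /* pick the k-th unused pattern */
    for (i = 0; i < NPAT; i++) {
        if (selected[i] != 0)
            continue;
        if (k == 0) {
            selected[i] = 1;
            return (int)i;
        }
        k--;
    }
    return -1;
}

/* Drive 'count' passes starting at pass 'first', writing the chosen
 * pattern numbers to out[]. Returns 0, or -1 if a pass could not be served. */
static int select_sequence(unsigned first, unsigned count, unsigned npasses, int *out)
{
    int selected[NPAT] = {0};          /* the fix: never read before written */
    struct prng rng = {0};
    unsigned p;

    for (p = 0; p < count; p++) {
        out[p] = pick_pattern(first + p, npasses, selected, &rng);
        if (out[p] < 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    int out[4];
    unsigned i;

    if (select_sequence(2, 4, 4, out) == 0)   /* deliberately starts mid-cycle */
        for (i = 0; i < 4; i++)
            printf("pass %u -> pattern %d\n", 2 + i, out[i]);
    return 0;
}
```

Starting at pass 2 is the case the original code got wrong: no reset happens on that call, so correctness depends entirely on the array having been initialised by its owner. Building with -fsanitize=memory or running under valgrind would flag the original read; with the array initialised at its declaration there is nothing to flag.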
Erik Larsson 75dcdc2cf3 unistr.c: Fix use-after-free in 'ntfs_uppercase_mbs'.
If 'utf8_to_unicode' throws an error due to an invalid UTF-8 sequence,
then 'n' will be less than 0 and the loop will terminate without storing
anything in '*t'. After the loop the uppercase string's allocation is
freed, however after it is freed it is unconditionally accessed through
'*t', which points into the freed allocation, for the purpose of NULL-
terminating the string. This leads to a use-after-free.
Fixed by only NULL-terminating the string when no error has been thrown.

Thanks to Jeffrey Bencteux for reporting this issue:
https://github.com/tuxera/ntfs-3g/issues/84
2023-06-13 17:47:15 +03:00
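The error path described in this message, as an added example that is not ntfs-3g's unistr.c: a simplified uppercase routine in the shape of the code before the fix, next to the corrected form that NUL-terminates only when the conversion loop finished cleanly. The two-byte-only UTF-8 codec, the ASCII-only upcase and the function names are assumptions made for the illustration; the real function uses the volume's upcase table.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode one UTF-8 sequence (ASCII and two-byte forms only, enough for the
 * demonstration). Returns bytes consumed, 0 at the terminating NUL, or -1
 * for an invalid sequence, mirroring the sign convention in the message. */
static int utf8_decode(unsigned *cp, const unsigned char *s)
{
    if (s[0] == 0) { *cp = 0; return 0; }
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0 && (s[1] & 0xC0) == 0x80) {
        *cp = ((unsigned)(s[0] & 0x1F) << 6) | (s[1] & 0x3F);
        return *cp >= 0x80 ? 2 : -1;           /* reject overlong forms */
    }
    return -1;
}

static int utf8_encode(unsigned cp, unsigned char *out)
{
    if (cp < 0x80) { out[0] = (unsigned char)cp; return 1; }
    out[0] = (unsigned char)(0xC0 | (cp >> 6));
    out[1] = (unsigned char)(0x80 | (cp & 0x3F));
    return 2;
}

/* Only ASCII letters are uppercased here; a real upcase table is assumed away. */
static unsigned upcase(unsigned cp)
{
    return cp < 0x80 ? (unsigned)toupper((int)cp) : cp;
}

/* Shape of the code before the fix: the terminating write happens after
 * the error path has freed 'upp', while 't' still points into it. */
static char *uppercase_mbs_buggy(const char *low)
{
    const unsigned char *s = (const unsigned char *)low;
    char *upp = malloc(2 * strlen(low) + 1);   /* 2-byte in, at most 2-byte out */
    char *t = upp;
    unsigned cp;
    int n;

    if (!upp)
        return NULL;
    do {
        n = utf8_decode(&cp, s);
        if (n > 0) {
            t += utf8_encode(upcase(cp), (unsigned char *)t);
            s += n;
        }
    } while (n > 0);
    if (n < 0) {
        free(upp);
        upp = NULL;
        errno = EILSEQ;
    }
    *t = 0;      /* use-after-free whenever n < 0 */
    return upp;
}

/* After the fix: NUL-terminate only when no error was raised. */
static char *uppercase_mbs_fixed(const char *low)
{
    const unsigned char *s = (const unsigned char *)low;
    char *upp = malloc(2 * strlen(low) + 1);
    char *t = upp;
    unsigned cp;
    int n;

    if (!upp)
        return NULL;
    do {
        n = utf8_decode(&cp, s);
        if (n > 0) {
            t += utf8_encode(upcase(cp), (unsigned char *)t);
            s += n;
        }
    } while (n > 0);
    if (n < 0) {
        free(upp);
        upp = NULL;
        errno = EILSEQ;
    } else {
        *t = 0;  /* 'upp' is still live here */
    }
    return upp;
}

int main(void)
{
    char *u = uppercase_mbs_fixed("caf\xc3\xa9");
    printf("%s\n", u ? u : "(invalid)");
    free(u);
    u = uppercase_mbs_fixed("abc\xff");
    printf("%s errno=%d\n", u ? u : "(invalid)", u ? 0 : errno);
    free(u);
    return 0;
}
```

Both versions behave identically on valid input; the difference only shows on an invalid sequence, where the buggy version writes one byte into freed memory. An AddressSanitizer build (-fsanitize=address) of the buggy function called with "abc\xff" reports heap-use-after-free at the `*t = 0` line, which is how a report like the one linked above is usually confirmed.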
Erik Larsson 6b3f096069 ntfsprogs/Makefile.am: Only install manpages for 'extras' when enabled.
We used to always install all the manpages, but some are specific to the
'extras' enabled with the configure option '--enable-extras'.
Fixed by only installing the 'extras' manpages when '--enable-extras' is
active.

Also since this commit touches the list of manpages a bit of cleanup was
done to make sure there's only one manpage per line (helps to minimize
diffs) and also that the manpages are sorted in alphabetical order in
ntfsprogs/Makefile.am to avoid future confusion.

Thanks to user 'opty77' for reporting this issue:
https://github.com/tuxera/ntfs-3g/issues/82
2023-05-28 08:21:34 +03:00
Erik Larsson 233658e5a1 attrib.c: Fix another instance of errno not being set on error. 2023-05-19 12:20:54 +03:00
Erik Larsson 1565b01e21 mft.c: Fix broken free MFT records accounting during bitmap extension.
When the bitmap needs extending, 'vol->free_mft_records' is incremented
by 8*8=64 records. This is due to the bitmap's initialized area being
extended 8 bytes at a time.
However the way 'vol->free_mft_records' is being initialized is that all
the bits that are currently allocated to the MFT bitmap are already
taken into account at initialization time. This leads to a value for
'vol->free_mft_records' that is larger than the actual available number
of MFT records.

For example if there are 20 used MFT records and the bitmap has a 4096
byte allocation where 16 bytes are initialized, the number of free MFT
records are ((8 * 16) - 20) + (8 * (4096 - 16)) = 32748 records
available.
If we now expand the bitmap by 8 initialized bytes, we'd be adding 64
MFT entries according to the logic in the function
'ntfs_mft_bitmap_extend_initialized'.
However we are expanding it within the bounds of the existing allocation
where there is (4096 - 16) bytes free, so they shouldn't be added at all
at this stage.

The result is that our internal accounting is that we have 32748 + 64 =
32812 available MFT records, but in reality we will have 32748 records
available all the time until we expand the allocation beyond 4096 bytes.

Fixed by incrementing 'vol->free_mft_records' when the allocation is
expanded, not when the initialized size is.
2023-05-09 11:25:10 +03:00
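The arithmetic in this message carried through in code, as an added example that is not ntfs-3g's mft.c: a toy model of the $MFT bitmap with the mount-time formula, the old increment on initialised-size extension, the corrected behaviour, and a ground-truth recount to compare the cached value against. The struct and function names are assumptions made for the illustration; the figures (4096-byte allocation, 16 initialised bytes, 20 used records) are the ones from the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of the $MFT bitmap: one bit per MFT record. */
struct mft_bitmap {
    int64_t allocated_size;    /* bytes reserved on disk for the bitmap */
    int64_t initialized_size;  /* bytes whose contents are valid so far */
    int64_t used_records;      /* bits currently set */
    int64_t free_mft_records;  /* cached count, like vol->free_mft_records */
};

/* Mount-time initialisation as the message describes it: every bit of the
 * allocated bitmap, initialised or not, is counted as a potential record. */
static void bitmap_init(struct mft_bitmap *b, int64_t alloc, int64_t init, int64_t used)
{
    b->allocated_size = alloc;
    b->initialized_size = init;
    b->used_records = used;
    b->free_mft_records = (8 * init - used) + 8 * (alloc - init);
}

/* Ground truth recomputed from the model rather than from the cache. */
static int64_t actual_free_records(const struct mft_bitmap *b)
{
    return 8 * b->allocated_size - b->used_records;
}

static int accounting_consistent(const struct mft_bitmap *b)
{
    return b->free_mft_records == actual_free_records(b);
}

/* Before the fix: extending the initialised area by 8 bytes added 64 records
 * that the initialisation above had already counted. */
static void extend_initialized_buggy(struct mft_bitmap *b)
{
    b->initialized_size += 8;
    b->free_mft_records += 64;
}

/* After the fix: initialising more bytes within the allocation changes nothing. */
static void extend_initialized_fixed(struct mft_bitmap *b)
{
    b->initialized_size += 8;
}

/* Only growing the allocation makes new records available. */
static void extend_allocation(struct mft_bitmap *b, int64_t bytes)
{
    b->allocated_size += bytes;
    b->free_mft_records += 8 * bytes;
}

int main(void)
{
    struct mft_bitmap b;

    bitmap_init(&b, 4096, 16, 20);          /* the numbers from the message */
    printf("initial: cached %lld, actual %lld\n",
           (long long)b.free_mft_records, (long long)actual_free_records(&b));
    extend_initialized_buggy(&b);
    printf("buggy extend: cached %lld, actual %lld, consistent=%d\n",
           (long long)b.free_mft_records, (long long)actual_free_records(&b),
           accounting_consistent(&b));
    bitmap_init(&b, 4096, 16, 20);
    extend_initialized_fixed(&b);
    extend_allocation(&b, 4096);
    printf("fixed extend + allocation: cached %lld, consistent=%d\n",
           (long long)b.free_mft_records, accounting_consistent(&b));
    return 0;
}
```

The recount function is the useful part in practice: a cached free-record counter that drifts from a recount of the bitmap is exactly the kind of invariant violation worth asserting in a debug build, since the over-count here would let allocation proceed on the assumption of space that does not exist.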
Erik Larsson 241ddb3860 index.c: Fix crash when a reparse tag cannot be found in the index.
When 'remove_reparse_index', called by 'ntfs_delete_reparse_index',
fails to look up a reparse key in the index, it leaves the
'ntfs_index_context' without a populated 'INDEX_BLOCK *ib' field.

This causes 'remove_reparse_index' to fail but the index entry is then
marked dirty unconditionally in 'ntfs_index_entry_mark_dirty', called by
'ntfs_delete_reparse_index', even though 'ib' may be NULL.

The following 'ntfs_index_ctx_put' call then starts to write out the
dirty 'INDEX_BLOCK', which causes a crash.

Fixed by only marking the index block dirty if it's non-NULL.

Thanks to Stephen Greenham <sg@solarisfire.com> for reporting this issue
and providing debug information.
2023-05-03 10:44:57 +02:00
Erik Larsson 01b9bddc0c attrib.c: Fix errno not being set on NULL character in attribute name.
This is an error condition as we jump to err_out, but there's no errno
value set to accompany it. Fixed by setting EIO.
2023-05-03 09:57:34 +02:00
Erik Larsson e73d481a76 mkntfs.c: Enable microsecond-precision volume creation time.
Previously the creation time was filled in with seconds (obtained using
time(NULL)) but the microsecond part was left zeroed. Fixed by using
gettimeofday when available.
2022-12-12 18:51:12 +02:00
Sam James 71ecccf279 configure.ac: fix bashism in fuse check
configure scripts need to be runnable with a POSIX-compliant /bin/sh.

On many (but not all!) systems, /bin/sh is provided by Bash, so errors
like this aren't spotted. Notably Debian defaults to /bin/sh provided
by dash which doesn't tolerate such bashisms as '=='.

This retains compatibility with bash.

Fixes configure warnings/errors like:
```
checking Windows OS... no
./configure: 13360: test: xinternal: unexpected operator
checking for pthread_create in -lpthread... yes
checking Solaris OS... no
```

Signed-off-by: Sam James <sam@gentoo.org>
2022-11-08 13:54:36 +02:00
Jean-Pierre André 78414d9361 Configured for version 2022.10.3 2022-10-03 11:10:36 +02:00
Jean-Pierre André 76c3a799a9 Avoided merging runlists with no runs
Runlists with no runs are tolerated though not expected. However merging
such runlists is problematic as there is no significant vcn to examine.
So avoid merging them, and just return the other runlist.
2022-09-14 08:31:31 +02:00
Jean-Pierre André 18bfc67611 Rejected zero-sized runs
A zero-size run is the universal way to identify the end of a runlist,
so we must reject zero-sized runs when decompressing a runlist. A
zero-size data run is an error, and a zero-size hole is simply ignored.
2022-09-14 08:29:58 +02:00
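A runlist decoder applying the rule in this message, as an added example that is not ntfs-3g's ntfs_mapping_pairs_decompress(): it parses the NTFS mapping-pairs encoding (header byte with length-size and LCN-delta-size nibbles, little-endian length, sign-extended relative LCN, zero header byte as terminator), rejects a zero-sized data run with EIO, silently drops a zero-sized hole, and also bounds-checks every pair against the buffer. The struct run layout, LCN_HOLE value and MAX_RUNS are assumptions made for the illustration; the sample byte strings in main() are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LCN_HOLE  (-1)     /* marker for a sparse run, like ntfs-3g's LCN_HOLE */
#define MAX_RUNS  16

struct run { int64_t vcn, lcn, length; };

/* Decode NTFS mapping pairs into a runlist. Each pair starts with a header
 * byte: low nibble = byte count of the run length, high nibble = byte count
 * of the signed, relative LCN delta (0 means a sparse hole); a zero header
 * byte terminates the list. Returns the run count, or -1 with errno set. */
static int decode_runlist(const uint8_t *mp, size_t mp_len, struct run *out, int max_runs)
{
    size_t pos = 0;
    int64_t vcn = 0, lcn = 0;
    int nruns = 0;

    while (pos < mp_len && mp[pos] != 0) {
        unsigned len_size = mp[pos] & 0x0F, lcn_size = mp[pos] >> 4, i;
        uint64_t ulen = 0, ulcn = 0, next_lcn;

        if (len_size == 0 || len_size > 8 || lcn_size > 8 ||
            pos + 1 + len_size + lcn_size > mp_len) {
            errno = EIO;                     /* malformed or truncated pair */
            return -1;
        }
        pos++;
        for (i = 0; i < len_size; i++)
            ulen |= (uint64_t)mp[pos++] << (8 * i);
        for (i = 0; i < lcn_size; i++)
            ulcn |= (uint64_t)mp[pos++] << (8 * i);
        if (lcn_size && lcn_size < 8 && ((ulcn >> (8 * lcn_size - 1)) & 1))
            ulcn |= ~(uint64_t)0 << (8 * lcn_size);   /* sign-extend the delta */

        if (ulen == 0) {                     /* the rule from the message */
            if (lcn_size == 0)
                continue;                    /* zero-sized hole: ignored */
            errno = EIO;                     /* zero-sized data run: corrupt */
            return -1;
        }
        if (ulen > (uint64_t)(INT64_MAX - vcn)) {
            errno = EIO;                     /* VCN would overflow */
            return -1;
        }
        if (nruns == max_runs) {
            errno = ENOMEM;
            return -1;
        }
        out[nruns].vcn = vcn;
        out[nruns].length = (int64_t)ulen;
        if (lcn_size == 0) {
            out[nruns].lcn = LCN_HOLE;
        } else {
            /* Unsigned wrap puts a negative or overflowing LCN above INT64_MAX. */
            next_lcn = (uint64_t)lcn + ulcn;
            if (next_lcn > (uint64_t)INT64_MAX) {
                errno = EIO;
                return -1;
            }
            lcn = (int64_t)next_lcn;
            out[nruns].lcn = lcn;
        }
        vcn += (int64_t)ulen;
        nruns++;
    }
    if (pos >= mp_len) {
        errno = EIO;                         /* no terminating zero byte */
        return -1;
    }
    return nruns;
}

int main(void)
{
    /* Constructed: 8 clusters at LCN 32, a 4-cluster hole, 3 clusters at LCN 16. */
    const uint8_t good[] = {0x11, 0x08, 0x20, 0x01, 0x04, 0x11, 0x03, 0xF0, 0x00};
    struct run r[MAX_RUNS];
    int n = decode_runlist(good, sizeof good, r, MAX_RUNS), i;

    for (i = 0; i < n; i++)
        printf("vcn %lld lcn %lld len %lld\n", (long long)r[i].vcn,
               (long long)r[i].lcn, (long long)r[i].length);
    return 0;
}
```

Note that the first zero-length pair in the "zero hole" case is skipped before any run is emitted, so the decoded list never contains an entry of length 0 that later code could mistake for the terminator, which is the confusion the message is guarding against.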
Jean-Pierre André 875a1d4e90 Configured for version 2022.5.17
This is a security release. The soname is unchanged as no API has changed.
2022-05-17 08:34:26 +02:00
Jean-Pierre André fb28eef6f1 Hardened the checking of directory offset requested by a readdir
When asked for the next directory entries, make sure the chunk offset
is within valid values, otherwise return no more entries in chunk.
2022-05-10 10:48:18 +02:00
Jean-Pierre André 7f81935f32 Returned an error code when the --help or --version options are used
Accepting --help or --version options may leave the ntfs-3g process in an
unclean state, so reject them while processing options. Also reject
them in libfuse-lite.
2022-05-10 10:44:34 +02:00
Jean-Pierre André bce5734a75 Fixed operation on little endian data
Forcing an even usa_of, in a recent security patch, must be made on cpu
endian data.
2022-05-10 10:40:17 +02:00
Jean-Pierre André 96412e28e5 Fixed possible out-of-buffer condition in ntfsck
A bad usa_count could lead to an out-of-buffer condition. Just avoid
the issue and report the error, still not fix it.
2022-05-10 10:30:24 +02:00
Jean-Pierre André 5ce8941bf4 Made sure there is no null character in an attribute name (bis)
When copying an attribute name which contains a null, it is truncated
and this may lead to accessing non-allocated bytes when relying on the
expected name length. Such (illegal) names must therefore be rejected.
2021-11-05 08:41:20 +01:00
Jean-Pierre André 6efc1305c1 Made sure the client log data does not overflow from restart page
Strengthen the consistency check of the length of restart pages, and
check that log client records are within such a restart page.
2021-10-20 09:53:28 +02:00
Jean-Pierre André 60717a846d Avoided allocating and reading an attribute beyond its full size
Before reading a full attribute value for internal use, its expected
length has been checked to be < 0x40000. However the allocated size
in the runlist may be much bigger as a consequence of a bug or malice.
To prevent malloc'ing excessive size, restrict the size of the last
run to read to the needed length.
2021-09-21 10:56:06 +02:00
Jean-Pierre André 838b6e35b4 Made sure there is no null character in an attribute name
When copying an attribute name which contains a null, it is truncated
and this may lead to accessing non-allocated bytes when relying on the
expected name length. Such names must therefore be rejected.
2021-09-21 10:54:50 +02:00
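The check described in this message and in its "bis" follow-up above (5ce8941bf4), as an added example that is not ntfs-3g's attrib.c: before an attribute name is copied out of an MFT record, verify that it lies entirely within the record and that none of its UTF-16LE code units is NUL, then duplicate it using the declared length rather than scanning for a terminator. The function names, the sample record and the choice of EIO (the errno the attrib.c commit above settled on) are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t ntfschar;   /* one UTF-16LE code unit, like ntfs-3g's ntfschar */

/* Read the i-th code unit of a little-endian name without alignment or
 * host-endianness assumptions. */
static ntfschar name_unit(const uint8_t *record, size_t name_off, unsigned i)
{
    return (ntfschar)(record[name_off + 2 * i] | (record[name_off + 2 * i + 1] << 8));
}

/* Accept an attribute name only if it lies entirely inside the record and
 * contains no NUL code unit. Returns 1 if valid, 0 otherwise. */
static int attr_name_valid(const uint8_t *record, size_t record_len,
                           size_t name_off, unsigned name_len)
{
    unsigned i;

    if (name_len == 0)
        return 1;                          /* unnamed attribute */
    if (name_off > record_len ||
        name_len > (record_len - name_off) / sizeof(ntfschar))
        return 0;                          /* name runs past the record */
    for (i = 0; i < name_len; i++)
        if (name_unit(record, name_off, i) == 0)
            return 0;                      /* embedded NUL: a copy would truncate */
    return 1;
}

/* Duplicate the name as a NUL-terminated UTF-16 string of exactly name_len
 * units, or fail with EIO. Because the name was validated, the caller may
 * rely on name_len and on the terminator interchangeably. */
static ntfschar *attr_name_dup(const uint8_t *record, size_t record_len,
                               size_t name_off, unsigned name_len)
{
    ntfschar *copy;
    unsigned i;

    if (!attr_name_valid(record, record_len, name_off, name_len)) {
        errno = EIO;
        return NULL;
    }
    copy = malloc(((size_t)name_len + 1) * sizeof(ntfschar));
    if (!copy)
        return NULL;
    for (i = 0; i < name_len; i++)
        copy[i] = name_unit(record, name_off, i);
    copy[name_len] = 0;
    return copy;
}

int main(void)
{
    /* Constructed 12-byte record: UTF-16LE "ab", a NUL unit, then "c" at offset 4. */
    const uint8_t rec[] = {0, 0, 0, 0, 'a', 0, 'b', 0, 0, 0, 'c', 0};
    ntfschar *n = attr_name_dup(rec, sizeof rec, 4, 2);

    printf("len 2: %s\n", n ? "ok" : "rejected");
    free(n);
    n = attr_name_dup(rec, sizeof rec, 4, 4);
    printf("len 4: %s (errno %d)\n", n ? "ok" : "rejected", n ? 0 : errno);
    free(n);
    return 0;
}
```

The hazard the message describes arises when a NUL-terminating copy stops early but later code indexes the copy by the declared length; validating first removes the disagreement between the two length notions rather than patching each consumer.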
Jean-Pierre André a8818cf779 Used a default usn when the former one cannot be retrieved
When creating a new MFT record, the former seq_no and usn are retrieved
to avoid the new one being mistaken for the former one.
This may not be possible when the record is used for the first time
or after some bad error. In such situation use default values.
2021-09-21 10:53:16 +02:00
Jean-Pierre André 92b9fbc6fe Updated the urls present in the ntfsprogs manuals
The urls now point at Github
2021-08-30 10:42:14 +02:00
Jean-Pierre André 399ba862c9 Updated the urls present in ntfs-3g code
The urls now point at Github
2021-08-30 09:27:33 +02:00
Jean-Pierre André 84739d9e4d Updated the ntfs-3g manual
Reordered the options alphabetically and updated the urls.
2021-08-30 09:20:48 +02:00
Jean-Pierre André 88c4a19c5a Updated the README
Added a recommendation to use ntfs-3g packaged by a distribution, and
inserted a link to the Wiki.
2021-08-25 08:50:03 +02:00
Jean-Pierre André 31ac7e4f0f Configured for version 2021.8.22 2021-08-22 17:05:00 +02:00
Jean-Pierre André a213e6352b Defined Github as the host for documentation
Documentation and support is now on github.com/tuxera
2021-08-22 17:01:39 +02:00
Jean-Pierre André 21b49600ea Configured for version 2021.8.14 2021-08-14 08:44:08 +02:00
Jean-Pierre André 1261e6b60a Fixed the detection of the end of attribute list
The recent detection of a truncated attribute list entry overlooked the
normal detection of the end of list. Moreover the check for name
overflow is to be done later and not needed at this stage.
2021-07-26 08:49:45 +02:00
Jean-Pierre André a337c4c1eb Renamed ntfs_index_entry_consistent() as ntfs_index_entry_inconsistent()
The original name was error prone when checking the condition.
2021-07-19 09:23:23 +02:00
Jean-Pierre André 45141516d7 Renamed ntfs_attr_consistent() as ntfs_attr_inconsistent()
The original name was error prone while checking the condition.
2021-07-19 09:23:23 +02:00
Jean-Pierre André bb4456d339 Redesigned the INDEX_ROOT consistency checks
By ordering the values from smallest to biggest, there is less chance
to be caught by an arithmetic overflow.
2021-07-19 09:23:23 +02:00
Jean-Pierre André 81725f6a54 Made sure the requested compression block size is supported
Compressed files can only be opened if NTFS version < 3.0, and
the only supported compression block size is 16 clusters long.
2021-07-19 09:23:23 +02:00
Jean-Pierre André 4462f82580 Reset the resident attribute offset when appending from none
When there is no resident attribute value, its offset is unsafe, so better
to recompute it when appending data.
2021-07-19 09:23:23 +02:00
Jean-Pierre André 0911ef206d Rejected negative data length in an attribute list
The negative data length of an attribute list is an indication of a
probable corruption and must be rejected.
2021-07-19 09:23:23 +02:00
Jean-Pierre André b95b4ba1a5 Rejected negative data length in readall()
The negative data length of an attribute is an indication of a probable
corruption and must be rejected.
2021-07-19 09:23:23 +02:00
Jean-Pierre André e70d10d848 Added a check of the minimal length of some attributes
The minimal lengths of STANDARD_ATTRIBUTE and OBJECT_ID were not
checked and could lead to out-of-buffer access.
2021-07-19 09:23:23 +02:00
Jean-Pierre André 2bf5077804 Checked consistency of index blocks
Improved existing consistency checks of index blocks and grouped them
into a specific function.
2021-07-19 09:23:23 +02:00
Jean-Pierre André 55e7326350 Avoided endless recursions when allocating the main bitmap
Allocating clusters to the main bitmap may imply updating the bitmap
itself within a cluster not yet allocated. This can turn into endless
recursions and has to be rejected. Currently the bitmap is assumed
to be fully allocated.
2021-07-19 09:23:23 +02:00
Jean-Pierre André 61134117c1 Fixed checking the end of attrdef data
Incomplete attribute definitions have to be rejected.
2021-07-19 09:23:23 +02:00
Jean-Pierre André f85ce6ff2e Skipped errors for bad free clusters before they are computed
The count of free clusters may be updated while mounting before it
has been initialized, which may lead to irrelevant error messages.
Moreover the count is not computed at all in some ntfsprogs utilities.
So set up a flag to avoid outputting irrelevant errors.
2021-07-19 09:23:23 +02:00
Jean-Pierre André 67f959df96 Fixed the computation of the end of index entry
The end of an index entry is related to its full length, not to the
length of the key. Added an error message in an overflow case.
2021-07-12 08:31:18 +02:00
Jean-Pierre André 5c002438f2 Checked that indexes do not exceed the index block size
Make sure the used part of an index block fits into the allocated buffer.
Note : a negative size may cause overflow on 32-bit cpus.
(contributed by Rakesh Pandit)
2021-07-12 08:31:18 +02:00
Jean-Pierre André 20d700841b Shown in log the inode of directory read error
The unreadable directory record was poorly identified.
2021-07-12 08:31:18 +02:00
Jean-Pierre André f30b52490f Restricted the attribute definition table size to 24 bits
The standard size is 2560 bytes. It can be extended for specific purposes,
but its former limit to 32 bits was unreasonable. Anyway ntfs-3g is
not committed to support non-standard situations.
2021-07-12 08:31:18 +02:00
Jean-Pierre André af1bc0f5ec Hardened the check of locations of MFT and MFTMirr
The MFT and MFTMirr may not be negative or overlap the boot sector.
2021-07-12 08:31:18 +02:00
Jean-Pierre André 7f45544ed7 Added and grouped generic attribute checks
Checked that attributes are [non-]resident when they have to be, and
grouped consistency checks on each of them in a dedicated function.
Consequently request the checks where needed and remove existing index
checks.
2021-07-12 08:31:18 +02:00
Jean-Pierre André 436fe09f87 Checked consistency of index entries
Make sure the data and key in indexes do not overflow from index entries.
2021-07-12 08:31:18 +02:00
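The consistency checks described in this message, in 5c002438f2 above (used part of an index block fitting its buffer, with the overflow caveat) and in bb4456d339 (ordering the INDEX_ROOT values from smallest to biggest), as one added example that is not ntfs-3g's index.c: a naive check that adds two on-disk 32-bit values and can wrap, beside the ordered form that compares one boundary at a time, plus an entry check that keeps key and sub-node VCN inside the entry. The struct layouts follow the NTFS INDEX_HEADER and INDEX_ENTRY fields but assume host byte order; the function names and the sample values in main() are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* On-disk INDEX_HEADER fields (little-endian in NTFS; host order assumed here). */
struct index_header {
    uint32_t entries_offset;   /* first INDEX_ENTRY, relative to this header */
    uint32_t index_length;     /* bytes in use: header plus entries */
    uint32_t allocated_size;   /* bytes available for the index */
    uint8_t  flags;
    uint8_t  reserved[3];
};

/* Leading fields of an INDEX_ENTRY. */
struct index_entry {
    uint64_t indexed_file;
    uint16_t length;           /* whole entry, including key and any sub-node VCN */
    uint16_t key_length;
    uint16_t flags;            /* INDEX_ENTRY_NODE: an 8-byte VCN trails the entry */
    uint16_t reserved;
};
#define INDEX_ENTRY_NODE 1

/* The pattern the 2021 fixes move away from: a sum of two attacker-controlled
 * 32-bit values is compared with the limit, so a huge offset wraps the sum
 * back into range and the check passes. */
static int index_header_ok_naive(const struct index_header *ih, uint32_t avail)
{
    return ih->entries_offset + ih->index_length <= avail;
}

/* Ordered form: smallest to biggest, one comparison at a time, no arithmetic.
 * 'avail' is the byte count from the header to the end of its container
 * (the attribute value for INDEX_ROOT, the block for INDEX_ALLOCATION). */
static int index_header_ok(const struct index_header *ih, uint32_t avail)
{
    if (ih->entries_offset < sizeof(struct index_header))
        return 0;                         /* entries would overlap the header */
    if (ih->entries_offset > ih->index_length)
        return 0;
    if (ih->index_length > ih->allocated_size)
        return 0;
    if (ih->allocated_size > avail)
        return 0;                         /* index exceeds its buffer */
    return 1;
}

/* An entry must fit in the bytes left before index_length, and its key must
 * fit inside the entry ahead of any trailing VCN. */
static int index_entry_ok(const struct index_entry *ie, uint32_t remaining)
{
    uint32_t fixed = sizeof(struct index_entry) +
                     ((ie->flags & INDEX_ENTRY_NODE) ? 8 : 0);

    if (ie->length < fixed)
        return 0;
    if (ie->length > remaining)
        return 0;
    if (ie->key_length > ie->length - fixed)
        return 0;                         /* key spills past the entry */
    return 1;
}

int main(void)
{
    /* Constructed: a sane header and one whose offset wraps the naive sum. */
    struct index_header good = {16, 48, 4080, 0, {0, 0, 0}};
    struct index_header wrap = {0xFFFFFFF0u, 0x20, 0x20, 0, {0, 0, 0}};
    struct index_entry leaf = {0, 32, 12, 0, 0};

    printf("good: naive=%d ordered=%d\n",
           index_header_ok_naive(&good, 4080), index_header_ok(&good, 4080));
    printf("wrap: naive=%d ordered=%d\n",
           index_header_ok_naive(&wrap, 4080), index_header_ok(&wrap, 4080));
    printf("leaf entry in 64 bytes: %d\n", index_entry_ok(&leaf, 64));
    return 0;
}
```

The wrap case is the 32-bit hazard 5c002438f2 notes: with unsigned fields the sum wraps, with signed fields it overflows, and either way a single combined comparison can accept an index that extends far beyond its buffer. Comparing each bound against the next larger one never computes a value that can exceed the operands' range.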
Jean-Pierre André 32e858a87a Aborted mounting when cannot access standard information of MFT
The standard information of the MFT must be its first attribute in the
base record. If it is not accessible initially, we end up searching it
in an extent before the MFT struct is ready for that.
2021-07-12 08:31:18 +02:00