path: root/package/system/fstools/patches/000-fix-ntfs-uuid.patch
blob: 578945353f66db7dc559853707df33bffc293c13 (plain)
From d05276dc1d6de119da518d62930b9a8ef55ef7e9 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Fri, 25 Oct 2019 10:48:47 +0000
Subject: [PATCH] libblkid-tiny: ntfs: fix use-after-free

The memory pointed to by ns can be reallocated when checking mft records

Fixes FS#2129

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
 libblkid-tiny/ntfs.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/libblkid-tiny/ntfs.c
+++ b/libblkid-tiny/ntfs.c
@@ -88,6 +88,7 @@ static int probe_ntfs(blkid_probe pr, co
 
 	uint32_t sectors_per_cluster, mft_record_size;
 	uint16_t sector_size;
+	uint64_t volume_serial;
 	uint64_t nr_clusters, off; //, attr_off;
 	unsigned char *buf_mft;
 
@@ -148,15 +149,16 @@ static int probe_ntfs(blkid_probe pr, co
 		return 1;
 
 
+	volume_serial = ns->volume_serial;
 	off = le64_to_cpu(ns->mft_cluster_location) * sector_size *
 		sectors_per_cluster;
 
 	DBG(LOWPROBE, ul_debug("NTFS: sector_size=%"PRIu16", mft_record_size=%"PRIu32", "
 			"sectors_per_cluster=%"PRIu32", nr_clusters=%"PRIu64" "
-			"cluster_offset=%"PRIu64"",
+			"cluster_offset=%"PRIu64", volume_serial=%"PRIu64"",
 			sector_size, mft_record_size,
 			sectors_per_cluster, nr_clusters,
-			off));
+			off, volume_serial));
 
 	buf_mft = blkid_probe_get_buffer(pr, off, mft_record_size);
 	if (!buf_mft)
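Review bot: The new `volume_serial = ns->volume_serial;` copy has no comment explaining why it must come before `blkid_probe_get_buffer()`, so a later cleanup could easily turn it back into a direct `ns->` read. I would add above it something like `/* ns points into a probe buffer that later blkid_probe_get_buffer() calls may reallocate; copy what is needed now */`. Separately, the debug message prints the raw on-disk value, while the UUID in the last hunk goes through `le64_to_cpu()`, so the two would disagree on a big-endian host; passing `le64_to_cpu(volume_serial)` in the `ul_debug` arguments would keep them consistent. The body of probe_ntfs starts and ends outside this hunk.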
@@ -207,9 +209,9 @@ static int probe_ntfs(blkid_probe pr, co
 #endif
 
 	blkid_probe_sprintf_uuid(pr,
-			(unsigned char *) &ns->volume_serial,
-			sizeof(ns->volume_serial),
-			"%016" PRIX64, le64_to_cpu(ns->volume_serial));
+			(unsigned char *) &volume_serial,
+			sizeof(volume_serial),
+			"%016" PRIX64, le64_to_cpu(volume_serial));
 	return 0;
 }
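Review bot: Only this one late use of `ns` is converted to the saved copy, and the code between the first `blkid_probe_get_buffer()` call and this point is not visible in the patch. Any other `ns->` dereference left in that stretch (including inside the `#if`-guarded region that ends just above) would read the same possibly-reallocated memory, so it is worth checking the rest of probe_ntfs for remaining uses. A short comment here such as `/* volume_serial is kept in on-disk (little-endian) order; convert only for formatting */` would also make clear why the raw bytes and the converted value are both passed.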