fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes

This fix introduces checks to ensure that bitmaps for directory indices
are never read beyond their actual sizes.

The lack of this check is a minor issue, likely not exploitable in any way.

Reported-by: Maxim Suhanov <dfirblog@gmail.com>
Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
index 2d78b96e19fb24658149607b1431f000bd9b82ae..bb70c89fb803c997c77842e184e21c30c44cef76 100644 (file)
--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
@@ -843,6 +843,25 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
 
          if (is_resident)
            {
+              if (bitmap_len > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+               {
+                 grub_error (GRUB_ERR_BAD_FS, "resident bitmap too large");
+                 goto done;
+               }
+
+              if (cur_pos >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+               {
+                 grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
+                 goto done;
+               }
+
+              if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) >
+                 (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos)
+               {
+                 grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
+                 goto done;
+               }
+
               grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14),
                            bitmap_len);
            }