From 7e5056f33bdfd867ce6f1a642f560fdf0b402c1e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Thomas=20Wei=C3=9Fschuh?=
Date: Tue, 26 Sep 2023 00:27:22 +0200
Subject: [PATCH] libblkid: (ntfs) validate that sector_size is a power of two
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
The NTFS prober reads data based off an offset of the sector size. If the sector size is unaligned and the read data is cached then other probers can read unaligned values. Sector sizes for NTFS actually only make sense as power-of-two so validate that and as a sideeffect avoid the unaligned reads. Also add the reproducer from OSS-Fuzz that found this issue.
Fixes #2509
Signed-off-by: Thomas Weißschuh
---
 libblkid/src/superblocks/ntfs.c | 2 +-
 .../test_blkid_fuzz_files/oss-fuzz-62691 | Bin 0 -> 16863 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-62691
diff --git a/libblkid/src/superblocks/ntfs.c b/libblkid/src/superblocks/ntfs.c
index 8309ea8ca9..ab8c9213b3 100644
--- a/libblkid/src/superblocks/ntfs.c
+++ b/libblkid/src/superblocks/ntfs.c
@@ -97,7 +97,7 @@ static int __probe_ntfs(blkid_probe pr, const struct blkid_idmag *mag, int save_
 */
 sector_size = le16_to_cpu(ns->bpb.sector_size);
- if (sector_size < 256 || sector_size > 4096)
+ if (sector_size < 256 || sector_size > 4096 || !is_power_of_2(sector_size))
 return 1;
 switch (ns->bpb.sectors_per_cluster) {
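Review bot: The added `!is_power_of_2(sector_size)` test in `__probe_ntfs` has no comment, so the reason for it (a non-power-of-two sector size produces unaligned read offsets, and the cached buffers can then be handed to other probers) is recorded only in the commit message. A short comment above the check, for example `/* must be a power of two: other values cause unaligned reads that end up in the shared buffer cache */`, would keep a later cleanup from relaxing the condition back to the plain range test. Going by the description, the check closes this one source of unaligned offsets rather than the cache behaviour itself, so other probers that derive read offsets from on-disk fields presumably deserve the same validation. The function starts and ends outside the hunk, so the later uses of `sector_size` cannot be checked from here.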
diff --git a/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-62691 b/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-62691 new file mode 100644 index 0000000000000000000000000000000000000000..9d10ae3cb07dab6d0a6723a80ac57dff666e172c GIT binary patch literal 16863 zc-rk-3s_WD9{=9~84)zrSK`+0kf^8uGb1XiArBco`5eF)5YkLganwXj7b8tUY0D&) z9whegv8HWA_S!5J&5}~L(l$-aAhCZ7XZ3v6oD5jRLK=AV6hj}r;p zVo(6|e4f2IVF%#+S$+sa$opkT(QT~fo0zad%$vlM(3#y-QqfLOEA&>s0cwL7T~AqC zB5&el%i+3ZcN!Wtmnt{WzLZ;zdQ@C=TaXHk#3d-P(rF%PD)51Na)(}V2kojWrA4J$ zV@N589B=rBkP?7J(#t z)oSPqkZad}5*L&in)|Z3EokCV(4l&!+)6p%Z?ivuvlJ zosAWUiw6i0i5qT9oJ;N25#J=gWqmB1uLUa)9^_D;e27ZWr4EQp zQq9X$&sZ4f25gx)APW0ui0^9K8}`z+f!8!}TM0Raqi?b>X(aU|HO3G%1w|4*Cl~8t zVpZb_9b)r@4QjkVdDMawdIJcdMY=JjM!OsbA!lNhWV3UP+$1VhS9|6KK1xH%g!>78ssZrV(P zq-$zff97xaStYecdOfZ_yd+5Z>Y3cdoxV=FuzuCTZie*!+YTP>`gmV>?1p9c;;T7& z(s;tWt09a$mXo1=@cr6#b*4woN1aMPz43_lLMR!r)9+|q?CGNLwVT4$rS2Jh&xx%c z-M{0Nc?Zr_yai-kU})svL0!+T zIG3MZF%7Do{PM}`yS1KAMP8r0DYD4pK>ColcSNJM)lbQus@KO7~U<8TS|0l6Ha1Iymt3f4Rxk-KJNKTz<|_oxQ!547mQ- z3q_5%`{N8Lm8ngRYbM2xsY9ktb==v*gvpnv5f&>Gtqk*B0Mqck6z>lxAE2-9%ERY8 zd``go(|4snw9*Zp#b*tj?&c;}1w*V4LDpo0m^e$jw;(@1Zzklab41p)sLmQzTe}AA z8sJ^LtMUGlysH7uDG*GcT=Chh`Q5<5l|~ZDHYKIejgTI)w@TSOdZ5jC=+k4L$lDi0 zd}Lx07O8#^a}v|fzhWa&!pq<5iT5th3b=#iJA#xqz{j8vEMa$ld(kbX3Z3=mfPPZF zncvU+m2hSyddf@$*Q`Z=oE)2sEE|ANql|0Z9$+ekxI9HX%hIe6%4>IYKZu;A{ZJy#WCy zPXq)=+Rcj}+hN%}@uG3Nlismcl}hk;)4|VvGHo%)nuMIPvVCP`WvNjy00yAq%x^A4 z0m&toNg8e*UZ5zF;XTcw;&6b$KAtEfOQE#1G;7W%4-XG+;IvFXzqwgRuNPMQErBDu zgCvg8|C%;Bb3i3=_m_87BK#|5a4gJ+5WJ8(ywJtoCgf)OyMs4XbvNPTR8n6l7@h{+ z@cg%e`wP^evLlA-H${r0V-v@f?0o$L-ttrn&<@jRwV@-_!+#=5$IcB=lr7QM$30*k zLx{?Q)0n$Mk7RvtvSENOKKd%Qu6t-Tc?w%4ia{xaG=>@s|Jslc&5I~6HQRgd5!^FZ z$pr|If(MC>oKA;!|6(mIVO}-xZf`|aL&*VDB;J*t)JrgeZ|vN60saA&tqK;@K%-4F zTpJqMW&Aidcc!o+ng=1@xp9uHa7!1@u?SkAk2;rQMe9sXOp@sti)KyBplrl3qck&< z?}>>=po$%d4s@5oQDXRn&18;+*B&hAKG?N)=iU-zo{@BtJSA(1cJgWn$>yHGFT+HlYFjs~4yVySHe|FL?0vOCLd$j#PPH^~;q%!)Ge;M{rJ 
zJvjQHun~Jo213w?VIi6jZRo*P0eIt$xAa6QrA7DKYWV@|5MLzVCE7K8h|I2LiFla|klqtd^$1m$cBOyLAlGQK}AG=z- zM32COWuMv`?3`AMnTmHtERoZSc#&SRSIgl7GyJI#H#&CUnafLBxFp$`bV(uva*~Tv z9-OcO*V_O17lbR#jeA#!@cG;A4Gp=|v!~o+AS!=#q z&|*ifc@L>JnJD5#GqMJ@L8sjvfy9nL;vXuInEG|6#T|jf+b@tvuko?e43l^OeHt-l zz|POwV6nI7v~OxJ{EGE#otFtv@8v_i%roQe3(CvOJr)wgxv5D3{PD4sYp4-|)DqgK zr*;X18)q0_T`ZZL=wRQ#x|P?S)}{7Gy+-w!s8v3%q+dGtXEUY$R|msfwE56Xu1Ip* zT&mn6d>)__J`ebOWl%Kylb%lZfx#Zp5Hae+jUfqYkI|;!>%*B{O3hMEFtT|2RHG5b zl5Mp^_BD$|1-jH2p7OR}Iw5&^G3XNJc`rBJpdK@y1WTV~DoRwME=*@gf$p~4Qdag^ znTQpRCKgBkY{IbS)4#mbk#>SG1=RoJ)Sfn!pip4w%R;Fu@05Ko4ZF?I@Zx72_U^Rq7^dGB3 zU&vaQT9K0SSEhx`m0~;D!_Z%}o_U1lF3y$V2`OcN*do0MV^?GD(tQdkFS+<~)#b|z z=ILh{jq7Jn`x6&n4Cs@`8FuY$JYLOfIg2@~1&H5-$icn|X&{FcwvK_lM@vjQiRleu zLhp*Ec9J{O*#^waq`dKsgncf8wn@)29N%;tpmiLewbub!$Jt89*-ER=R`&l9&sH2E z@MuMw*z-2BOMf%{a@!pgIFIpRQ)5|Fmk1Tm`mSmkVO3QfdZr!qj5~C|HI%zp&h}%E zp7{5AlX{hc?p89!_7#=524-=g@@n89LD3lPI;D}f+tdcNPqQ3YR^I(P+2y|{T3W)S z(f6!LtNQHa@0J961&$8(T5|be!-k0=+qo%+q7NQ=?psw-+E>xtW=AIv=>%lzxJA!w zDH*nkNtvH(jrA47PpS5Ayb+TwhwK z;bYPY3#)vRkHQo^`{bHw%T_Dktt|$boy+ka5Q|gzKrgw9Rt2{Nl`0Jl*r>n-^Mq5q z!PIz)OTOi6G2e=o1h!B6?~L96?EBZTcw>e;8q#z0N_}~`6!hZtOK_74EI&VgRX)We z{9Bvv1a;o))F-|z{W53InVyT1&0nv$7G<*h)OVZqt$@A@yyuVNL$`Ti=$1b_QUOuc zQhPO?_~RxpyQZEi3#?H%g}Zfv3H>nA`bRHu#3qwR4zVlgFx(xjIL0jDoNDilbT2m$ z`R|`ZSfeby?F8``GGYK{kiFsJ(t2vzw4P-yfPO6`%)xd>U_zosKNz*=xPG9+4Qq`; z;WBHq&ZDh_WdEIhY$Z6a((Iq&li#`kG0GK11q|oSZ=^qSaHhU{kF`=q5s-I_u(FwV z*wI6oG4plLrV?&q-24691;+zD6|(_7d%7Q8iZ@8J1R5 zoT+dP^yr%Px&dc<_ls-c8EeNLc7%+#dAfh6=b=xJ#e?SL&-=NTdc&I5eKYWr4X7{T z3_z~2(0FcdX?84TVuqTl>0KdGJ7VaF(10kSCJ9J=7E&CV1cuu}0??Yiz9!cz@B^U{ p#V`5-%7pgg^$u30zJ;u8&$=C2y+aiIPDMcn@3)Ef{|}c4