From: Andrew Hamilton Date: Sun, 1 Jun 2025 15:52:22 +0000 (-0500) Subject: fs/ntfs: Correct next_attribute validation X-Git-Tag: grub-2.14-rc1~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=000e48b42c7e41d0f75cb7c6d5bcc76f8df6311f;p=thirdparty%2Fgrub.git fs/ntfs: Correct next_attribute validation Improved ad-hoc fuzzing coverage revealed a possible access violation around line 342 of grub-core/fs/ntfs.c when accessing the attr_cur pointer due to the possibility of moving pointer "next" beyond the end of the valid buffer inside next_attribute. Prevent this for cases where full attribute validation is not performed (such as on attribute lists) by performing a sanity check on the newly calculated next pointer. Fixes: 06914b614 (fs/ntfs: Correct attribute vs attribute list validation) Signed-off-by: Andrew Hamilton Reviewed-by: Daniel Kiper --- diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c index 5b0a18f3d..bb3cec4e6 100644 --- a/grub-core/fs/ntfs.c +++ b/grub-core/fs/ntfs.c @@ -233,7 +233,12 @@ next_attribute (grub_uint8_t *curr_attribute, void *end, bool validate) return NULL; next += u16at (curr_attribute, 4); - if (validate && validate_attribute (next, end) == false) + if (validate) + { + if (validate_attribute (next, end) == false) + return NULL; + } + else if (next >= (grub_uint8_t *) end) return NULL; return next;
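
Review bot: In the new else branch of next_attribute, `else if (next >= (grub_uint8_t *) end)` only proves that the first byte of the next attribute lies inside the buffer, while this same function reads `u16at (curr_attribute, 4)`, that is bytes 4 and 5 of whatever pointer it is handed. When validate is false and next lands within the last five bytes before end, the returned pointer passes this check but its length field still straddles end, unless a check above the hunk or in the caller already covers that case. Consider requiring room for the fields that are read without validation, for example by comparing the length against the remaining bytes, `(grub_uint8_t *) end - curr_attribute`, before advancing, which also avoids forming a pointer past end ahead of the comparison. A zero length leaves next equal to curr_attribute on this path as well, so it is worth confirming that the code above the hunk rejects it. A short comment stating why the unvalidated path (attribute lists, per the commit message) gets only this bound would help the next reader.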