From 0cf52fc4a03db3c59ad31bde4e9a28b5642086dc Mon Sep 17 00:00:00 2001 From: =?utf8?q?Thomas=20Wei=C3=9Fschuh?= Date: Tue, 26 Sep 2023 00:27:22 +0200 Subject: [PATCH] libblkid: (ntfs) validate that sector_size is a power of two MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The NTFS prober reads data based off an offset of the sector size. If the sector size is unaligned and the read data is cached then other probers can read unaligned values. Sector sizes for NTFS actually only make sense as power-of-two so validate that and as a side effect avoid the unaligned reads. Also add the reproducer from OSS-Fuzz that found this issue. Fixes #2509 Signed-off-by: Thomas Weißschuh --- libblkid/src/superblocks/ntfs.c | 2 +- .../test_blkid_fuzz_files/oss-fuzz-62691 | Bin 0 -> 16863 bytes 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-62691 diff --git a/libblkid/src/superblocks/ntfs.c b/libblkid/src/superblocks/ntfs.c index d0dbb60fa2..8ce557a113 100644 --- a/libblkid/src/superblocks/ntfs.c +++ b/libblkid/src/superblocks/ntfs.c @@ -97,7 +97,7 @@ static int __probe_ntfs(blkid_probe pr, const struct blkid_idmag *mag, int save_ */ sector_size = le16_to_cpu(ns->bpb.sector_size); - if (sector_size < 256 || sector_size > 4096) + if (sector_size < 256 || sector_size > 4096 || !is_power_of_2(sector_size)) return 1; switch (ns->bpb.sectors_per_cluster) { 
diff --git a/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-62691 b/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-62691 new file mode 100644 index 0000000000000000000000000000000000000000..9d10ae3cb07dab6d0a6723a80ac57dff666e172c GIT binary patch literal 16863
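
Review bot: In the `sector_size` check in `__probe_ntfs()`, the new `!is_power_of_2(sector_size)` term comes with no include change (the diffstat shows one insertion and one deletion in ntfs.c), so please confirm the helper is already declared through a header this file includes. Together with the existing bounds the condition now accepts only 256, 512, 1024, 2048 and 4096; a short comment at the check stating that, and that it also keeps the sector-size-based read offsets aligned for other probers that see the cached data (the reason given in the commit message), would keep a later cleanup from dropping the term as redundant. The range test is evaluated first, so a zero `sector_size` is rejected before `is_power_of_2()` is reached.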