* [PATCH 0/1] One More NTFS Fuzzing Fix
@ 2025-06-01 15:52 Andrew Hamilton
2025-06-01 15:52 ` [PATCH 1/1] fs/ntfs.c: Correct next_attribute validation Andrew Hamilton
2025-07-26 12:58 ` [PATCH 0/1] One More NTFS Fuzzing Fix Andrew Hamilton
0 siblings, 2 replies; 4+ messages in thread
From: Andrew Hamilton @ 2025-06-01 15:52 UTC (permalink / raw)
To: grub-devel; +Cc: daniel.kiper, Andrew Hamilton
I took one last pass at my attempts at ad-hoc fuzzing of NTFS
with the goal of improving coverage and letting the fuzzer run
for a while. After rebuilding afl++ to allow larger file inputs
that are more representative of real NTFS file systems, it was
uncovered that my last fix to address NTFS test regressions
left a possible access violation in find_attr.
This fixes the last remaining fuzzing issue uncovered.
Confirmed that NTFS test cases still pass.
Andrew Hamilton (1):
fs/ntfs.c: Correct possible access violation on next_attribute
grub-core/fs/ntfs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--
2.39.5
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/1] fs/ntfs.c: Correct next_attribute validation
2025-06-01 15:52 [PATCH 0/1] One More NTFS Fuzzing Fix Andrew Hamilton
@ 2025-06-01 15:52 ` Andrew Hamilton
2025-10-24 16:21 ` Daniel Kiper
2025-07-26 12:58 ` [PATCH 0/1] One More NTFS Fuzzing Fix Andrew Hamilton
1 sibling, 1 reply; 4+ messages in thread
From: Andrew Hamilton @ 2025-06-01 15:52 UTC (permalink / raw)
To: grub-devel; +Cc: daniel.kiper, Andrew Hamilton
Improved ad-hoc fuzzing coverage releaved a possible access violation
around line 342 of ntfs.c when accessing the attr_cur pointer due to
possiblity of moving pointer 'next' beyond of the end of the valid
buffer inside next_attribute. Prevent this for cases where full
attribute validation is not performed (such as on attribute lists)
by performing a sanity check on the newly calculated next pointer.
Fixes: 06914b614 (fs/ntfs: Correct attribute vs attribute list validation)
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
---
grub-core/fs/ntfs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
index 5b0a18f3d..9aff239c4 100644
--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
@@ -233,7 +233,12 @@ next_attribute (grub_uint8_t *curr_attribute, void *end, bool validate)
return NULL;
next += u16at (curr_attribute, 4);
- if (validate && validate_attribute (next, end) == false)
+ if (validate)
+ {
+ if (validate_attribute (next, end) == false)
+ return NULL;
+ }
+ else if (next >= (grub_uint8_t *)end)
return NULL;
return next;
--
2.39.5
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH 1/1] fs/ntfs.c: Correct next_attribute validation
2025-06-01 15:52 ` [PATCH 1/1] fs/ntfs.c: Correct next_attribute validation Andrew Hamilton
@ 2025-10-24 16:21 ` Daniel Kiper
0 siblings, 0 replies; 4+ messages in thread
From: Daniel Kiper @ 2025-10-24 16:21 UTC (permalink / raw)
To: Andrew Hamilton; +Cc: grub-devel
On Sun, Jun 01, 2025 at 10:52:22AM -0500, Andrew Hamilton wrote:
> Improved ad-hoc fuzzing coverage releaved a possible access violation
> around line 342 of ntfs.c when accessing the attr_cur pointer due to
> possiblity of moving pointer 'next' beyond of the end of the valid
> buffer inside next_attribute. Prevent this for cases where full
> attribute validation is not performed (such as on attribute lists)
> by performing a sanity check on the newly calculated next pointer.
>
> Fixes: 06914b614 (fs/ntfs: Correct attribute vs attribute list validation)
>
> Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Daniel
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 0/1] One More NTFS Fuzzing Fix
2025-06-01 15:52 [PATCH 0/1] One More NTFS Fuzzing Fix Andrew Hamilton
2025-06-01 15:52 ` [PATCH 1/1] fs/ntfs.c: Correct next_attribute validation Andrew Hamilton
@ 2025-07-26 12:58 ` Andrew Hamilton
1 sibling, 0 replies; 4+ messages in thread
From: Andrew Hamilton @ 2025-07-26 12:58 UTC (permalink / raw)
To: grub-devel; +Cc: daniel.kiper
[-- Attachment #1.1: Type: text/plain, Size: 853 bytes --]
Hello,
Just re-raising this for consideration.
Thank you,
Andrew
On Sun, Jun 1, 2025 at 10:52 AM Andrew Hamilton <adhamilt@gmail.com> wrote:
> I took one last pass at my attempts at ad-hoc fuzzing of NTFS
> with the goal of improving coverage and letting the fuzzer run
> for a while. After rebuilding afl++ to allow larger file inputs
> that are more representative of real NTFS file systems, it was
> uncovered that my last fix to address NTFS test regressions
> left a possible access violation in find_attr.
>
> This fixes the last remaining fuzzing issue uncovered.
>
> Confirmed that NTFS test cases still pass.
>
> Andrew Hamilton (1):
> fs/ntfs.c: Correct possible access violation on next_attribute
>
> grub-core/fs/ntfs.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> --
> 2.39.5
>
>
[-- Attachment #1.2: Type: text/html, Size: 1249 bytes --]
[-- Attachment #2: Type: text/plain, Size: 141 bytes --]
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-10-24 16:30 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-06-01 15:52 [PATCH 0/1] One More NTFS Fuzzing Fix Andrew Hamilton
2025-06-01 15:52 ` [PATCH 1/1] fs/ntfs.c: Correct next_attribute validation Andrew Hamilton
2025-10-24 16:21 ` Daniel Kiper
2025-07-26 12:58 ` [PATCH 0/1] One More NTFS Fuzzing Fix Andrew Hamilton
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.