* [PATCH 0/1] One More NTFS Fuzzing Fix
From: Andrew Hamilton @ 2025-06-01 15:52 UTC (permalink / raw)
To: grub-devel; +Cc: daniel.kiper, Andrew Hamilton
I took one last pass at my attempts at ad-hoc fuzzing of NTFS
with the goal of improving coverage and letting the fuzzer run
for a while. After rebuilding afl++ to allow larger file inputs
that are more representative of real NTFS file systems, it was
uncovered that my last fix to address NTFS test regressions
left a possible access violation in find_attr.
This fixes the last remaining fuzzing issue uncovered.
Confirmed that NTFS test cases still pass.
Andrew Hamilton (1):
fs/ntfs.c: Correct possible access violation on next_attribute
grub-core/fs/ntfs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--
2.39.5
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
From: Andrew Hamilton @ 2025-06-01 15:52 UTC (permalink / raw)
To: grub-devel; +Cc: daniel.kiper, Andrew Hamilton
Improved ad-hoc fuzzing coverage revealed a possible access violation
around line 342 of ntfs.c when accessing the attr_cur pointer due to
possibility of moving pointer 'next' beyond the end of the valid
buffer inside next_attribute. Prevent this for cases where full
attribute validation is not performed (such as on attribute lists)
by performing a sanity check on the newly calculated next pointer.
Fixes: 06914b614 (fs/ntfs: Correct attribute vs attribute list validation)
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
---
grub-core/fs/ntfs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
index 5b0a18f3d..9aff239c4 100644
--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
@@ -233,7 +233,12 @@ next_attribute (grub_uint8_t *curr_attribute, void *end, bool validate)
return NULL;
next += u16at (curr_attribute, 4);
- if (validate && validate_attribute (next, end) == false)
+ if (validate)
+ {
+ if (validate_attribute (next, end) == false)
+ return NULL;
+ }
+ else if (next >= (grub_uint8_t *)end)
return NULL;
return next;
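Review bot: the new `else if (next >= (grub_uint8_t *)end)` branch only guarantees that `next` itself is not past the buffer, not that a whole attribute header fits there; this same function reads the length with `u16at (curr_attribute, 4)`, so a `next` that lands a few bytes short of `end` still lets the following call (or the caller in find_attr) read fields past the buffer. Consider comparing the remaining size against the header length instead, e.g. `else if ((grub_uint8_t *) end - next < ATTR_HEADER_SIZE)` (placeholder name for whatever constant ntfs.c uses), or documenting that callers passing validate=false must bounds-check before touching fields at `next`. Minor: GNU style, as used by GRUB, puts a space after the cast: `(grub_uint8_t *) end`.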
--
2.39.5
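The commit message above describes the hazard in one sentence: a length field read from untrusted on-disk data is added to a pointer, and the result is used before anyone checks that it still lies inside the buffer. The following C program is an added example, not GRUB's code, that shows the defensive form of that walk on a constructed record layout modelled on the hunk's `u16at (curr_attribute, 4)` (4-byte type, 2-byte record length at offset 4, 2 bytes padding). All names (`next_attribute_checked`, `count_attributes`, `demo_with_first_len`, `ATTR_HDR_LEN`, `ATTR_END_MARKER`) and the sample buffer are hypothetical. Every bound is expressed as a remaining-size comparison, so no out-of-range pointer is ever formed, and a zero or too-short length is rejected so the walk cannot spin on one record.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed teaching layout (not GRUB's real NTFS parsing):
 * bytes 0-3 type, bytes 4-5 total record length, bytes 6-7 padding. */
#define ATTR_HDR_LEN    8u
#define ATTR_END_MARKER 0xFFFFFFFFu
#define SAMPLE_SIZE     28u

static uint32_t u32at (const uint8_t *p) { uint32_t v; memcpy (&v, p, 4); return v; }
static uint16_t u16at (const uint8_t *p) { uint16_t v; memcpy (&v, p, 2); return v; }

/* Advance to the next record, or return NULL if the current record's
 * header or body does not fit, or if the next header would not fit. */
static const uint8_t *
next_attribute_checked (const uint8_t *cur, const uint8_t *end)
{
  if (cur == NULL || end == NULL || cur > end)
    return NULL;
  if ((size_t) (end - cur) < ATTR_HDR_LEN)   /* header must fit before reading it */
    return NULL;
  uint16_t len = u16at (cur + 4);
  if (len < ATTR_HDR_LEN)                     /* zero/short length: overlap or no progress */
    return NULL;
  if ((size_t) (end - cur) < len)             /* whole record must lie inside the buffer */
    return NULL;
  const uint8_t *next = cur + len;
  if ((size_t) (end - next) < 4)              /* caller reads a 4-byte type at next */
    return NULL;
  return next;
}

struct walk_result { int count; bool truncated; };

/* Count records up to the end marker. truncated=true means a malformed
 * length or the buffer edge was hit before the marker was seen. */
static struct walk_result
count_attributes (const uint8_t *buf, size_t size)
{
  struct walk_result r = { 0, false };
  const uint8_t *cur = buf, *end = buf + size;
  for (;;)
    {
      if ((size_t) (end - cur) < 4)
        { r.truncated = true; return r; }
      if (u32at (cur) == ATTR_END_MARKER)
        return r;
      const uint8_t *next = next_attribute_checked (cur, end);
      if (next == NULL)
        { r.truncated = true; return r; }
      r.count++;
      cur = next;
    }
}

/* Write one header at dst (body stays zeroed); returns the record length. */
static size_t
put_attr (uint8_t *dst, uint32_t type, uint16_t len)
{
  memcpy (dst, &type, 4);
  memcpy (dst + 4, &len, 2);
  return len;
}

/* Constructed 28-byte sample: a 16-byte record, an 8-byte record, the marker.
 * first_len overwrites the first record's length field to simulate corruption. */
struct walk_result
demo_with_first_len (uint16_t first_len)
{
  uint8_t buf[SAMPLE_SIZE];
  size_t off = 0;
  uint32_t marker = ATTR_END_MARKER;
  memset (buf, 0, sizeof buf);
  off += put_attr (buf + off, 0x10, 16);
  off += put_attr (buf + off, 0x30, 8);
  memcpy (buf + off, &marker, 4);
  memcpy (buf + 4, &first_len, 2);          /* inject the length under test */
  return count_attributes (buf, SAMPLE_SIZE);
}

int
main (void)
{
  static const uint16_t cases[] = { 16, 64, 0, 20 };
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
    {
      struct walk_result r = demo_with_first_len (cases[i]);
      printf ("first_len=%2u -> %d records, truncated=%d\n",
              cases[i], r.count, r.truncated);
    }
  return 0;
}
```

With the correct length (16) the walk finds both records and stops at the marker; a length of 64 would have put `cur + len` 36 bytes past the buffer and is rejected before the pointer is ever computed; a length of 0 is rejected as non-advancing; a length of 20 is in range but misaligns the walk onto the middle of the second record, where the next length field happens to read as 0xFFFF and is rejected on the next step. The point for the patch above is the ordering: check that the header fits, then read the length, then check the record fits, and only then form `next`.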
* Re: [PATCH 0/1] One More NTFS Fuzzing Fix
From: Andrew Hamilton @ 2025-07-26 12:58 UTC (permalink / raw)
To: grub-devel; +Cc: daniel.kiper
Hello,
Just re-raising this for consideration.
Thank you,
Andrew
On Sun, Jun 1, 2025 at 10:52 AM Andrew Hamilton <adhamilt@gmail.com> wrote:
> I took one last pass at my attempts at ad-hoc fuzzing of NTFS
> with the goal of improving coverage and letting the fuzzer run
> for a while. After rebuilding afl++ to allow larger file inputs
> that are more representative of real NTFS file systems, it was
> uncovered that my last fix to address NTFS test regressions
> left a possible access violation in find_attr.
>
> This fixes the last remaining fuzzing issue uncovered.
>
> Confirmed that NTFS test cases still pass.
>
> Andrew Hamilton (1):
> fs/ntfs.c: Correct possible access violation on next_attribute
>
> grub-core/fs/ntfs.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> --
> 2.39.5
>
>
* Re: [PATCH 1/1] fs/ntfs.c: Correct next_attribute validation
From: Daniel Kiper @ 2025-10-24 16:21 UTC (permalink / raw)
To: Andrew Hamilton; +Cc: grub-devel
On Sun, Jun 01, 2025 at 10:52:22AM -0500, Andrew Hamilton wrote:
> Improved ad-hoc fuzzing coverage revealed a possible access violation
> around line 342 of ntfs.c when accessing the attr_cur pointer due to
> possibility of moving pointer 'next' beyond the end of the valid
> buffer inside next_attribute. Prevent this for cases where full
> attribute validation is not performed (such as on attribute lists)
> by performing a sanity check on the newly calculated next pointer.
>
> Fixes: 06914b614 (fs/ntfs: Correct attribute vs attribute list validation)
>
> Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Daniel