Hello.

I have found a vulnerability in the NTFS-3G driver, specifically in the ntfsck tool (see: ntfsprogs/ntfsck.c).

In the check_file_record function, the update sequence array is applied, but no proper boundary checks are implemented, so the function can write bytes from the update sequence array beyond the buffer being checked.

The vulnerable code is here:

usa_ofs = le16_to_cpu(mft_rec->usa_ofs);
usa_count = le16_to_cpu(mft_rec->usa_count);

[...]

// Remove update seq & check it.
usa = *(u16*)(buffer+usa_ofs); // The value that should be at the end of every sector.
assert_u32_equal(usa_count-1, buflen/NTFS_BLOCK_SIZE, "USA length");
for (i=1;i<usa_count;i++) {
    u16 *fixup = (u16*)(buffer+NTFS_BLOCK_SIZE*i-2); // the value at the end of the sector.
    u16 saved_val = *(u16*)(buffer+usa_ofs+2*i); // the actual data value that was saved in the us array.

    assert_u32_equal(*fixup, usa, "fixup");
    *fixup = saved_val; // remove it.
}

If buflen is 1024, but the update sequence array contains 4 entries (including the first one, which you call usa), the loop will replace bytes 3 times, at the following offsets: buffer+512*1−2 (within the buffer), buffer+512*2−2 (within the buffer), buffer+512*3−2 (beyond the allocated buffer size). (The offset of the first attribute should be set to make room for additional entries in the update sequence array, so the usa_ofs+usa_count <= attrs_offset check is passed.)

Thus, bytes beyond the allocated buffer can be replaced, this is a heap overflow.

It should be noted that the assert_u32_equal function just reports the errors, it doesn’t terminate the execution flow.

Since the ntfsck tool is used in some GNU/Linux distributions (it’s fsck.ntfs in Fedora), I strongly suggest implementing a fix.

Report date (to info at tuxera dot com): 2021-09-24. No reply.
Ping (to info at tuxera dot com): 2021-09-29. No reply.