Message-Id: <200707241059.l6OAx3cw053576@www.freebsd.org>
Date: Tue, 24 Jul 2007 10:59:03 GMT
From: Ighighi <ighighi@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH]: Bug in NTFS allows bogus file modes.
X-Send-Pr-Version: www-3.0

>Number:         114856
>Category:       kern
>Synopsis:       [ntfs] [patch] Bug in NTFS allows bogus file modes.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-fs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 24 11:00:10 GMT 2007
>Closed-Date:    Sat Jan 19 17:54:39 UTC 2008
>Last-Modified:  Sat Jan 19 17:54:39 UTC 2008
>Originator:     Ighighi
>Release:        6.2-STABLE
>Organization:
>Environment:
FreeBSD orion 6.2-STABLE FreeBSD 6.2-STABLE #0: Thu Jul 19 17:44:47 VET 2007     root@orion:/usr/obj/usr/src/sys/CUSTOM  i386
>Description:
There's a bug in the NTFS code that lets the user specify file mode bits other
than 0777 allowing for hijacking the file's type in strange ways.
>How-To-Repeat:
$ id
uid=501(ighighi) gid=501(ighighi) groups=501(ighighi),69(network)
$ sysctl vfs.usermount
vfs.usermount: 1
$ mkdir /tmp/mnt

$ /sbin/mount_ntfs -o ro -m 010555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
?rwxr-xr-x  1 ighighi  wheel  0 Apr 22  2009 /tmp/mnt
$ /sbin/umount /tmp/mnt

$ /sbin/mount_ntfs -o ro -m 020555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
brwxr-xr-x  1 ighighi  wheel    0,   0 Apr 22  2009 /tmp/mnt
$ /sbin/umount /tmp/mnt

$ /sbin/mount_ntfs -o ro -m 040555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
total 425220
srwxr-xr-x  1 ighighi  wheel       2560 Apr 22  2009 $AttrDef
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 $BadClus
srwxr-xr-x  1 ighighi  wheel     183248 Apr 22  2009 $Bitmap
srwxr-xr-x  1 ighighi  wheel       8192 Apr 26  2006 $Boot
drwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 $Extend
srwxr-xr-x  1 ighighi  wheel   32129024 Apr 26  2006 $LogFile
srwxr-xr-x  1 ighighi  wheel       4096 Apr 26  2006 $MFTMirr
srwxr-xr-x  1 ighighi  wheel          0 Apr 22  2009 $Secure
srwxr-xr-x  1 ighighi  wheel     131072 Apr 22  2009 $UpCase
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 $Volume
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 AUTOEXEC.BAT
srwxr-xr-x  1 ighighi  wheel       4952 Dec 22  2002 Bootfont.bin
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 CONFIG.SYS
drwxr-xr-x  1 ighighi  wheel          0 Jun 29  2006 Documents and Settings
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 IO.SYS
srwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 MSDOS.SYS
drwxr-xr-x  1 ighighi  wheel          0 Apr 27  2006 MSOCache
srwxr-xr-x  1 ighighi  wheel      47564 Aug  3  2004 NTDETECT.COM
drwxr-xr-x  1 ighighi  wheel          0 Jul  6  2006 RECYCLER
drwxr-xr-x  1 ighighi  wheel          0 Apr 26  2006 System Volume Information
drwxr-xr-x  1 ighighi  wheel          0 Feb  8 01:56 WINDOWS
srwxr-xr-x  1 ighighi  wheel        211 Apr 26  2006 boot.ini
drwxr-xr-x  1 ighighi  wheel          0 Dec 18  2006 cygwin
srwxr-xr-x  1 ighighi  wheel     250640 Aug  3  2004 ntldr
srwxr-xr-x  1 ighighi  wheel  402653184 Jul 22 23:56 pagefile.sys
drwxr-xr-x  1 ighighi  wheel          0 Dec 18  2006 rsyncd
$ /sbin/umount /tmp/mnt

$ /sbin/mount_ntfs -o ro -m 100555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
srwxr-xr-x  1 ighighi  wheel  0 Apr 22  2009 /tmp/mnt
$ /sbin/umount /tmp/mnt

$ /sbin/mount_ntfs -o ro -m 120555 /dev/ad0s1 /tmp/mnt/
$ /bin/ls -l /tmp/mnt
wrwxr-xr-x  1 ighighi  wheel  0 Apr 22  2009 /tmp/mnt
$ /sbin/umount /tmp/mnt


>Fix:
The attached patch performs the same masking as in sys/fs/msdosfs/msdosfs_vfsops.c.
It was successfully built and tested on 6.2-STABLE and known to patch against -CURRENT.

Maybe we should patch mount_ntfs(8) too to remind the user that "only the nine 
low-order bits of mask are used", just as mount_msdosfs(8) does...


Patch attached with submission follows:

--- src/sys/fs/ntfs/ntfs_vfsops.c.orig	2006-10-10 05:43:20.000000000 -0400
+++ src/sys/fs/ntfs/ntfs_vfsops.c	2007-07-24 06:28:22.368847737 -0400
@@ -42,6 +42,7 @@
 #include <sys/fcntl.h>
 #include <sys/malloc.h>
 #include <sys/systm.h>
+#include <sys/stat.h>	/* ACCESSPERMS */
 
 #include <geom/geom.h>
 #include <geom/geom_vfs.h>
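Review bot: the new #include <sys/stat.h> lands after <sys/systm.h>, which breaks the alphabetical order that the neighbouring <sys/fcntl.h>, <sys/malloc.h>, <sys/systm.h> lines follow. Moving it up between <sys/malloc.h> and <sys/systm.h> keeps the block sorted. The trailing /* ACCESSPERMS */ comment says why the header is pulled in and is worth keeping.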
@@ -318,7 +319,7 @@ ntfs_mountfs(devvp, mp, td)
 	if (1 == vfs_scanopt(mp->mnt_optnew, "gid", "%d", &v))
 		ntmp->ntm_gid = v;
 	if (1 == vfs_scanopt(mp->mnt_optnew, "mode", "%d", &v))
-		ntmp->ntm_mode = v;
+		ntmp->ntm_mode = v & ACCESSPERMS;
 	vfs_flagopt(mp->mnt_optnew,
 	    "caseins", &ntmp->ntm_flag, NTFS_MFLAG_CASEINS);
 	vfs_flagopt(mp->mnt_optnew,
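Review bot: the mask at "ntmp->ntm_mode = v & ACCESSPERMS;" silently drops every bit outside 0777, so a mount with -m 040555 still succeeds, with mode 0555 and no diagnostic to the caller. That closes the type-bit hole, but consider returning EINVAL when (v & ~ACCESSPERMS) is non-zero so a bad mask is reported rather than rewritten. If silent masking is kept for parity with msdosfs, the mount_ntfs(8) wording proposed in the description ("only the nine low-order bits of mask are used") should go in with this change so the behaviour is documented.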


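The type characters in the How-To-Repeat listings can be reproduced with a small model, added here as an example that is not part of the PR or of the FreeBSD source. It assumes st_mode is formed by OR-ing the vnode's type bits with the mount-wide mode, which is consistent with every listing above; the X_-prefixed names and the type_char()/stat_mode() helpers are hypothetical.

```c
#include <stdio.h>

/* File type bits with the values used in FreeBSD's <sys/stat.h>; renamed
 * with an X_ prefix (hypothetical names) so the example builds on any host. */
#define X_IFMT   0170000
#define X_IFIFO  0010000
#define X_IFCHR  0020000
#define X_IFDIR  0040000
#define X_IFBLK  0060000
#define X_IFREG  0100000
#define X_IFLNK  0120000
#define X_IFSOCK 0140000
#define X_IFWHT  0160000
#define X_ACCESSPERMS 0000777

/* Type character ls -l prints for a given st_mode. */
static char type_char(unsigned mode)
{
	switch (mode & X_IFMT) {
	case X_IFIFO:  return 'p';
	case X_IFCHR:  return 'c';
	case X_IFDIR:  return 'd';
	case X_IFBLK:  return 'b';
	case X_IFREG:  return '-';
	case X_IFLNK:  return 'l';
	case X_IFSOCK: return 's';
	case X_IFWHT:  return 'w';
	default:       return '?';
	}
}

/* Assumed model: st_mode = vnode type bits OR-ed with the mount-wide mode. */
static unsigned stat_mode(unsigned vtype_bits, unsigned mount_mode, int patched)
{
	if (patched)
		mount_mode &= X_ACCESSPERMS;	/* the masking the PR's patch adds */
	return vtype_bits | mount_mode;
}

int main(void)
{
	/* The -m values from How-To-Repeat, applied to the mounted root directory. */
	static const unsigned modes[] = { 010555, 020555, 040555, 0100555, 0120555 };
	for (size_t i = 0; i < sizeof(modes) / sizeof(modes[0]); i++)
		printf("-m %06o: unpatched '%c', patched '%c'\n", modes[i],
		    type_char(stat_mode(X_IFDIR, modes[i], 0)),
		    type_char(stat_mode(X_IFDIR, modes[i], 1)));
	return 0;
}
```

With the mask applied, the root directory reports 'd' for every -m value, and regular files under -m 040555 report '-' instead of 's'.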
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-fs 
Responsible-Changed-By: remko 
Responsible-Changed-When: Wed Jul 25 06:02:48 UTC 2007 
Responsible-Changed-Why:  
I think the FS list is a better place for this PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=114856 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/114856: commit references a PR
Date: Sat, 17 Nov 2007 17:05:09 +0000 (UTC)

 maxim       2007-11-17 17:05:01 UTC
 
   FreeBSD src repository
 
   Modified files:
     sbin/mount_ntfs      mount_ntfs.8 
     sys/fs/ntfs          ntfs_vfsops.c 
   Log:
   o Mask maximum file permissions we get from mount_ntfs -m
   with ACCESSPERMS.  Document in mount_ntfs(8) only the nine
   low-order bits of mask are used (taken from mount_msdosfs(8)).
   
   PR:             kern/114856
   Submitted by:   Ighighi
   MFC after:      1 month
   
   Revision  Changes    Path
   1.22      +4 -1      src/sbin/mount_ntfs/mount_ntfs.8
   1.90      +2 -1      src/sys/fs/ntfs/ntfs_vfsops.c
 
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Sat Jan 19 17:54:16 UTC 2008 
State-Changed-Why:  
Merged to RELENG_6 and RELENG_7. 

>Unformatted:
