* [PATCH] fs/ntfs3: Validate attribute data and valid sizes
  2022-10-04  3:15 ` Abdun Nihaal
  2022-11-12 18:09 ` Konstantin Komarov via Linux-kernel-mentees
  0 siblings, 1 reply; 2+ messages in thread

From: Abdun Nihaal @ 2022-10-04 3:15 UTC (permalink / raw)
To: almaz.alexandrovich
Cc: linux-kernel, syzbot+fa4648a5446460b7b963, ntfs3, linux-kernel-mentees

The data_size and valid_size fields of non-resident attributes should be
less than its alloc_size field, but this is not checked in the
ntfs_read_mft function.

Syzbot reports an allocation order warning due to a large unchecked value
of data_size getting assigned to inode->i_size, which is then passed to
kcalloc.

Add a sanity check to ensure that the data_size and valid_size fields
are not larger than the alloc_size field.

Link: https://syzkaller.appspot.com/bug?extid=fa4648a5446460b7b963
Reported-and-tested-by: syzbot+fa4648a5446460b7b963@syzkaller.appspotmail.com
Fixes: (82cae269cfa95) fs/ntfs3: Add initialization of super block
Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
---
 fs/ntfs3/inode.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index e9cf00d14733..9c244029be75 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -132,6 +132,13 @@ static struct inode *ntfs_read_mft(struct inode *inode,
 	if (le16_to_cpu(attr->name_off) + attr->name_len > asize)
 		goto out;
 
+	if (attr->non_res) {
+		t64 = le64_to_cpu(attr->nres.alloc_size);
+		if (le64_to_cpu(attr->nres.data_size) > t64 ||
+		    le64_to_cpu(attr->nres.valid_size) > t64)
+			goto out;
+	}
+
 	switch (attr->type) {
 	case ATTR_STD:
 		if (attr->non_res ||
-- 
2.37.3

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
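Review bot: the new `if (attr->non_res)` block bounds data_size and valid_size only by alloc_size, which is itself an unvalidated on-disk field, and it leaves the relation between the two unchecked; an on-disk NTFS attribute is only consistent when valid_size <= data_size <= alloc_size, so consider adding `le64_to_cpu(attr->nres.valid_size) > le64_to_cpu(attr->nres.data_size)` as a third condition in the same `if`, so that a crafted record with valid_size above data_size is rejected at the same point. Separately, the commit message says the two sizes "should be less than" alloc_size while the code rejects only `> t64` (equality is accepted); the wording in the message should match the code, i.e. "must not exceed alloc_size".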
* Re: [PATCH] fs/ntfs3: Validate attribute data and valid sizes
  2022-10-04  3:15 ` [PATCH] fs/ntfs3: Validate attribute data and valid sizes Abdun Nihaal
  2022-11-12 18:09 ` Konstantin Komarov via Linux-kernel-mentees
  0 siblings, 0 replies; 2+ messages in thread

From: Konstantin Komarov via Linux-kernel-mentees @ 2022-11-12 18:09 UTC (permalink / raw)
To: Abdun Nihaal
Cc: syzbot+fa4648a5446460b7b963, ntfs3, linux-kernel-mentees, linux-kernel

On 10/4/22 06:15, Abdun Nihaal wrote:
> The data_size and valid_size fields of non-resident attributes should be
> less than its alloc_size field, but this is not checked in the
> ntfs_read_mft function.
>
> Syzbot reports an allocation order warning due to a large unchecked value
> of data_size getting assigned to inode->i_size, which is then passed to
> kcalloc.
>
> Add a sanity check to ensure that the data_size and valid_size fields
> are not larger than the alloc_size field.
>
> Link: https://syzkaller.appspot.com/bug?extid=fa4648a5446460b7b963
> Reported-and-tested-by: syzbot+fa4648a5446460b7b963@syzkaller.appspotmail.com
> Fixes: (82cae269cfa95) fs/ntfs3: Add initialization of super block
> Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
> ---
>  fs/ntfs3/inode.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
> index e9cf00d14733..9c244029be75 100644
> --- a/fs/ntfs3/inode.c
> +++ b/fs/ntfs3/inode.c
> @@ -132,6 +132,13 @@ static struct inode *ntfs_read_mft(struct inode *inode,
>  	if (le16_to_cpu(attr->name_off) + attr->name_len > asize)
>  		goto out;
>  
> +	if (attr->non_res) {
> +		t64 = le64_to_cpu(attr->nres.alloc_size);
> +		if (le64_to_cpu(attr->nres.data_size) > t64 ||
> +		    le64_to_cpu(attr->nres.valid_size) > t64)
> +			goto out;
> +	}
> +
>  	switch (attr->type) {
>  	case ATTR_STD:
>  		if (attr->non_res ||

Applied, thanks again for the patch!