From: Dan Carpenter <dan.carpenter@oracle.com>
To: eadavis@sina.com
Cc: syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com,
almaz.alexandrovich@paragon-software.com,
linux-kernel@vger.kernel.org, llvm@lists.linux.dev,
nathan@kernel.org, ndesaulniers@google.com,
ntfs3@lists.linux.dev, syzkaller-bugs@googlegroups.com,
trix@redhat.com
Subject: Re: [PATCH v2] fs/netfs3: add a boundary check for EA_FULL
Date: Wed, 14 Sep 2022 18:34:14 +0300 [thread overview]
Message-ID: <YyH0dkkuJnFNE9xT@kadam> (raw)
In-Reply-To: <20220912065431.3043731-1-eadavis@sina.com>
On Mon, Sep 12, 2022 at 02:54:31PM +0800, eadavis@sina.com wrote:
> From: Edward Adam Davis <eadavis@sina.com>
>
> the root cause is:
> The remaining space after the offset is less than the space needed to
> accommodate the next EA_FULL struct.
>
This needs to be checked on the first iteration as well before calling
unpacked_ea_size(ea).
if (bytes - *off < sizeof(*ea))
return false;
> Link: https://syzkaller.appspot.com/bug?extid=c4d950787fd5553287b7
> Reported-by: syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@sina.com>
> ---
> fs/ntfs3/xattr.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
> index 7de8718c68a9..c90cc453390d 100644
> --- a/fs/ntfs3/xattr.c
> +++ b/fs/ntfs3/xattr.c
> @@ -52,6 +52,7 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
> for (;;) {
> const struct EA_FULL *ea = Add2Ptr(ea_all, *off);
> u32 next_off = *off + unpacked_ea_size(ea);
> + u32 next_len = 0;
>
> if (next_off > bytes)
> return false;
> @@ -63,6 +64,13 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
> *off = next_off;
> if (next_off >= bytes)
> return false;
> +
> + next_len = next_off + 8;
8 is a magic number. Use sizeof(*ea).
> + if (next_len >= bytes ||
> + ((!ea->size) &&
> + (next_len + ea->name_len +
> + le16_to_cpu(ea->elength) >= bytes)))
This is open coding unpacked_ea_size() but slightly different/incorrect.
No need to check this anyway, because it gets checked at the start of
the iteration.
If we add the if (bytes - *off < sizeof(*ea)) check to the start of the
iteration that means we can delete the "if (next_off == bytes)" check
from the end.
The second issue with this code is that unpacked_ea_size() is a user
controlled u32. We're adding it to "*off" which is also a u32 so that
can have an integer overflow...
See diff below. (Untested).
regards,
dan carpenter
diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index 7de8718c68a9..c3dbe06fb784 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -44,14 +44,20 @@ static inline size_t packed_ea_size(const struct EA_FULL *ea)
static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
const char *name, u8 name_len, u32 *off)
{
+ const struct EA_FULL *ea;
+ u32 next_off;
+
*off = 0;
- if (!ea_all || !bytes)
+ if (!ea_all)
return false;
for (;;) {
- const struct EA_FULL *ea = Add2Ptr(ea_all, *off);
- u32 next_off = *off + unpacked_ea_size(ea);
+ if (bytes - *off < sizeof(*ea))
+ return false;
+
+ ea = Add2Ptr(ea_all, *off);
+ next_off = size_add(*off, unpacked_ea_size(ea));
if (next_off > bytes)
return false;
@@ -61,8 +67,6 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
return true;
*off = next_off;
- if (next_off >= bytes)
- return false;
}
}
next prev parent reply other threads:[~2022-09-14 15:34 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-06 16:55 [syzbot] KASAN: slab-out-of-bounds Read in ntfs_get_ea syzbot
2022-09-12 3:41 ` [PATCH] fs/netfs3: add a boundary check for EA_FULL eadavis
2022-09-12 6:16 ` kernel test robot
2022-09-12 6:16 ` kernel test robot
2022-09-19 5:19 ` [PATCH] fs/ntfs3: "add a boundary check for EA_FULL" lose right parenthesis eadavis
2022-09-19 5:19 ` eadavis
2022-09-19 10:42 ` Dan Carpenter
2022-09-19 10:42 ` Dan Carpenter
2022-09-19 11:19 ` [PATCH v3] fs/ntfs3: add a boundary check for EA_FULL eadavis
2022-09-19 11:19 ` eadavis
2022-09-19 12:04 ` Dan Carpenter
2022-09-19 12:04 ` Dan Carpenter
2022-09-19 13:21 ` [PATCH v4] fs/ntfs3: Fix buffer overflow and integer overflow eadavis
2022-09-19 13:21 ` eadavis
2022-09-19 13:32 ` eadavis
2022-09-19 13:32 ` eadavis
2022-11-13 5:07 ` [PATCH v5] fs/ntfs3: Validate parameter bytes and valid size eadavis
2022-09-12 6:54 ` [PATCH v2] fs/netfs3: add a boundary check for EA_FULL eadavis
2022-09-14 15:34 ` Dan Carpenter [this message]
2023-01-26 8:13 ` [syzbot] KASAN: slab-out-of-bounds Read in ntfs_get_ea syzbot
2023-04-12 13:11 ` Aleksandr Nogikh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YyH0dkkuJnFNE9xT@kadam \
--to=dan.carpenter@oracle.com \
--cc=almaz.alexandrovich@paragon-software.com \
--cc=eadavis@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=ntfs3@lists.linux.dev \
--cc=syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=trix@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.