Re: [PATCH v2] fs/ntfs: fix BUG_ON of ntfs_read_block()

From: Namjae Jeon <linkinjeon@kernel.org>
To: Eric Biggers <ebiggers@kernel.org>, xu.xin16@zte.com.cn
Cc: cgel.zte@gmail.com, anton@tuxera.com,
	linux-ntfs-dev@lists.sourceforge.net, stable@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	Zeal Robot <zealci@zte.com.cn>,
	syzbot+6a5a7672f663cce8b156@syzkaller.appspotmail.com,
	Songyi Zhang <zhang.songyi@zte.com.cn>,
	Yang Yang <yang.yang29@zte.com.cn>,
	Jiang Xuexin <jiang.xuexin@zte.com.cn>,
	Zhang wenya <zhang.wenya1@zte.com.cn>
Subject: Re: [PATCH v2] fs/ntfs: fix BUG_ON of ntfs_read_block()
Date: Fri, 24 Jun 2022 11:33:28 +0900	[thread overview]
Message-ID: <CAKYAXd8qoLKbWGX7omYUfarSugRnose8X8o3Zhb1XctiUtamQg@mail.gmail.com> (raw)
In-Reply-To: <YrSeAGmk4GZndtdn@sol.localdomain>

2022-06-24 2:08 GMT+09:00, Eric Biggers <ebiggers@kernel.org>:
> On Thu, Jun 23, 2022 at 09:49:56AM +0000, cgel.zte@gmail.com wrote:
>> From: xu xin <xu.xin16@zte.com.cn>
>>
>> As the bug description at
>> https://lore.kernel.org/lkml/20220623033635.973929-1-xu.xin16@zte.com.cn/
>> attckers can use this bug to crash the system.
>>
>> So to avoid panic, remove the BUG_ON, and use ntfs_warning to output a
>> warning to the syslog and return instead until someone really solve
>> the problem.
>>
>> Cc: stable@vger.kernel.org
>> Reported-by: Zeal Robot <zealci@zte.com.cn>
>> Reported-by: syzbot+6a5a7672f663cce8b156@syzkaller.appspotmail.com
>> Reviewed-by: Songyi Zhang <zhang.songyi@zte.com.cn>
>> Reviewed-by: Yang Yang <yang.yang29@zte.com.cn>
>> Reviewed-by: Jiang Xuexin<jiang.xuexin@zte.com.cn>
>> Reviewed-by: Zhang wenya<zhang.wenya1@zte.com.cn>
>> Signed-off-by: xu xin <xu.xin16@zte.com.cn>
>> ---
>>
>> Change for v2:
>>  - Use ntfs_warning instead of WARN().
>>  - Add the tag Cc: stable@vger.kernel.org.
>> ---
>>  fs/ntfs/aops.c | 7 ++++++-
>>  1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/ntfs/aops.c b/fs/ntfs/aops.c
>> index 5f4fb6ca6f2e..84d68efb4ace 100644
>> --- a/fs/ntfs/aops.c
>> +++ b/fs/ntfs/aops.c
>> @@ -183,7 +183,12 @@ static int ntfs_read_block(struct page *page)
>>  	vol = ni->vol;
>>
>>  	/* $MFT/$DATA must have its complete runlist in memory at all times. */
>> -	BUG_ON(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni));
>> +	if (unlikely(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni))) {
>> +		ntfs_warning(vi->i_sb, "Error because ni->runlist.rl, ni->mft_no, "
>> +				"and NInoAttr(ni) is null.");
>> +		unlock_page(page);
>> +		return -EINVAL;
>> +	}
>
> A better warning message that doesn't rely on implementation details
> (struct
> field and macro names) would be "Runlist of $MFT/$DATA is not cached".
> Also,
> why does this situation happen in the first place?  Is there a way to
> prevent
> this situation in the first place?

ntfs_mapping_pairs_decompress() should return error pointer instead of NULL.
Callers is checking error value using IS_ERR(). and the mapping pairs
array of @MFT entry is empty, I think it's corrupted, it should cause
mount failure.

I haven't checked if this patch fix the problem. Xu, Can you check it ?

diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
index 97932fb5179c..31263fe0772f 100644
--- a/fs/ntfs/runlist.c
+++ b/fs/ntfs/runlist.c
@@ -766,8 +766,11 @@ runlist_element
*ntfs_mapping_pairs_decompress(const ntfs_volume *vol,
                return ERR_PTR(-EIO);
        }
        /* If the mapping pairs array is valid but empty, nothing to do. */
-       if (!vcn && !*buf)
+       if (!vcn && !*buf) {
+               if (!old_rl)
+                       return ERR_PTR(-EIO);
                return old_rl;
+       }
        /* Current position in runlist array. */
        rlpos = 0;
        /* Allocate first page and set current runlist size to one page. */

>
> - Eric
>
