[PATCH] ntfs: move check for valid resident attribute offset and length

[PATCH] ntfs: move check for valid resident attribute offset and length

[Rustam Kovhaev]

we should check for valid resident atribute offset and length before
loading STANDARD_INFORMATION attribute in ntfs_read_locked_inode()
let's make that check a bit earlier in the same function to avoid
use-after-free bug

Reported-and-tested-by: syzbot+c584225dabdea2f71969@syzkaller.appspotmail.com
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
Link: https://syzkaller.appspot.com/bug?extid=c584225dabdea2f71969
---
 fs/ntfs/inode.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index f7e4cbc26eaf..70745aea5106 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -629,6 +629,13 @@ static int ntfs_read_locked_inode(struct inode *vi)
 	}
 	a = ctx->attr;
 	/* Get the standard information attribute value. */
+	if ((u8 *)a + le16_to_cpu(a->data.resident.value_offset)
+			+ le32_to_cpu(
+			a->data.resident.value_length) >
+			(u8 *)ctx->mrec + vol->mft_record_size) {
+		ntfs_error(vi->i_sb, "Corrupt attribute list in inode.");
+		goto unm_err_out;
+	}
 	si = (STANDARD_INFORMATION*)((u8*)a +
 			le16_to_cpu(a->data.resident.value_offset));
 
@@ -731,14 +738,6 @@ static int ntfs_read_locked_inode(struct inode *vi)
 				goto unm_err_out;
 			}
 		} else /* if (!a->non_resident) */ {
-			if ((u8*)a + le16_to_cpu(a->data.resident.value_offset)
-					+ le32_to_cpu(
-					a->data.resident.value_length) >
-					(u8*)ctx->mrec + vol->mft_record_size) {
-				ntfs_error(vi->i_sb, "Corrupt attribute list "
-						"in inode.");
-				goto unm_err_out;
-			}
 			/* Now copy the attribute list. */
 			memcpy(ni->attr_list, (u8*)a + le16_to_cpu(
 					a->data.resident.value_offset),
-- 
2.30.0

Re: [PATCH] ntfs: move check for valid resident attribute offset and length

[Anton Altaparmakov]

Hi Rustam,

Thank you for the patch but it is not quite correct:

1) The first delta: yes that is a good idea to add this check but the error message is incorrect.  It should say "Corrupt standard information attribute in inode." instead.

2) The second delta: The check of the attribute list attribute needs to remain, i.e. your second delta needs to be deleted.

Please could you address both of the above comments and then resend?  Please then also add: "Acked-by: Anton Altaparmakov <anton@tuxera.com>" to the patch.

Thanks a lot in advance!

Best regards,

	Anton

> On 14 Feb 2021, at 22:12, Rustam Kovhaev <rkovhaev@gmail.com> wrote:
> 
> we should check for valid resident atribute offset and length before
> loading STANDARD_INFORMATION attribute in ntfs_read_locked_inode()
> let's make that check a bit earlier in the same function to avoid
> use-after-free bug
> 
> Reported-and-tested-by: syzbot+c584225dabdea2f71969@syzkaller.appspotmail.com
> Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
> Link: https://syzkaller.appspot.com/bug?extid=c584225dabdea2f71969
> ---
> fs/ntfs/inode.c | 15 +++++++--------
> 1 file changed, 7 insertions(+), 8 deletions(-)
> 
> diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
> index f7e4cbc26eaf..70745aea5106 100644
> --- a/fs/ntfs/inode.c
> +++ b/fs/ntfs/inode.c
> @@ -629,6 +629,13 @@ static int ntfs_read_locked_inode(struct inode *vi)
> 	}
> 	a = ctx->attr;
> 	/* Get the standard information attribute value. */
> +	if ((u8 *)a + le16_to_cpu(a->data.resident.value_offset)
> +			+ le32_to_cpu(
> +			a->data.resident.value_length) >
> +			(u8 *)ctx->mrec + vol->mft_record_size) {
> +		ntfs_error(vi->i_sb, "Corrupt attribute list in inode.");
> +		goto unm_err_out;
> +	}
> 	si = (STANDARD_INFORMATION*)((u8*)a +
> 			le16_to_cpu(a->data.resident.value_offset));
> 
> @@ -731,14 +738,6 @@ static int ntfs_read_locked_inode(struct inode *vi)
> 				goto unm_err_out;
> 			}
> 		} else /* if (!a->non_resident) */ {
> -			if ((u8*)a + le16_to_cpu(a->data.resident.value_offset)
> -					+ le32_to_cpu(
> -					a->data.resident.value_length) >
> -					(u8*)ctx->mrec + vol->mft_record_size) {
> -				ntfs_error(vi->i_sb, "Corrupt attribute list "
> -						"in inode.");
> -				goto unm_err_out;
> -			}
> 			/* Now copy the attribute list. */
> 			memcpy(ni->attr_list, (u8*)a + le16_to_cpu(
> 					a->data.resident.value_offset),
> -- 
> 2.30.0
> 


-- 
Anton Altaparmakov <anton at tuxera.com> (replace at with @)
Lead in File System Development, Tuxera Inc., http://www.tuxera.com/
Linux NTFS maintainer

Re: [PATCH] ntfs: move check for valid resident attribute offset and length

[Rustam Kovhaev]

On Tue, Feb 16, 2021 at 02:40:37AM +0000, Anton Altaparmakov wrote:
> Hi Rustam,
> 
> Thank you for the patch but it is not quite correct:
> 
> 1) The first delta: yes that is a good idea to add this check but the error message is incorrect.  It should say "Corrupt standard information attribute in inode." instead.
> 
> 2) The second delta: The check of the attribute list attribute needs to remain, i.e. your second delta needs to be deleted.
> 
> Please could you address both of the above comments and then resend?  Please then also add: "Acked-by: Anton Altaparmakov <anton@tuxera.com>" to the patch.
> 
> Thanks a lot in advance!
> 
> Best regards,
> 
> 	Anton
> 
hi Anton, thank you for the review! I'll resend the patch!