[PATCH 0/5] fs/ntfs3: Refactoring and bugfix

[PATCH 0/5] fs/ntfs3: Refactoring and bugfix

[Konstantin Komarov]

This series contains various fixes and refactoring for ntfs3.

Konstantin Komarov (5):
   fs/ntfs3: Add null pointer checks
   fs/ntfs3: Improved checking of attribute's name length
   fs/ntfs3: Check for extremely large size of $AttrDef
   fs/ntfs3: Restore overflow checking for attr size in mi_enum_attr
   fs/ntfs3: Refactoring of various minor issues

  fs/ntfs3/bitmap.c  |  3 ++-
  fs/ntfs3/frecord.c |  2 +-
  fs/ntfs3/fsntfs.c  | 22 ++++++++++++++--------
  fs/ntfs3/index.c   | 10 ++++++----
  fs/ntfs3/inode.c   |  8 +++++++-
  fs/ntfs3/namei.c   |  2 +-
  fs/ntfs3/ntfs.h    |  3 ---
  fs/ntfs3/record.c  |  5 +++++
  fs/ntfs3/super.c   | 10 +++++++++-
  9 files changed, 45 insertions(+), 20 deletions(-)

-- 
2.34.1

[PATCH 1/5] fs/ntfs3: Add null pointer checks

[Konstantin Komarov]

Added null pointer checks in function ntfs_security_init.
Also added le32_to_cpu in functions ntfs_security_init and indx_read.

Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
---
  fs/ntfs3/fsntfs.c | 16 ++++++++++------
  fs/ntfs3/index.c  |  3 ++-
  2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c
index 8de861ddec60..1f36e89dcff7 100644
--- a/fs/ntfs3/fsntfs.c
+++ b/fs/ntfs3/fsntfs.c
@@ -1876,10 +1876,12 @@ int ntfs_security_init(struct ntfs_sb_info *sbi)
          goto out;
      }

-    root_sdh = resident_data_ex(attr, sizeof(struct INDEX_ROOT));
-    if (root_sdh->type != ATTR_ZERO ||
+    if(!(root_sdh = resident_data_ex(attr, sizeof(struct INDEX_ROOT))) ||
+        root_sdh->type != ATTR_ZERO ||
          root_sdh->rule != NTFS_COLLATION_TYPE_SECURITY_HASH ||
-        offsetof(struct INDEX_ROOT, ihdr) + root_sdh->ihdr.used > 
attr->res.data_size) {
+        offsetof(struct INDEX_ROOT, ihdr) +
+            le32_to_cpu(root_sdh->ihdr.used) >
+            le32_to_cpu(attr->res.data_size)) {
          err = -EINVAL;
          goto out;
      }
@@ -1895,10 +1897,12 @@ int ntfs_security_init(struct ntfs_sb_info *sbi)
          goto out;
      }

-    root_sii = resident_data_ex(attr, sizeof(struct INDEX_ROOT));
-    if (root_sii->type != ATTR_ZERO ||
+    if(!(root_sii = resident_data_ex(attr, sizeof(struct INDEX_ROOT))) ||
+        root_sii->type != ATTR_ZERO ||
          root_sii->rule != NTFS_COLLATION_TYPE_UINT ||
-        offsetof(struct INDEX_ROOT, ihdr) + root_sii->ihdr.used > 
attr->res.data_size) {
+        offsetof(struct INDEX_ROOT, ihdr) +
+            le32_to_cpu(root_sii->ihdr.used) >
+            le32_to_cpu(attr->res.data_size)) {
          err = -EINVAL;
          goto out;
      }
diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index f716487ec8a0..8718df791a55 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -1102,7 +1102,8 @@ int indx_read(struct ntfs_index *indx, struct 
ntfs_inode *ni, CLST vbn,
      }

      /* check for index header length */
-    if (offsetof(struct INDEX_BUFFER, ihdr) + ib->ihdr.used > bytes) {
+    if (offsetof(struct INDEX_BUFFER, ihdr) + le32_to_cpu(ib->ihdr.used) >
+        bytes) {
          err = -EINVAL;
          goto out;
      }
-- 
2.34.1

[PATCH 2/5] fs/ntfs3: Improved checking of attribute's name length

[Konstantin Komarov]

Added comment, added null pointer checking.

Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
---
  fs/ntfs3/inode.c | 8 +++++++-
  1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index 8225d0b7c48c..51f9542de7b0 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -137,7 +137,13 @@ static struct inode *ntfs_read_mft(struct inode *inode,
      rsize = attr->non_res ? 0 : le32_to_cpu(attr->res.data_size);
      asize = le32_to_cpu(attr->size);

-    if (le16_to_cpu(attr->name_off) + attr->name_len > asize)
+    /*
+     * Really this check was done in 'ni_enum_attr_ex' -> ... 
'mi_enum_attr'.
+     * There not critical to check this case again
+     */
+    if (attr->name_len &&
+        sizeof(short) * attr->name_len + le16_to_cpu(attr->name_off) >
+            asize)
          goto out;

      if (attr->non_res) {
-- 
2.34.1

[PATCH 3/5] fs/ntfs3: Check for extremely large size of $AttrDef

[Konstantin Komarov]

Added additional checking for size of $AttrDef.
Added comment.

Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
---
  fs/ntfs3/super.c | 10 +++++++++-
  1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index ef4ea3f21905..0967035146ce 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -1185,10 +1185,18 @@ static int ntfs_fill_super(struct super_block 
*sb, struct fs_context *fc)
          goto out;
      }

-    if (inode->i_size < sizeof(struct ATTR_DEF_ENTRY)) {
+    /*
+     * Typical $AttrDef contains up to 20 entries.
+     * Check for extremely large size.
+     */
+    if (inode->i_size < sizeof(struct ATTR_DEF_ENTRY) ||
+        inode->i_size > 100 * sizeof(struct ATTR_DEF_ENTRY)) {
+        ntfs_err(sb, "Looks like $AttrDef is corrupted (size=%llu).",
+             inode->i_size);
          err = -EINVAL;
          goto put_inode_out;
      }
+
      bytes = inode->i_size;
      sbi->def_table = t = kmalloc(bytes, GFP_NOFS | __GFP_NOWARN);
      if (!t) {
-- 
2.34.1

[PATCH 4/5] fs/ntfs3: Restore overflow checking for attr size in mi_enum_attr

[Konstantin Komarov]

Fixed comment.
Removed explicit initialization for INDEX_ROOT.

Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
---
  fs/ntfs3/index.c  | 7 ++++---
  fs/ntfs3/record.c | 5 +++++
  fs/ntfs3/super.c  | 2 +-
  3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 8718df791a55..9fefeac5fe7e 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -994,7 +994,7 @@ struct INDEX_ROOT *indx_get_root(struct ntfs_index 
*indx, struct ntfs_inode *ni,
      struct ATTR_LIST_ENTRY *le = NULL;
      struct ATTRIB *a;
      const struct INDEX_NAMES *in = &s_index_names[indx->type];
-    struct INDEX_ROOT *root = NULL;
+    struct INDEX_ROOT *root;

      a = ni_find_attr(ni, NULL, &le, ATTR_ROOT, in->name, in->name_len, 
NULL,
               mi);
@@ -1007,8 +1007,9 @@ struct INDEX_ROOT *indx_get_root(struct ntfs_index 
*indx, struct ntfs_inode *ni,
      root = resident_data_ex(a, sizeof(struct INDEX_ROOT));

      /* length check */
-    if (root && offsetof(struct INDEX_ROOT, ihdr) + 
le32_to_cpu(root->ihdr.used) >
-            le32_to_cpu(a->res.data_size)) {
+    if (root &&
+        offsetof(struct INDEX_ROOT, ihdr) + le32_to_cpu(root->ihdr.used) >
+            le32_to_cpu(a->res.data_size)) {
          return NULL;
      }

diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c
index abfe004774c0..0603169ee8a0 100644
--- a/fs/ntfs3/record.c
+++ b/fs/ntfs3/record.c
@@ -220,6 +220,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, 
struct ATTRIB *attr)
              return NULL;
          }

+        if (off + asize < off) {
+            /* Overflow check. */
+            return NULL;
+        }
+
          attr = Add2Ptr(attr, asize);
          off += asize;
      }
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index 0967035146ce..19d0889b131f 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -1187,7 +1187,7 @@ static int ntfs_fill_super(struct super_block *sb, 
struct fs_context *fc)

      /*
       * Typical $AttrDef contains up to 20 entries.
-     * Check for extremely large size.
+     * Check for extremely large/small size.
       */
      if (inode->i_size < sizeof(struct ATTR_DEF_ENTRY) ||
          inode->i_size > 100 * sizeof(struct ATTR_DEF_ENTRY)) {
-- 
2.34.1

[PATCH 5/5] fs/ntfs3: Refactoring of various minor issues

[Konstantin Komarov]

Removed unused macro.
Changed null pointer checking.
Fixed inconsistent indenting.

Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
---
  fs/ntfs3/bitmap.c  | 3 ++-
  fs/ntfs3/frecord.c | 2 +-
  fs/ntfs3/fsntfs.c  | 6 ++++--
  fs/ntfs3/namei.c   | 2 +-
  fs/ntfs3/ntfs.h    | 3 ---
  5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/fs/ntfs3/bitmap.c b/fs/ntfs3/bitmap.c
index 723fb64e6531..393c726ef17a 100644
--- a/fs/ntfs3/bitmap.c
+++ b/fs/ntfs3/bitmap.c
@@ -658,7 +658,8 @@ int wnd_init(struct wnd_bitmap *wnd, struct 
super_block *sb, size_t nbits)
      if (!wnd->bits_last)
          wnd->bits_last = wbits;

-    wnd->free_bits = kcalloc(wnd->nwnd, sizeof(u16), GFP_NOFS | 
__GFP_NOWARN);
+    wnd->free_bits =
+        kcalloc(wnd->nwnd, sizeof(u16), GFP_NOFS | __GFP_NOWARN);
      if (!wnd->free_bits)
          return -ENOMEM;

diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
index 912eeb3d3471..1103d4d9a497 100644
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -1645,7 +1645,7 @@ struct ATTR_FILE_NAME *ni_fname_name(struct 
ntfs_inode *ni,
  {
      struct ATTRIB *attr = NULL;
      struct ATTR_FILE_NAME *fname;
-       struct le_str *fns;
+    struct le_str *fns;

      if (le)
          *le = NULL;
diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c
index 1f36e89dcff7..342938704cfd 100644
--- a/fs/ntfs3/fsntfs.c
+++ b/fs/ntfs3/fsntfs.c
@@ -2599,8 +2599,10 @@ static inline bool is_reserved_name(struct 
ntfs_sb_info *sbi,
      if (len == 4 || (len > 4 && le16_to_cpu(name[4]) == '.')) {
          port_digit = le16_to_cpu(name[3]);
          if (port_digit >= '1' && port_digit <= '9')
-            if (!ntfs_cmp_names(name, 3, COM_NAME, 3, upcase, false) ||
-                !ntfs_cmp_names(name, 3, LPT_NAME, 3, upcase, false))
+            if (!ntfs_cmp_names(name, 3, COM_NAME, 3, upcase,
+                        false) ||
+                !ntfs_cmp_names(name, 3, LPT_NAME, 3, upcase,
+                        false))
                  return true;
      }

diff --git a/fs/ntfs3/namei.c b/fs/ntfs3/namei.c
index 3db34d5c03dc..53ddea219e37 100644
--- a/fs/ntfs3/namei.c
+++ b/fs/ntfs3/namei.c
@@ -93,7 +93,7 @@ static struct dentry *ntfs_lookup(struct inode *dir, 
struct dentry *dentry,
       * If the MFT record of ntfs inode is not a base record, 
inode->i_op can be NULL.
       * This causes null pointer dereference in d_splice_alias().
       */
-    if (!IS_ERR(inode) && inode->i_op == NULL) {
+    if (!IS_ERR_OR_NULL(inode) && !inode->i_op) {
          iput(inode);
          inode = ERR_PTR(-EINVAL);
      }
diff --git a/fs/ntfs3/ntfs.h b/fs/ntfs3/ntfs.h
index 86ea1826d099..90151e56c122 100644
--- a/fs/ntfs3/ntfs.h
+++ b/fs/ntfs3/ntfs.h
@@ -435,9 +435,6 @@ static inline u64 attr_svcn(const struct ATTRIB *attr)
      return attr->non_res ? le64_to_cpu(attr->nres.svcn) : 0;
  }

-/* The size of resident attribute by its resident size. */
-#define BYTES_PER_RESIDENT(b) (0x18 + (b))
-
  static_assert(sizeof(struct ATTRIB) == 0x48);
  static_assert(sizeof(((struct ATTRIB *)NULL)->res) == 0x08);
  static_assert(sizeof(((struct ATTRIB *)NULL)->nres) == 0x38);
-- 
2.34.1