From: Dan Carpenter <dan.carpenter@oracle.com>
To: eadavis@sina.com
Cc: syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com,
almaz.alexandrovich@paragon-software.com,
linux-kernel@vger.kernel.org, llvm@lists.linux.dev,
nathan@kernel.org, ndesaulniers@google.com,
ntfs3@lists.linux.dev, syzkaller-bugs@googlegroups.com,
trix@redhat.com
Subject: Re: [PATCH v2] fs/netfs3: add a boundary check for EA_FULL
Date: Wed, 14 Sep 2022 18:34:14 +0300 [thread overview]
Message-ID: <YyH0dkkuJnFNE9xT@kadam> (raw)
In-Reply-To: <20220912065431.3043731-1-eadavis@sina.com>
On Mon, Sep 12, 2022 at 02:54:31PM +0800, eadavis@sina.com wrote:
> From: Edward Adam Davis <eadavis@sina.com>
>
> the root cause is:
> The remaining space after the offset is less than the space needed to
> accommodate the next EA_FULL struct.
>
This needs to be checked on the first iteration as well before calling
unpacked_ea_size(ea).
if (bytes - *off < sizeof(*ea))
return false;
> Link: https://syzkaller.appspot.com/bug?extid=c4d950787fd5553287b7
> Reported-by: syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@sina.com>
> ---
> fs/ntfs3/xattr.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
> index 7de8718c68a9..c90cc453390d 100644
> --- a/fs/ntfs3/xattr.c
> +++ b/fs/ntfs3/xattr.c
> @@ -52,6 +52,7 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
> for (;;) {
> const struct EA_FULL *ea = Add2Ptr(ea_all, *off);
> u32 next_off = *off + unpacked_ea_size(ea);
> + u32 next_len = 0;
>
> if (next_off > bytes)
> return false;
> @@ -63,6 +64,13 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
> *off = next_off;
> if (next_off >= bytes)
> return false;
> +
> + next_len = next_off + 8;
8 is a magic number. Use sizeof(*ea).
> + if (next_len >= bytes ||
> + ((!ea->size) &&
> + (next_len + ea->name_len +
> + le16_to_cpu(ea->elength) >= bytes)))
This is open coding unpacked_ea_size() but slightly different/incorrect.
No need to check this anyway, because it gets checked at the start of
the iteration.
If we add the if (bytes - *off < sizeof(*ea)) check to the start of the
iteration that means we can delete the "if (next_off == bytes)" check
from the end.
The second issue with this code is that unpacked_ea_size() is a user
controlled u32. We're adding it to "*off" which is also a u32 so that
can have an integer overflow...
See diff below. (Untested).
regards,
dan carpenter
diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index 7de8718c68a9..c3dbe06fb784 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -44,14 +44,20 @@ static inline size_t packed_ea_size(const struct EA_FULL *ea)
static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
const char *name, u8 name_len, u32 *off)
{
+ const struct EA_FULL *ea;
+ u32 next_off;
+
*off = 0;
- if (!ea_all || !bytes)
+ if (!ea_all)
return false;
for (;;) {
- const struct EA_FULL *ea = Add2Ptr(ea_all, *off);
- u32 next_off = *off + unpacked_ea_size(ea);
+ if (bytes - *off < sizeof(*ea))
+ return false;
+
+ ea = Add2Ptr(ea_all, *off);
+ next_off = size_add(*off, unpacked_ea_size(ea));
if (next_off > bytes)
return false;
@@ -61,8 +67,6 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
return true;
*off = next_off;
- if (next_off >= bytes)
- return false;
}
}
next prev parent reply other threads:[~2022-09-14 15:34 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-06 16:55 [syzbot] KASAN: slab-out-of-bounds Read in ntfs_get_ea syzbot
2022-09-12 3:41 ` [PATCH] fs/netfs3: add a boundary check for EA_FULL eadavis
2022-09-12 6:16 ` kernel test robot
2022-09-12 6:16 ` kernel test robot
2022-09-19 5:19 ` [PATCH] fs/ntfs3: "add a boundary check for EA_FULL" lose right parenthesis eadavis
2022-09-19 10:42 ` Dan Carpenter
2022-09-19 11:19 ` [PATCH v3] fs/ntfs3: add a boundary check for EA_FULL eadavis
2022-09-19 12:04 ` Dan Carpenter
2022-09-19 13:21 ` [PATCH v4] fs/ntfs3: Fix buffer overflow and integer overflow eadavis
2022-09-19 13:32 ` eadavis
2022-11-13 5:07 ` [PATCH v5] fs/ntfs3: Validate parameter bytes and valid size eadavis
2022-09-12 6:54 ` [PATCH v2] fs/netfs3: add a boundary check for EA_FULL eadavis
2022-09-14 15:34 ` Dan Carpenter [this message]
2023-01-26 8:13 ` [syzbot] KASAN: slab-out-of-bounds Read in ntfs_get_ea syzbot
2023-04-12 13:11 ` Aleksandr Nogikh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YyH0dkkuJnFNE9xT@kadam \
--to=dan.carpenter@oracle.com \
--cc=almaz.alexandrovich@paragon-software.com \
--cc=eadavis@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=ntfs3@lists.linux.dev \
--cc=syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=trix@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).