From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
To: <ntfs3@lists.linux.dev>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
<linux-fsdevel@vger.kernel.org>
Subject: [PATCH 8/8] fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super
Date: Mon, 3 Jul 2023 11:28:25 +0400
Message-ID: <f54ef3d3-2cca-535d-344c-408d969545d8@paragon-software.com>
In-Reply-To: <e41f6717-7c70-edf2-2d3a-8034840d14c5@paragon-software.com>
Reported-by: syzbot+478c1bf0e6bf4a8f3a04@syzkaller.appspotmail.com
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
---
fs/ntfs3/ntfs_fs.h | 2 ++
fs/ntfs3/super.c | 26 ++++++++++++++++++++------
2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h
index 629403ede6e5..788567d71d93 100644
--- a/fs/ntfs3/ntfs_fs.h
+++ b/fs/ntfs3/ntfs_fs.h
@@ -42,9 +42,11 @@ enum utf16_endian;
#define MINUS_ONE_T ((size_t)(-1))
/* Biggest MFT / smallest cluster */
#define MAXIMUM_BYTES_PER_MFT 4096
+#define MAXIMUM_SHIFT_BYTES_PER_MFT 12
#define NTFS_BLOCKS_PER_MFT_RECORD (MAXIMUM_BYTES_PER_MFT / 512)
#define MAXIMUM_BYTES_PER_INDEX 4096
+#define MAXIMUM_SHIFT_BYTES_PER_INDEX 12
#define NTFS_BLOCKS_PER_INODE (MAXIMUM_BYTES_PER_INDEX / 512)
/* NTFS specific error code when fixup failed. */
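Review bot: MAXIMUM_SHIFT_BYTES_PER_MFT and MAXIMUM_SHIFT_BYTES_PER_INDEX are introduced as independent literals (12) next to MAXIMUM_BYTES_PER_MFT and MAXIMUM_BYTES_PER_INDEX (4096), so nothing ties the two representations together if one is ever changed. Consider deriving one from the other, e.g. `#define MAXIMUM_BYTES_PER_MFT (1u << MAXIMUM_SHIFT_BYTES_PER_MFT)`, or adding a `static_assert(1u << MAXIMUM_SHIFT_BYTES_PER_MFT == MAXIMUM_BYTES_PER_MFT)`. A one-line comment saying the shift constants bound the negative (log2-encoded) record_size/index_size fields of the boot sector would also help readers who land here from super.c.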
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index 0034952b9ccd..34ebfaa8fbab 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -905,9 +905,17 @@ static int ntfs_init_from_boot(struct super_block
*sb, u32 sector_size,
goto out;
}
- sbi->record_size = record_size =
- boot->record_size < 0 ? 1 << (-boot->record_size) :
- (u32)boot->record_size << cluster_bits;
+ if (boot->record_size >= 0) {
+ record_size = (u32)boot->record_size << cluster_bits;
+ } else if (-boot->record_size <= MAXIMUM_SHIFT_BYTES_PER_MFT) {
+ record_size = 1u << (-boot->record_size);
+ } else {
+ ntfs_err(sb, "%s: invalid record size %d.", hint,
+ boot->record_size);
+ goto out;
+ }
+
+ sbi->record_size = record_size;
sbi->record_bits = blksize_bits(record_size);
sbi->attr_size_tr = (5 * record_size >> 4); // ~320 bytes
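Review bot: the negative branch is now bounded (shift of at most MAXIMUM_SHIFT_BYTES_PER_MFT, giving at most 4096 bytes), but the positive branch `record_size = (u32)boot->record_size << cluster_bits;` is not bounded in this hunk: a large boot->record_size or cluster_bits still produces an oversized, wrapped, or zero record_size before it reaches `blksize_bits(record_size)` and the attr_size_tr computation. If a later range check on record_size (against MAXIMUM_BYTES_PER_MFT, SECTOR_SIZE and is_power_of_2) exists outside this hunk, a short comment here pointing to it would make the intent clear; otherwise that check should be added right after `sbi->record_size = record_size;`, mirroring the index_size check in the next hunk.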
@@ -924,9 +932,15 @@ static int ntfs_init_from_boot(struct super_block
*sb, u32 sector_size,
goto out;
}
- sbi->index_size = boot->index_size < 0 ?
- 1u << (-boot->index_size) :
- (u32)boot->index_size << cluster_bits;
+ if (boot->index_size >= 0) {
+ sbi->index_size = (u32)boot->index_size << cluster_bits;
+ } else if (-boot->index_size <= MAXIMUM_SHIFT_BYTES_PER_INDEX) {
+ sbi->index_size = 1u << (-boot->index_size);
+ } else {
+ ntfs_err(sb, "%s: invalid index size %d.", hint,
+ boot->index_size);
+ goto out;
+ }
/* Check index record size. */
if (sbi->index_size < SECTOR_SIZE ||
!is_power_of_2(sbi->index_size)) {
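Review bot: the check that follows (`sbi->index_size < SECTOR_SIZE || !is_power_of_2(sbi->index_size)`) has no upper bound, so the positive branch `(u32)boot->index_size << cluster_bits` can still yield a power of two far above MAXIMUM_BYTES_PER_INDEX; adding `sbi->index_size > MAXIMUM_BYTES_PER_INDEX` to that condition would close the gap the new shift bound leaves open. Separately, the decode logic is now duplicated between the record_size and index_size hunks (same sign test, same shift bound, same error path); a small static helper that takes the signed boot field, cluster_bits and the maximum shift, and returns 0 on invalid input, would keep the two paths from drifting apart.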
--
2.34.1
Thread overview:
2023-07-03 7:23 [PATCH 0/8] fs/ntfs3: Bugfix and refactoring Konstantin Komarov
2023-07-03 7:24 ` [PATCH 1/8] fs/ntfs3: Add ckeck in ni_update_parent() Konstantin Komarov
2023-07-03 7:25 ` [PATCH 2/8] fs/ntfs3: Write immediately updated ntfs state Konstantin Komarov
2023-07-03 7:25 ` [PATCH 3/8] fs/ntfs3: Minor code refactoring and formatting Konstantin Komarov
2023-07-03 7:26 ` [PATCH 4/8] fs/ntfs3: Don't allow to change label if volume is read-only Konstantin Komarov
2023-07-03 7:26 ` [PATCH 5/8] fs/ntfs3: Use kvmalloc instead of kmalloc(... __GFP_NOWARN) Konstantin Komarov
2023-12-23 4:46 ` Matthew Wilcox
2023-12-23 13:33 ` Tetsuo Handa
2023-12-23 16:56 ` Matthew Wilcox
2023-07-03 7:27 ` [PATCH 6/8] fs/ntfs3: Add more attributes checks in mi_enum_attr() Konstantin Komarov
2023-07-03 7:27 ` [PATCH 7/8] fs/ntfs3: fix deadlock in mark_as_free_ex Konstantin Komarov
2023-07-03 7:28 ` [PATCH 8/8] fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super Konstantin Komarov
2023-12-23 5:00 ` [PATCH 0/8] fs/ntfs3: Bugfix and refactoring Kent Overstreet