Date: Tue, 13 Oct 2020 16:48:17 -0700
From: Andrew Morton
To: akpm@linux-foundation.org, anton@tuxera.com, linux-mm@kvack.org, mm-commits@vger.kernel.org, rkovhaev@gmail.com, torvalds@linux-foundation.org
Subject: [patch 014/181] ntfs: add check for mft record size in superblock
Message-ID: <20201013234817.kgKs7HBdo%akpm@linux-foundation.org>
In-Reply-To: <20201013164658.3bfd96cc224d8923e66a9f4e@linux-foundation.org>

From: Rustam Kovhaev
Subject: ntfs: add check for mft record size in superblock

Number of bytes allocated for mft record should be equal to the mft record
size stored in ntfs superblock as reported by syzbot, userspace might
trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find()

Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com
Reported-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
Tested-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
Signed-off-by: Rustam Kovhaev
Acked-by: Anton Altaparmakov
Signed-off-by: Andrew Morton
--- fs/ntfs/inode.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/fs/ntfs/inode.c~ntfs-add-check-for-mft-record-size-in-superblock +++ a/fs/ntfs/inode.c @@ -1810,6 +1810,12 @@ int ntfs_read_inode_mount(struct inode * brelse(bh); } + if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) { + ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.", + le32_to_cpu(m->bytes_allocated), vol->mft_record_size); + goto err_out; + } + /* Apply the mst fixups. */ if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) { /* FIXME: Try to use the $MFTMirr now. */ _
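
Review bot: the ntfs_error() string in the added check in ntfs_read_inode_mount() mislabels its arguments. The first %u prints m->bytes_allocated, which is read from the mft record, while the second prints vol->mft_record_size, which the commit message describes as the size stored in the superblock; "Incorrect mft record size %u in superblock, should be %u." reads as if the superblock value were the wrong one. Consider wording along the lines of "mft record bytes_allocated %u does not match mft record size %u from superblock." so that someone triaging a corrupted or crafted image can tell which on-disk field failed validation. The new block also has no comment, unlike the "Apply the mst fixups." step right after it; a one-line comment stating that the record's allocated size is validated against the volume's record size before post_read_mst_fixup() and later attribute parsing would record why the check sits at this point.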