number of bytes allocated for mft record should be equal to the mft
record size stored in ntfs superblock
as reported by syzbot, userspace might trigger out-of-bounds read by
dereferencing ctx->attr in ntfs_attr_find()
Reported-and-tested-by: [email protected]
Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
Signed-off-by: Rustam Kovhaev <[email protected]>
Acked-by: Anton Altaparmakov <[email protected]>
---
fs/ntfs/inode.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index 9bb9f0952b18..caf563981532 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -1810,6 +1810,12 @@ int ntfs_read_inode_mount(struct inode *vi)
brelse(bh);
}
+ if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) {
+ ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.",
+ le32_to_cpu(m->bytes_allocated), vol->mft_record_size);
+ goto err_out;
+ }
+
/* Apply the mst fixups. */
if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) {
/* FIXME: Try to use the $MFTMirr now. */
--
2.28.0
Hi Andrew,
Can you please merge this patch? Thanks a lot in advance!
Rustam, thank you for the updated patch!
Best regards,
Anton
> On 24 Aug 2020, at 03:28, Rustam Kovhaev <[email protected]> wrote:
>
> number of bytes allocated for mft record should be equal to the mft
> record size stored in ntfs superblock
> as reported by syzbot, userspace might trigger out-of-bounds read by
> dereferencing ctx->attr in ntfs_attr_find()
>
> Reported-and-tested-by: [email protected]
> Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
> Signed-off-by: Rustam Kovhaev <[email protected]>
> Acked-by: Anton Altaparmakov <[email protected]>
> ---
> fs/ntfs/inode.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
> index 9bb9f0952b18..caf563981532 100644
> --- a/fs/ntfs/inode.c
> +++ b/fs/ntfs/inode.c
> @@ -1810,6 +1810,12 @@ int ntfs_read_inode_mount(struct inode *vi)
> brelse(bh);
> }
>
> + if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) {
> + ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.",
> + le32_to_cpu(m->bytes_allocated), vol->mft_record_size);
> + goto err_out;
> + }
> +
> /* Apply the mst fixups. */
> if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) {
> /* FIXME: Try to use the $MFTMirr now. */
> --
> 2.28.0
>
--
Anton Altaparmakov <anton at tuxera.com> (replace at with @)
Lead in File System Development, Tuxera Inc., http://www.tuxera.com/
Linux NTFS maintainer