2020-08-24 02:40:59

by Rustam Kovhaev

Subject: [PATCH] ntfs: add check for mft record size in superblock

number of bytes allocated for mft record should be equal to the mft
record size stored in ntfs superblock
as reported by syzbot, userspace might trigger out-of-bounds read by
dereferencing ctx->attr in ntfs_attr_find()

Reported-and-tested-by: [email protected]
Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
Signed-off-by: Rustam Kovhaev <[email protected]>
Acked-by: Anton Altaparmakov <[email protected]>
---
fs/ntfs/inode.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index 9bb9f0952b18..caf563981532 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -1810,6 +1810,12 @@ int ntfs_read_inode_mount(struct inode *vi)
brelse(bh);
}

+ if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) {
+ ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.",
+ le32_to_cpu(m->bytes_allocated), vol->mft_record_size);
+ goto err_out;
+ }
+
/* Apply the mst fixups. */
if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) {
/* FIXME: Try to use the $MFTMirr now. */
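Review bot: The error message in the new check names the wrong side of the comparison: `m->bytes_allocated` is read from the $MFT record on disk, while `vol->mft_record_size` is the value derived from the superblock, so "Incorrect mft record size %u in superblock, should be %u." reads backwards and would send whoever reads the log to the wrong structure. Suggest wording it as "Incorrect mft record size %u in $MFT record, should be %u (from superblock)." Minor: `le32_to_cpu(m->bytes_allocated)` is evaluated twice; a local `u32 bytes_allocated = le32_to_cpu(m->bytes_allocated);` would tidy both the condition and the message.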
--
2.28.0
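The check the patch adds compares the size a $MFT record claims for itself (bytes_allocated in the FILE record header) against the record size the superblock encodes, and rejects the record on mismatch so later attribute walking never trusts a header that disagrees with the volume geometry. The following is an added userspace C example, not code from the kernel patch or from the ntfs driver: it derives the record size the way the NTFS boot sector encodes it (negative clusters_per_mft_record means a power-of-two byte size), parses a constructed FILE record header at the on-disk offsets, and applies the patch's size check plus an extra bounds check on attrs_offset and bytes_in_use that is this example's own addition. All helper names (mft_record_size_from_boot, validate_mft_record, build_sample_record, check_sample) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets inside an NTFS MFT ("FILE") record header (on-disk layout);
 * the macro names are this example's own. */
#define MFT_HDR_LEN        0x30
#define MFT_OFS_MAGIC      0x00   /* "FILE"                         */
#define MFT_OFS_ATTRS      0x14   /* le16 offset of first attribute */
#define MFT_OFS_IN_USE     0x18   /* le32 bytes_in_use              */
#define MFT_OFS_ALLOCATED  0x1C   /* le32 bytes_allocated           */

enum mft_check {
    MFT_OK = 0,
    MFT_BAD_MAGIC = 1,
    MFT_BAD_SIZE = 2,        /* the mismatch the patch rejects */
    MFT_BAD_ATTR_BOUNDS = 3  /* extra check, not part of the patch */
};

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)get_le16(p) | ((uint32_t)get_le16(p + 2) << 16);
}
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Record size as the boot sector encodes it: a negative value is
 * log2 of the size in bytes, a positive one is a cluster count. */
uint32_t mft_record_size_from_boot(int8_t clusters_per_mft_record, uint32_t cluster_size)
{
    if (clusters_per_mft_record < 0)
        return 1u << (-clusters_per_mft_record);
    return (uint32_t)clusters_per_mft_record * cluster_size;
}

/* Validate one record header against the size derived from the boot sector. */
enum mft_check validate_mft_record(const uint8_t *rec, size_t rec_len, uint32_t expected_size)
{
    if (rec_len < MFT_HDR_LEN || memcmp(rec + MFT_OFS_MAGIC, "FILE", 4) != 0)
        return MFT_BAD_MAGIC;

    /* The patch's check: the record must agree with the superblock. */
    uint32_t bytes_allocated = get_le32(rec + MFT_OFS_ALLOCATED);
    if (bytes_allocated != expected_size)
        return MFT_BAD_SIZE;

    /* Example's own consistency check: the first attribute header (8 bytes
     * minimum) must lie inside the used part of the record. */
    uint32_t bytes_in_use = get_le32(rec + MFT_OFS_IN_USE);
    uint16_t attrs_offset = get_le16(rec + MFT_OFS_ATTRS);
    if (bytes_in_use > bytes_allocated || bytes_in_use > rec_len ||
        attrs_offset < MFT_HDR_LEN || (uint32_t)attrs_offset + 8 > bytes_in_use)
        return MFT_BAD_ATTR_BOUNDS;
    return MFT_OK;
}

/* Constructed sample record header (not taken from a real volume). */
void build_sample_record(uint8_t *buf, size_t len, uint32_t bytes_allocated, uint32_t bytes_in_use)
{
    memset(buf, 0, len);
    memcpy(buf + MFT_OFS_MAGIC, "FILE", 4);
    buf[0x04] = 0x30;  /* usa_ofs                         */
    buf[0x06] = 0x03;  /* usa_count: 1 + 1024/512 sectors */
    buf[0x10] = 0x01;  /* sequence number                 */
    buf[0x12] = 0x01;  /* hard link count                 */
    buf[MFT_OFS_ATTRS] = 0x38;
    put_le32(buf + MFT_OFS_IN_USE, bytes_in_use);
    put_le32(buf + MFT_OFS_ALLOCATED, bytes_allocated);
}

/* Build a 1024-byte sample record with the given header fields and validate it. */
enum mft_check check_sample(uint32_t bytes_allocated, uint32_t bytes_in_use, uint32_t expected_size)
{
    uint8_t rec[1024];
    build_sample_record(rec, sizeof rec, bytes_allocated, bytes_in_use);
    return validate_mft_record(rec, sizeof rec, expected_size);
}

int main(void)
{
    uint32_t size = mft_record_size_from_boot(-10, 4096);   /* 0xF6 on disk -> 1024 */
    printf("superblock record size: %u\n", size);
    printf("consistent record: %d\n", check_sample(1024, 0x58, size));  /* 0 = MFT_OK */
    printf("record claiming 4096: %d\n", check_sample(4096, 0x58, size)); /* 2 = MFT_BAD_SIZE */
    return 0;
}
```

The kernel check rejects the record before any attribute is dereferenced, which is the property to preserve in any parser of this format: every length field read from the record is validated against the size the volume metadata promised before it is used to compute an address.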


2020-08-24 02:49:29

by Anton Altaparmakov

Subject: Re: [PATCH] ntfs: add check for mft record size in superblock

Hi Andrew,

Can you please merge this patch? Thanks a lot in advance!

Rustam, thank you for the updated patch!

Best regards,

Anton

> On 24 Aug 2020, at 03:28, Rustam Kovhaev <[email protected]> wrote:
>
> number of bytes allocated for mft record should be equal to the mft
> record size stored in ntfs superblock
> as reported by syzbot, userspace might trigger out-of-bounds read by
> dereferencing ctx->attr in ntfs_attr_find()
>
> Reported-and-tested-by: [email protected]
> Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
> Signed-off-by: Rustam Kovhaev <[email protected]>
> Acked-by: Anton Altaparmakov <[email protected]>
> ---
> fs/ntfs/inode.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
> index 9bb9f0952b18..caf563981532 100644
> --- a/fs/ntfs/inode.c
> +++ b/fs/ntfs/inode.c
> @@ -1810,6 +1810,12 @@ int ntfs_read_inode_mount(struct inode *vi)
> brelse(bh);
> }
>
> + if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) {
> + ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.",
> + le32_to_cpu(m->bytes_allocated), vol->mft_record_size);
> + goto err_out;
> + }
> +
> /* Apply the mst fixups. */
> if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) {
> /* FIXME: Try to use the $MFTMirr now. */
> --
> 2.28.0
>


--
Anton Altaparmakov <anton at tuxera.com> (replace at with @)
Lead in File System Development, Tuxera Inc., http://www.tuxera.com/
Linux NTFS maintainer