From: Anton Altaparmakov
To: Rustam Kovhaev
CC: "linux-ntfs-dev@lists.sourceforge.net", LKML, "gregkh@linuxfoundation.org"
Subject: Re: [PATCH] ntfs: add check for mft record size in superblock
Date: Mon, 24 Aug 2020 01:44:06 +0000
In-Reply-To: <20200823152147.55766-1-rkovhaev@gmail.com>

Hi Rustam,

Thank you for the patch but it introduces an endianness bug - you have to use le32_to_cpu(m->bytes_allocated) both when doing the comparison and then printing the message.

Also, please drop the square brackets. Wherever the driver prints such things it never uses brackets around the numbers and it would be better to have this consistent throughout.

Can you please resend with the above issues addressed? You can then also add to the commit message:

Acked-by: Anton Altaparmakov

Thanks!

Best regards, Anton > On 23 Aug 2020, at 16:21, Rustam Kovhaev wrote: > > number of bytes allocated for mft record should be equal to the mft > record size stored in ntfs superblock > as reported by syzbot, userspace might trigger out-of-bounds read by > dereferencing ctx->attr in ntfs_attr_find() > > Reported-and-tested-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com > Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e > Signed-off-by: Rustam Kovhaev > --- > fs/ntfs/inode.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c > index 9bb9f0952b18..6407af7c2e4f 100644 > --- a/fs/ntfs/inode.c > +++ b/fs/ntfs/inode.c > @@ -1810,6 +1810,12 @@ int ntfs_read_inode_mount(struct inode *vi) > brelse(bh); > } > > + if (m->bytes_allocated != vol->mft_record_size) { > + ntfs_error(sb, "Incorrect mft record size [%u] in superblock, should be [%u].", > + m->bytes_allocated, vol->mft_record_size); > + goto err_out; > + } > + > /* Apply the mst fixups. */ > if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) { > /* FIXME: Try to use the $MFTMirr now. */ > -- > 2.28.0 > -- Anton Altaparmakov (replace at with @) Lead in File System Development, Tuxera Inc., http://www.tuxera.com/ Linux NTFS maintainer
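
Review bot: In the added `if` in ntfs_read_inode_mount(), m->bytes_allocated is compared with vol->mft_record_size and passed to ntfs_error() without conversion; the reply identifies it as a little-endian on-disk field, so on a big-endian host the check would reject valid volumes and print a byte-swapped value. Use le32_to_cpu(m->bytes_allocated) in both the comparison and the argument list, and drop the brackets around %u to match the driver's other messages. The message text also says the incorrect size is "in superblock", while the first value printed is read from the mft record and the expected one is vol->mft_record_size, so consider wording that names where each number comes from.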