Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2466246pxj;
        Sun, 13 Jun 2021 22:10:57 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxUN2nBhwA/jtOqdxgx0NPACtaHLmkt8SERmulBMElECd2ClADeZU5grHHVl15hSiWMvzS8
X-Received: by 2002:a17:907:330d:: with SMTP id ym13mr13501923ejb.160.1623647457058;
        Sun, 13 Jun 2021 22:10:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1623647457; cv=none;
        d=google.com; s=arc-20160816;
        b=SgQlovx+C1EsHenIrNkhoyBbHCD2iRl1ZkW4yh2fz5E86CAhwhx5sI+ojQlesemg1+
         QypYF76+Kzr/EoQaIlJ6SZPcFeChUOaMJqUxBjRgrdz9VUDg/ucrwlIwcg/6hiys9LQL
         ZRsPxFC9gZZLrSkVrx78KdSWchKTuZJLH3qjmARpNIXlfR2Q8eckGjMs0YxOhUo68T5t
         k9dHSkpn3hd2hQ1OWScAfqgIn4Rl76EQsG51xDeA8l15A9B3ewmWgonnvJq5QtZSSkSg
         Nrw9Sz+mjeR3MrIIY3XQsOGOMTtTrmiibCL3Qy0bFpHP30+Q4ugqjoxtYqQ5+mCQU+J3
         gD6g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=7emn/WrNvxvMGRavk2ZZTU/O8HzrawGqoRrQamBs2vA=;
        b=RwwNlXY37Ca4Usv6XK6Q9uuPffk1AmrdbWEuMusmGiEJcw7JuaRdfnxv7kORSmZvYQ
         tLocproN4uxBku2m/etLRse5CVq5gnJJ8bZF4NOUiWEj07lL4hGaIWA7CM7FFJOf4a3+
         GK9HdHf6DRLnMq+2wNeOQ+AU3hbaCXFDt7gtSG8AtpE4Kax24KpixbZEi71d1BSGPhdg
         bqm9FaQ3yZG6xPBl+ky8ooP951REZfpV+cfRfuoVpqjyG14x+c5Ox5PapkQNOTTA8QoP
         b/2gjtihWv5JPy8Nmcag/k8zZp7/OAA/JJAQiVGLHkycGCpRO+x7hB0N5ks5w37zhqYA
         GIHQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=qmPKEk6n;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id 89si11474388eda.437.2021.06.13.22.10.34;
        Sun, 13 Jun 2021 22:10:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=qmPKEk6n;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231939AbhFNFJS (ORCPT <rfc822;ly15351151@gmail.com> + 99 others);
        Mon, 14 Jun 2021 01:09:18 -0400
Received: from mail-pl1-f178.google.com ([209.85.214.178]:46941 "EHLO
        mail-pl1-f178.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229596AbhFNFJR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Jun 2021 01:09:17 -0400
Received: by mail-pl1-f178.google.com with SMTP id e1so5900695pld.13
        for <linux-kernel@vger.kernel.org>; Sun, 13 Jun 2021 22:07:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=7emn/WrNvxvMGRavk2ZZTU/O8HzrawGqoRrQamBs2vA=;
        b=qmPKEk6nsUBRMtGUrK+YW0Y6lDW06gC2JDP/dJOSUGN5d342lCfmh+o3M/BfZEfIZ7
         UrWWPBqwOHjOS1MKQODSCKijNdC9JZ92OBn6nxj9W6bdPynpTSWQ3OtItph7SXAfIJT7
         HQGLMEn26hZi80/Yt4wgCTgGQPU5NujVvrFv0mtfvBo/qMXs3vVMBlI7qJv+sZzFfcS9
         2qzQjmiLeOhEPveuGIknOh/CTaIRn1dceppwLt9Vcb8OomnIOKDtAPYo6hpgCcqXfq+X
         TND5PXRfhgBChUUdpiBv7pZYLKpFhtd0nxI9ywJPuJTVNRIYiob76fP9q5bWf0edNWdq
         jVOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=7emn/WrNvxvMGRavk2ZZTU/O8HzrawGqoRrQamBs2vA=;
        b=dS/iild9v5srwmohXVKQdg+H1Atlb5mg/Rpi7Cci+rvzCDgNHy+YpqfaUFu4LvRya4
         JiYkacYa+NxbCPnDP6rs2UHPtw2oFr9HsgcK12AAvFZs+BsOq2YhIT+hpxtr0w5F3jh3
         hE1tlVzToeW6Phq6/XY3pE8GQb/3aJisrKISaR65UiDbD9SQGcxxcaCYfJoxf/maNDDe
         O9BZ31pDANLFuVlLN6dXIliIOXFYA8xq7GkBDitn+6KbmWgl1xo/I2LJkT4LAeL+LIHK
         JNeoVZq17a/IKpAmfb5l2muAc//Hud+5251kFSeFHWB8v995kFONZEM+2RHWmIXbU98B
         SPAA==
X-Gm-Message-State: AOAM531AIeycG+sdpczeurHVMN4BMCxAJkIM+tP7DhlzctBoTqXqZ8aM
        LMSgh/3xP0cOlerJdLr87EQ=
X-Received: by 2002:a17:90a:8c14:: with SMTP id a20mr16797974pjo.167.1623647166158;
        Sun, 13 Jun 2021 22:06:06 -0700 (PDT)
Received: from localhost.localdomain ([118.200.190.93])
        by smtp.gmail.com with ESMTPSA id q3sm10633391pfj.89.2021.06.13.22.06.03
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 13 Jun 2021 22:06:05 -0700 (PDT)
From:   Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
To:     anton@tuxera.com
Cc:     Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>,
        linux-ntfs-dev@lists.sourceforge.net, linux-kernel@vger.kernel.org,
        skhan@linuxfoundation.org, gregkh@linuxfoundation.org,
        linux-kernel-mentees@lists.linuxfoundation.org,
        syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
Subject: [PATCH] ntfs: Fix validity check for file name attribute
Date:   Mon, 14 Jun 2021 13:05:40 +0800
Message-Id: <20210614050540.289494-1-desmondcheongzx@gmail.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

When checking the file name attribute, we want to ensure that it fits
within the bounds of ATTR_RECORD. To do this, we should check
that (attr record + file name offset + file name length) < (attr
record + attr record length).

However, the original check did not include the file name offset in
the calculation. This means that corrupted on-disk metadata might not
caught by the incorrect file name check, and lead to an invalid memory
access.

An example can be seen in the crash report of a memory corruption
error found by Syzbot:
https://syzkaller.appspot.com/bug?id=a1a1e379b225812688566745c3e2f7242bffc246

Adding the file name offset to the validity check fixes this error and
passes the Syzbot reproducer test.

Reported-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
Tested-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
---
 fs/ntfs/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index f5c058b3192c..4474adb393ca 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -477,7 +477,7 @@ static int ntfs_is_extended_system_file(ntfs_attr_search_ctx *ctx)
 		}
 		file_name_attr = (FILE_NAME_ATTR*)((u8*)attr +
 				le16_to_cpu(attr->data.resident.value_offset));
-		p2 = (u8*)attr + le32_to_cpu(attr->data.resident.value_length);
+		p2 = (u8 *)file_name_attr + le32_to_cpu(attr->data.resident.value_length);
 		if (p2 < (u8*)attr || p2 > p)
 			goto err_corrupt_attr;
 		/* This attribute is ok, but is it in the $Extend directory? */
-- 
2.25.1