From: Desmond Cheong Zhi Xi
To: anton@tuxera.com
Cc: Desmond Cheong Zhi Xi, linux-ntfs-dev@lists.sourceforge.net, linux-kernel@vger.kernel.org, skhan@linuxfoundation.org, gregkh@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
Subject: [PATCH] ntfs: Fix validity check for file name attribute
Date: Mon, 14 Jun 2021 13:05:40 +0800
Message-Id: <20210614050540.289494-1-desmondcheongzx@gmail.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

When checking the file name attribute, we want to ensure that it fits within the bounds of ATTR_RECORD. To do this, we should check that (attr record + file name offset + file name length) < (attr record + attr record length).

However, the original check did not include the file name offset in the calculation. This means that corrupted on-disk metadata might not be caught by the incorrect file name check, and lead to an invalid memory access. An example can be seen in the crash report of a memory corruption error found by Syzbot:
https://syzkaller.appspot.com/bug?id=a1a1e379b225812688566745c3e2f7242bffc246

Adding the file name offset to the validity check fixes this error and passes the Syzbot reproducer test.

Reported-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
Tested-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
Signed-off-by: Desmond Cheong Zhi Xi
---
 fs/ntfs/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index f5c058b3192c..4474adb393ca 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -477,7 +477,7 @@ static int ntfs_is_extended_system_file(ntfs_attr_search_ctx *ctx) } file_name_attr = (FILE_NAME_ATTR*)((u8*)attr + le16_to_cpu(attr->data.resident.value_offset)); - p2 = (u8*)attr + le32_to_cpu(attr->data.resident.value_length); + p2 = (u8 *)file_name_attr + le32_to_cpu(attr->data.resident.value_length); if (p2 < (u8*)attr || p2 > p) goto err_corrupt_attr; /* This attribute is ok, but is it in the $Extend directory? */ -- 2.25.1
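Review bot: the bound enforced by the unchanged `if (p2 < (u8*)attr || p2 > p)` line permits `p2 == p`, while the commit message states the required relation as a strict `<`; a file name value that ends exactly at the end of the attribute record is valid, so the code is the correct one and the message should say the end must not exceed the record end (`<=`). The new `p2` line correctly anchors the end pointer at `file_name_attr` (i.e. `attr + value_offset`) rather than at `attr`, so a large `value_offset` combined with a small `value_length` can no longer pass the check; note that the `p2 < (u8*)attr` half only guards against pointer wraparound and does no bounds work on its own, so the `p2 > p` comparison is the one that must hold the line against corrupted metadata. One style nit: the added line casts as `(u8 *)file_name_attr` while the neighbouring lines in this function use `(u8*)attr`; match the file's existing cast style in this fix, or convert all of them in a separate cleanup patch rather than mixing the two in one function.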