Subject: Re: [PATCH] ntfs: Fix validity check for file name attribute
To: Rolf Eike Beer
Cc: anton@tuxera.com, gregkh@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org, linux-ntfs-dev@lists.sourceforge.net, skhan@linuxfoundation.org, syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com, rkovhaev@gmail.com
References: <2424055.QlFIqzKPrH@devpool47>
From: Desmond Cheong Zhi Xi
Date: Thu, 29 Jul 2021 19:56:09 +0800
In-Reply-To: <2424055.QlFIqzKPrH@devpool47>
X-Mailing-List: linux-kernel@vger.kernel.org

On 29/7/21 4:31 pm, Rolf Eike Beer wrote:
> Hi,
>
> I was just scanning through some older vulnerabilities and came across
> CVE-2018-12929, CVE-2018-12930, and CVE-2018-12931, which are all still open
> according to linuxkernelcves.com (originally reported against 4.15 [1]). I
> looked into the commits in fs/ntfs/ from 4.15 onwards to see if they were just
> missed, but I can't spot anything there. RedHat claims to have them fixed in
> one of their kernels [2].
>
> Which makes me wonder if the issue fixed here is a duplicate of any of the
> above. Is there a reason I can't find any patches for the original issue in
> tree, like the issue only being introduced in a custom patchset that
> Ubuntu/RedHat were using? Is this thing worth its own CVE if it's no
> duplicate?
>
> Greetings,
>
> Eike
>
> 1) https://marc.info/?t=152407734400002&r=1&w=2
> 2) https://access.redhat.com/errata/RHSA-2019:0641
>

Hi Eike,

Thanks for digging into this.

From a first glance, this bug seems most similar to CVE-2018-12929. However, from the logs, the root causes are probably different. The cause of this bug is specifically in the call to ntfs_is_extended_system_file [1], but from what I can see this is not the case for CVE-2018-12929.

I don't know enough to comment on whether it needs a CVE, but it has been patched on Linux stable (up to 4.4).

It's worth noting that there's another similar bug that was fixed by Rustam Kovhaev (+cc) in ntfs_read_locked_inode [2]. This may or may not have been the issue in CVE-2018-12929.

Link: https://syzkaller.appspot.com/bug?id=a1a1e379b225812688566745c3e2f7242bffc246 [1]
Link: https://syzkaller.appspot.com/bug?id=933dab9c03ac47a3d09dd4b0563a0a8fcb35f282 [2]

Best wishes,
Desmond