Subject: Re: [PATCH] fs/ntfs3: fix negative shift size in true_sectors_per_clst()
Date: Fri, 30 Sep 2022 19:34:34 +0300
From: Konstantin Komarov
To: Tetsuo Handa, Andrew Morton, Namjae Jeon, Randy Dunlap
CC: syzbot, LKML

On 9/20/22 18:59, Tetsuo Handa wrote:
> syzbot is reporting shift-out-of-bounds in true_sectors_per_clst() [1], for
> commit a3b774342fa752a5 ("fs/ntfs3: validate BOOT sectors_per_clusters")
> did not address that (0 - boot->sectors_per_clusters) < 0 because "u8" was
> chosen for type of boot->sectors_per_clusters because 0x80 needs to be
> positive in order to support 64K clusters. Use "s8" cast in order to make
> sure that (0 - (s8) boot->sectors_per_clusters) > 0.
>
> Link: https://syzkaller.appspot.com/bug?extid=1631f09646bc214d2e76 [1]
> Reported-by: syzbot
> Signed-off-by: Tetsuo Handa
> Tested-by: syzbot
> Fixes: a3b774342fa752a5 ("fs/ntfs3: validate BOOT sectors_per_clusters")
> > diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c > index 47012c9bf505..c7ffd21fb255 100644 > --- a/fs/ntfs3/super.c > +++ b/fs/ntfs3/super.c > @@ -672,7 +672,7 @@ static u32 true_sectors_per_clst(const struct NTFS_BOOT *boot) > if (boot->sectors_per_clusters <= 0x80) > return boot->sectors_per_clusters; > if (boot->sectors_per_clusters >= 0xf4) /* limit shift to 2MB max */ > - return 1U << (0 - boot->sectors_per_clusters); > + return 1U << (0 - (s8) boot->sectors_per_clusters); > return -EINVAL; > } >

Hello

Thanks for the patch, but there was already a similar patch by Shigeru Yoshida, so I chose it.
Sorry about that, thanks again for your work.
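
Review bot: The shift on the `+` line stays in range only because the `>= 0xf4` check directly above it limits the `s8` value to -12..-1, and nothing in the hunk says that the byte is a negated log2; a short comment to that effect next to the existing "limit shift to 2MB max" comment would make the reason for the cast visible. The expression could also be written as `1U << -(s8)boot->sectors_per_clusters`, which drops the redundant `0 -` and the space after the cast. Separately, the function is declared `static u32` but still ends in `return -EINVAL;`, so the error comes back as a large unsigned value and the caller has to test for exactly that.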
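
The integer promotion described in the quoted commit message, as an added userspace example that is not part of the original thread or of the ntfs3 code. The function names are hypothetical, `uint8_t`/`int8_t` stand in for the kernel's `u8`/`s8`, and the sample bytes are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Shift count the pre-patch expression would use: the u8 is promoted to
 * int before the subtraction, so 0xf4 gives -244 instead of 12. Only the
 * count is computed; the out-of-range shift itself is never executed. */
static int shift_count_before(uint8_t spc)
{
    return 0 - spc;
}

/* Shift count with the cast from the patch: 0xf4..0xff read as s8 are
 * -12..-1, so the negated value is 1..12. */
static int shift_count_after(uint8_t spc)
{
    return 0 - (int8_t)spc;
}

/* Userspace model of the decode with the cast applied. Returns 0 and
 * stores the cluster size in sectors, or -EINVAL for 0x81..0xf3. The
 * error is kept apart from the value instead of sharing a u32. */
static int decode_sectors_per_cluster(uint8_t spc, uint32_t *out)
{
    if (spc <= 0x80) {
        *out = spc;
        return 0;
    }
    if (spc >= 0xf4) {
        *out = 1U << shift_count_after(spc);
        return 0;
    }
    return -EINVAL;
}

int main(void)
{
    /* Constructed sample bytes covering each branch and both edges. */
    static const uint8_t samples[] = { 0x08, 0x80, 0x81, 0xf3, 0xf4, 0xff };

    for (size_t i = 0; i < sizeof(samples); i++) {
        uint32_t n = 0;
        int rc = decode_sectors_per_cluster(samples[i], &n);

        printf("0x%02x: before=%d after=%d rc=%d sectors=%u\n",
               (unsigned)samples[i], shift_count_before(samples[i]),
               shift_count_after(samples[i]), rc, (unsigned)n);
    }
    return 0;
}
```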