Subject: [PATCH 6/8] fs/ntfs3: Add more attributes checks in mi_enum_attr()
From: Konstantin Komarov
CC: Linux Kernel Mailing List
Date: Mon, 3 Jul 2023 11:27:21 +0400
Message-ID: <18640b25-5018-ebf2-38d9-e750404cb66f@paragon-software.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Signed-off-by: Konstantin Komarov
---
 fs/ntfs3/record.c | 68 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 52 insertions(+), 16 deletions(-)
diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index cae939cb42cf..53629b1f65e9 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c @@ -199,8 +199,9 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr)  {      const struct MFT_REC *rec = mi->mrec;      u32 used = le32_to_cpu(rec->used); -    u32 t32, off, asize; +    u32 t32, off, asize, prev_type;      u16 t16; +    u64 data_size, alloc_size, tot_size;      if (!attr) {          u32 total = le32_to_cpu(rec->total); @@ -219,6 +220,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr)          if (!is_rec_inuse(rec))              return NULL; +        prev_type = 0;          attr = Add2Ptr(rec, off);      } else {          /* Check if input attr inside record. */ @@ -232,11 +234,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr)              return NULL;          } -        if (off + asize < off) { -            /* Overflow check. */ +        /* Overflow check. */ +        if (off + asize < off)              return NULL; -        } +        prev_type = le32_to_cpu(attr->type);          attr = Add2Ptr(attr, asize);          off += asize;      } @@ -256,7 +258,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr)      /* 0x100 is last known attribute for now. */      t32 = le32_to_cpu(attr->type); -    if ((t32 & 0xf) || (t32 > 0x100)) +    if (!t32 || (t32 & 0xf) || (t32 > 0x100)) +        return NULL; + +    /* attributes in record must be ordered by type */ +    if (t32 < prev_type)          return NULL;      /* Check overflow and boundary. */ 
@@ -265,16 +271,15 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr)      /* Check size of attribute. */      if (!attr->non_res) { +        /* Check resident fields. */          if (asize < SIZEOF_RESIDENT)              return NULL;          t16 = le16_to_cpu(attr->res.data_off); -          if (t16 > asize)              return NULL; -        t32 = le32_to_cpu(attr->res.data_size); -        if (t16 + t32 > asize) +        if (t16 + le32_to_cpu(attr->res.data_size) > asize)              return NULL;          t32 = sizeof(short) * attr->name_len; 
@@ -284,21 +289,52 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr)          return attr;      } -    /* Check some nonresident fields. */ -    if (attr->name_len && -        le16_to_cpu(attr->name_off) + sizeof(short) * attr->name_len > -            le16_to_cpu(attr->nres.run_off)) { +    /* Check nonresident fields. */ +    if (attr->non_res != 1) +        return NULL; + +    t16 = le16_to_cpu(attr->nres.run_off); +    if (t16 > asize) +        return NULL; + +    t32 = sizeof(short) * attr->name_len; +    if (t32 && le16_to_cpu(attr->name_off) + t32 > t16) +        return NULL; + +    /* Check start/end vcn. */ +    if (le64_to_cpu(attr->nres.svcn) > le64_to_cpu(attr->nres.evcn) + 1) +        return NULL; + +    data_size = le64_to_cpu(attr->nres.data_size); +    if (le64_to_cpu(attr->nres.valid_size) > data_size)          return NULL; -    } -    if (attr->nres.svcn || !is_attr_ext(attr)) { +    alloc_size = le64_to_cpu(attr->nres.alloc_size); +    if (data_size > alloc_size) +        return NULL; + +    t32 = mi->sbi->cluster_mask; +    if (alloc_size & t32) +        return NULL; + +    if (!attr->nres.svcn && is_attr_ext(attr)) { +        /* First segment of sparse/compressed attribute */ +        if (asize + 8 < SIZEOF_NONRESIDENT_EX) +            return NULL; + +        tot_size = le64_to_cpu(attr->nres.total_size); +        if (tot_size & t32) +            return NULL; + +        if (tot_size > alloc_size) +            return NULL; +    } else {          if (asize + 8 < SIZEOF_NONRESIDENT)              return NULL;          if (attr->nres.c_unit)              return NULL; -    } else if (asize + 8 < SIZEOF_NONRESIDENT_EX) -        return NULL; +    }      return attr;  } -- 2.34.1
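Review bot: in the `@@ -256,7 +258,11 @@` hunk, the new ordering check `if (t32 < prev_type)` uses `<` rather than `<=`, which is the right choice: a record can legitimately carry several attributes of the same type back to back (multiple $FILE_NAME entries for DOS/Win32 names or hard links, multiple $DATA streams), and `<=` would reject valid records. Style point on the same hunk: the added comment `/* attributes in record must be ordered by type */` should follow the surrounding kernel comment style (capitalised, full stop), e.g. `/* Attributes in record must be ordered by type. */`, as the adjacent `/* Check overflow and boundary. */` does.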
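Review bot: in the `@@ -265,16 +271,15 @@` hunk, `if (t16 + le32_to_cpu(attr->res.data_size) > asize)` can wrap: `t16` is promoted to unsigned int and `data_size` is a u32 read from disk, so a data_size close to U32_MAX makes the sum small and the bound check passes even though the resident payload would extend far beyond the attribute. The removed form `t16 + t32 > asize` had the same weakness, so this hunk is the natural place to fix it; because `t16 > asize` is already rejected two lines above, `if (le32_to_cpu(attr->res.data_size) > asize - t16)` is equivalent for valid input and cannot overflow.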
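Review bot: in the `@@ -284,21 +289,52 @@` hunk, `t16 = le16_to_cpu(attr->nres.run_off)` is only bounded from above (`if (t16 > asize)`); the header-size checks `asize + 8 < SIZEOF_NONRESIDENT` and `asize + 8 < SIZEOF_NONRESIDENT_EX` constrain `asize`, not `run_off`, so a run_off smaller than the nonresident header would place the mapping pairs array on top of the header fields that were just validated. Consider adding a lower bound next to the existing upper one (`t16 < SIZEOF_NONRESIDENT`, and `t16 < SIZEOF_NONRESIDENT_EX` inside the `!attr->nres.svcn && is_attr_ext(attr)` branch). Separately, this hunk introduces a dereference of `mi->sbi->cluster_mask`; every caller of mi_enum_attr(), including the record-loading paths, now has to guarantee `mi->sbi` is set, which is worth stating in the commit message.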