From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ziqi Zhao , syzbot+60cf892fc31d1f4358fc@syzkaller.appspotmail.com, Konstantin Komarov , Sasha Levin , ntfs3@lists.linux.dev
Subject: [PATCH AUTOSEL 6.5 13/52] fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e()
Date: Sun, 29 Oct 2023 18:53:00 -0400
Message-ID: <20231029225441.789781-13-sashal@kernel.org>
In-Reply-To: <20231029225441.789781-1-sashal@kernel.org>
References: <20231029225441.789781-1-sashal@kernel.org>
X-stable: review
X-stable-base: Linux 6.5.9
From: Ziqi Zhao

[ Upstream commit 1f9b94af923c88539426ed811ae7e9543834a5c5 ]

Upon investigation of the C reproducer provided by Syzbot, it seemed the reproducer was trying to mount a corrupted NTFS filesystem, then issue a rename syscall to some nodes in the filesystem. This can be shown by modifying the reproducer to only include the mount syscall, and investigating the filesystem by e.g. `ls` and `rm` commands.

As a result, during the problematic call to `hdr_find_e`, the `inode` being supplied did not go through `indx_init`, hence the `cmp` function pointer was never set.

The fix is simply to check whether `cmp` is not set, and return NULL if that's the case, in order to be consistent with other error scenarios of the `hdr_find_e` method.

The rationale behind this patch is that:

- We should prevent crashing the kernel even if the mounted filesystem is corrupted. Any syscalls made on the filesystem could return invalid, but the kernel should be able to sustain these calls.

- Only very specific corruption would lead to this bug, so it would be a pretty rare case in actual usage anyways. Therefore, introducing a check to specifically protect against this bug seems appropriate. Because of its rarity, an `unlikely` clause is used to wrap around this nullity check.

Reported-by: syzbot+60cf892fc31d1f4358fc@syzkaller.appspotmail.com
Signed-off-by: Ziqi Zhao
Signed-off-by: Konstantin Komarov
Signed-off-by: Sasha Levin
---
 fs/ntfs3/index.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c index 124c6e822623f..cf92b2433f7a7 100644 --- a/fs/ntfs3/index.c +++ b/fs/ntfs3/index.c @@ -729,6 +729,9 @@ static struct NTFS_DE *hdr_find_e(const struct ntfs_index *indx, u32 total = le32_to_cpu(hdr->total); u16 offs[128]; + if (unlikely(!cmp)) + return NULL; + fill_table: if (end > total) return NULL;
-- 
2.42.0
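Review bot: The `if (unlikely(!cmp)) return NULL;` guard at the top of hdr_find_e stops the dereference for this one caller, but the commit message says the underlying defect is an index whose `indx_init` never ran; consider also rejecting such an index where it is set up or loaded so that any other helper reading the index's compare callback does not hit the same NULL, and add a one-line comment above the check saying it covers an index left uninitialised by on-disk corruption, since a bare `!cmp` test is otherwise opaque to later readers. Returning NULL matches the existing `if (end > total) return NULL;` in the same function, and placing the check before the `fill_table:` label keeps it from being re-evaluated on each jump back, so those parts look right.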