lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 23 Aug 2020 19:28:04 -0700 From: Rustam Kovhaev <rkovhaev@...il.com> To: anton@...era.com, linux-ntfs-dev@...ts.sourceforge.net Cc: linux-kernel@...r.kernel.org, gregkh@...uxfoundation.org, Rustam Kovhaev <rkovhaev@...il.com> Subject: [PATCH] ntfs: add check for mft record size in superblock number of bytes allocated for mft record should be equal to the mft record size stored in ntfs superblock as reported by syzbot, userspace might trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find() Reported-and-tested-by: syzbot+aed06913f36eff9b544e@...kaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e Signed-off-by: Rustam Kovhaev <rkovhaev@...il.com> Acked-by: Anton Altaparmakov <anton@...era.com> --- fs/ntfs/inode.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c index 9bb9f0952b18..caf563981532 100644 --- a/fs/ntfs/inode.c +++ b/fs/ntfs/inode.c @@ -1810,6 +1810,12 @@ int ntfs_read_inode_mount(struct inode *vi) brelse(bh); } + if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) { + ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.", + le32_to_cpu(m->bytes_allocated), vol->mft_record_size); + goto err_out; + } + /* Apply the mst fixups. */ if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) { /* FIXME: Try to use the $MFTMirr now. */ -- 2.28.0
Powered by blists - more mailing lists