| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200824022804.226242-1-rkovhaev@gmail.com>
Date: Sun, 23 Aug 2020 19:28:04 -0700
From: Rustam Kovhaev <rkovhaev@...il.com>
To: anton@...era.com, linux-ntfs-dev@...ts.sourceforge.net
Cc: linux-kernel@...r.kernel.org, gregkh@...uxfoundation.org,
Rustam Kovhaev <rkovhaev@...il.com>
Subject: [PATCH] ntfs: add check for mft record size in superblock
number of bytes allocated for mft record should be equal to the mft
record size stored in ntfs superblock
as reported by syzbot, userspace might trigger out-of-bounds read by
dereferencing ctx->attr in ntfs_attr_find()
Reported-and-tested-by: syzbot+aed06913f36eff9b544e@...kaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
Signed-off-by: Rustam Kovhaev <rkovhaev@...il.com>
Acked-by: Anton Altaparmakov <anton@...era.com>
---
fs/ntfs/inode.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index 9bb9f0952b18..caf563981532 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -1810,6 +1810,12 @@ int ntfs_read_inode_mount(struct inode *vi)
brelse(bh);
}
+ if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) {
+ ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.",
+ le32_to_cpu(m->bytes_allocated), vol->mft_record_size);
+ goto err_out;
+ }
+
/* Apply the mst fixups. */
if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) {
/* FIXME: Try to use the $MFTMirr now. */
--
2.28.0
Powered by blists - more mailing lists