[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20201102090649.140696-1-foxhlchen@gmail.com>
Date: Mon, 2 Nov 2020 17:06:49 +0800
From: Fox Chen <foxhlchen@...il.com>
To: anton@...era.com
Cc: Fox Chen <foxhlchen@...il.com>,
linux-ntfs-dev@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
gregkh@...uxfoundation.org,
syzbot+ecbcf37464c627253e44@...kaller.appspotmail.com
Subject: [PATCH] NTFS: Add name sanity check to ntfs_attr_find
When mounting, if Attribute data is correupted, doing named attribute
lookup can lead to invalid memory access. This is reported by syzkaller.
This patch adds a sanity check prior to attribute name lookup. If attribute's
name_offset is invalid, It will mark volume error and return -EIO.
Reported-by: syzbot+ecbcf37464c627253e44@...kaller.appspotmail.com
Signed-off-by: Fox Chen <foxhlchen@...il.com>
---
fs/ntfs/attrib.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
index d563abc3e136..e7366f74ff62 100644
--- a/fs/ntfs/attrib.c
+++ b/fs/ntfs/attrib.c
@@ -607,6 +607,16 @@ static int ntfs_attr_find(const ATTR_TYPE type, const ntfschar *name,
* If @name is present, compare the two names. If @name is
* missing, assume we want an unnamed attribute.
*/
+
+ /*
+ * Sanity check, a->name_offset should be within the range of a->lengh,
+ */
+ if (name && ((u8*)a + le16_to_cpu(a->name_offset)) > ((u8*)a + le32_to_cpu(a->length))) {
+ ntfs_error(vol->sb, "Invalid Attribute Name. Inode is corrupt. Run chkdsk.");
+ NVolSetErrors(vol);
+ return -EIO;
+ }
+
if (!name) {
/* The search failed if the found attribute is named. */
if (a->name_length)
--
2.25.1
Powered by blists - more mailing lists