lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20201102090649.140696-1-foxhlchen@gmail.com>
Date:   Mon,  2 Nov 2020 17:06:49 +0800
From:   Fox Chen <foxhlchen@...il.com>
To:     anton@...era.com
Cc:     Fox Chen <foxhlchen@...il.com>,
        linux-ntfs-dev@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
        gregkh@...uxfoundation.org,
        syzbot+ecbcf37464c627253e44@...kaller.appspotmail.com
Subject: [PATCH] NTFS: Add name sanity check to ntfs_attr_find

When mounting, if Attribute data is correupted, doing named attribute
lookup can lead to invalid memory access. This is reported by syzkaller.

This patch adds a sanity check prior to attribute name lookup. If attribute's
name_offset is invalid, It will mark volume error and return -EIO.

Reported-by: syzbot+ecbcf37464c627253e44@...kaller.appspotmail.com
Signed-off-by: Fox Chen <foxhlchen@...il.com>
---
 fs/ntfs/attrib.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
index d563abc3e136..e7366f74ff62 100644
--- a/fs/ntfs/attrib.c
+++ b/fs/ntfs/attrib.c
@@ -607,6 +607,16 @@ static int ntfs_attr_find(const ATTR_TYPE type, const ntfschar *name,
 		 * If @name is present, compare the two names.  If @name is
 		 * missing, assume we want an unnamed attribute.
 		 */
+
+		/*
+		 * Sanity check, a->name_offset should be within the range of a->lengh,
+		 */
+		if (name && ((u8*)a + le16_to_cpu(a->name_offset)) > ((u8*)a + le32_to_cpu(a->length))) {
+			ntfs_error(vol->sb, "Invalid Attribute Name. Inode is corrupt.  Run chkdsk.");
+			NVolSetErrors(vol);
+			return -EIO;
+		}
+
 		if (!name) {
 			/* The search failed if the found attribute is named. */
 			if (a->name_length)
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ