| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Aug 2022 14:07:12 +0300
From: Alon Zahavi <zahavi.alon@...il.com>
To: almaz.alexandrovich@...agon-software.com, ntfs3@...ts.linux.dev,
linux-kernel@...r.kernel.org
Cc: Alon Zahavi <zahavi.alon@...il.com>,
Tal Lossos <tallossos@...il.com>
Subject: [PATCH] ntfs3: Fix attr_punch_hole() null pointer derenference
From: Alon Zahavi <zahavi.alon@...il.com>
The bug occours due to a misuse of `attr` variable instead of `attr_b`.
`attr` is being initialized as NULL, then being derenfernced
as `attr->res.data_size`.
This bug causes a crash of the ntfs3 driver itself,
If compiled directly to the kernel, it crashes the whole system.
Signed-off-by: Alon Zahavi <zahavi.alon@...il.com>
Co-developed-by: Tal Lossos <tallossos@...il.com>
Signed-off-by: Tal Lossos <tallossos@...il.com>
---
fs/ntfs3/attrib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c
index e8c00dda42ad..4e74bc8f01ed 100644
--- a/fs/ntfs3/attrib.c
+++ b/fs/ntfs3/attrib.c
@@ -1949,7 +1949,7 @@ int attr_punch_hole(struct ntfs_inode *ni, u64 vbo, u64 bytes, u32 *frame_size)
return -ENOENT;
if (!attr_b->non_res) {
- u32 data_size = le32_to_cpu(attr->res.data_size);
+ u32 data_size = le32_to_cpu(attr_b->res.data_size);
u32 from, to;
if (vbo > data_size)
--
2.25.1
Powered by blists - more mailing lists