lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 26 Dec 2022 19:32:50 +0400
From:   Konstantin Komarov <almaz.alexandrovich@...agon-software.com>
To:     Abdun Nihaal <abdun.nihaal@...il.com>
CC:     <ntfs3@...ts.linux.dev>, <linux-kernel@...r.kernel.org>,
        <skhan@...uxfoundation.org>,
        <linux-kernel-mentees@...ts.linuxfoundation.org>,
        <syzbot+fa4648a5446460b7b963@...kaller.appspotmail.com>
Subject: Re: [PATCH v2] fs/ntfs3: Validate attribute data and valid sizes

On 14.11.2022 15:53, Abdun Nihaal wrote:
> The data_size and valid_size fields of non resident attributes should be
> less than the its alloc_size field, but this is not checked in
> ntfs_read_mft function.
>
> Syzbot reports a allocation order warning due to a large unchecked value
> of data_size getting assigned to inode->i_size which is then passed to
> kcalloc.
>
> Add sanity check for ensuring that the data_size and valid_size fields
> are not larger than alloc_size field.
>
> Link: https://syzkaller.appspot.com/bug?extid=fa4648a5446460b7b963
> Reported-and-tested-by: syzbot+fa4648a5446460b7b963@...kaller.appspotmail.com
> Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
> Signed-off-by: Abdun Nihaal <abdun.nihaal@...il.com>
> ---
>
> Please apply this instead of my previous patch.
>
> Changes in v2:
>   Correct the format used for the Fixes tag.
>
>   fs/ntfs3/inode.c | 7 +++++++
>   1 file changed, 7 insertions(+)
>
> diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
> index 970bb7c357c7..763dd982a43a 100644
> --- a/fs/ntfs3/inode.c
> +++ b/fs/ntfs3/inode.c
> @@ -132,6 +132,13 @@ static struct inode *ntfs_read_mft(struct inode *inode,
>   	if (le16_to_cpu(attr->name_off) + attr->name_len > asize)
>   		goto out;
>   
> +	if (attr->non_res) {
> +		t64 = le64_to_cpu(attr->nres.alloc_size);
> +		if (le64_to_cpu(attr->nres.data_size) > t64 ||
> +		    le64_to_cpu(attr->nres.valid_size) > t64)
> +			goto out;
> +	}
> +
>   	switch (attr->type) {
>   	case ATTR_STD:
>   		if (attr->non_res ||
Hello. Your patch has been already applied.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ