lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 10 Jan 2023 19:04:40 +0800
From:   Zeng Heng <zengheng4@...wei.com>
To:     <almaz.alexandrovich@...agon-software.com>
CC:     <ntfs3@...ts.linux.dev>, <liwei391@...wei.com>,
        <linux-kernel@...r.kernel.org>, <syzkaller-bugs@...glegroups.com>
Subject: Re: [PATCH] ntfs: fix panic about slab-out-of-bounds caused by
 ntfs_listxattr()


On 2022/12/8 0:28, Zeng Heng wrote:
> Here is a BUG report from syzbot:
>
> BUG: KASAN: slab-out-of-bounds in ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
> BUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
> Read of size 1 at addr ffff888021acaf3d by task syz-executor128/3632
>
> Call Trace:
>   ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
>   ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
>   vfs_listxattr fs/xattr.c:457 [inline]
>   listxattr+0x293/0x2d0 fs/xattr.c:804
>
> Fix the logic of ea_all iteration. When the ea->name_len is 0,
> return immediately, or Add2Ptr() would visit invalid memory
> in the next loop.
>
> Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations")
> Reported-by: syzbot+9fcea5ef6dc4dc72d334@...kaller.appspotmail.com
> Signed-off-by: Zeng Heng <zengheng4@...wei.com>
> ---
>   fs/ntfs3/xattr.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
> index 7de8718c68a9..911e110b8d6e 100644
> --- a/fs/ntfs3/xattr.c
> +++ b/fs/ntfs3/xattr.c
> @@ -178,6 +178,9 @@ static ssize_t ntfs_list_ea(struct ntfs_inode *ni, char *buffer,
>   	for (ret = 0, off = 0; off < size; off += unpacked_ea_size(ea)) {
>   		ea = Add2Ptr(ea_all, off);
>   
> +		if (!ea->name_len)
> +			break;
> +
>   		if (buffer) {
>   			if (ret + ea->name_len + 1 > bytes_per_buffer) {
>   				err = -ERANGE;

Is there any comment about this patch?

Thanks for advance.


Zeng Heng

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ