| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240515123946.874688-1-andrewjballance@gmail.com>
Date: Wed, 15 May 2024 07:38:33 -0500
From: Andrew Ballance <andrewjballance@...il.com>
To: syzbot+39b2fb0f2638669008ec@...kaller.appspotmail.com
Cc: almaz.alexandrovich@...agon-software.com,
linux-kernel@...r.kernel.org,
ntfs3@...ts.linux.dev,
syzkaller-bugs@...glegroups.com,
skhan@...uxfoundation.org,
linux-kernel-mentees@...ts.linuxfoundation.org,
Andrew Ballance <andrewjballance@...il.com>
Subject: [PATCH] ntfs3: check if more than chunk-size bytes are written
#syz test
a incorrectly formatted chunk may decompress into
more than LZNT_CHUNK_SIZE bytes and a index out of bounds
will occur in s_max_off.
Signed-off-by: Andrew Ballance <andrewjballance@...il.com>
---
fs/ntfs3/lznt.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/ntfs3/lznt.c b/fs/ntfs3/lznt.c
index 4aae598d6d88..fdc9b2ebf341 100644
--- a/fs/ntfs3/lznt.c
+++ b/fs/ntfs3/lznt.c
@@ -236,6 +236,9 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr,
/* Do decompression until pointers are inside range. */
while (up < unc_end && cmpr < cmpr_end) {
+ // return err if more than LZNT_CHUNK_SIZE bytes are written
+ if (up - unc > LZNT_CHUNK_SIZE)
+ return -EINVAL;
/* Correct index */
while (unc + s_max_off[index] < up)
index += 1;
--
2.45.0
Powered by blists - more mailing lists