[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20241014035815.2247153-2-sashal@kernel.org>
Date: Sun, 13 Oct 2024 23:57:52 -0400
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Cc: Andrew Ballance <andrewjballance@...il.com>,
Konstantin Komarov <almaz.alexandrovich@...agon-software.com>,
Sasha Levin <sashal@...nel.org>,
ntfs3@...ts.linux.dev
Subject: [PATCH AUTOSEL 6.6 02/17] fs/ntfs3: Check if more than chunk-size bytes are written
From: Andrew Ballance <andrewjballance@...il.com>
[ Upstream commit 9931122d04c6d431b2c11b5bb7b10f28584067f0 ]
A incorrectly formatted chunk may decompress into
more than LZNT_CHUNK_SIZE bytes and a index out of bounds
will occur in s_max_off.
Signed-off-by: Andrew Ballance <andrewjballance@...il.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@...agon-software.com>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
fs/ntfs3/lznt.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/ntfs3/lznt.c b/fs/ntfs3/lznt.c
index 4aae598d6d884..fdc9b2ebf3410 100644
--- a/fs/ntfs3/lznt.c
+++ b/fs/ntfs3/lznt.c
@@ -236,6 +236,9 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr,
/* Do decompression until pointers are inside range. */
while (up < unc_end && cmpr < cmpr_end) {
+ // return err if more than LZNT_CHUNK_SIZE bytes are written
+ if (up - unc > LZNT_CHUNK_SIZE)
+ return -EINVAL;
/* Correct index */
while (unc + s_max_off[index] < up)
index += 1;
--
2.43.0
Powered by blists - more mailing lists