| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250925203701.223744-2-rpthibeault@gmail.com>
Date: Thu, 25 Sep 2025 16:36:59 -0400
From: Raphael Pinsonneault-Thibeault <rpthibeault@...il.com>
To: almaz.alexandrovich@...agon-software.com
Cc: Raphael Pinsonneault-Thibeault <rpthibeault@...il.com>,
ntfs3@...ts.linux.dev,
linux-kernel@...r.kernel.org,
skhan@...uxfoundation.org,
david.hunter.linux@...il.com,
syzbot+7a2ba6b7b66340cff225@...kaller.appspotmail.com
Subject: [PATCH] ntfs3: fix uninit memory after failed mi_read in mi_format_new
attr_insert_range() called from ntfs_fallocate() has 2 different
code paths that trigger mi_read() (which calls ntfs_read_bh).
If the first mi_read() -> ntfs_read_bh() fails with an IO error, it
leaves an uninitialized buffer in the buffer cache.
The second mi_read() -> ntfs_read_bh() then uses that buffer,
where we get KMSAN warning "uninit-value in ntfs_read_bh".
The fix is to check if mi_read failed in mi_format_new.
Reported-by: syzbot+7a2ba6b7b66340cff225@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7a2ba6b7b66340cff225
Tested-by: syzbot+7a2ba6b7b66340cff225@...kaller.appspotmail.com
Fixes: 4342306f0f0d5 ("fs/ntfs3: Add file operations and implementation")
Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@...il.com>
---
fs/ntfs3/record.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c
index 714c7ecedca8..98d2e5517077 100644
--- a/fs/ntfs3/record.c
+++ b/fs/ntfs3/record.c
@@ -431,13 +431,18 @@ int mi_format_new(struct mft_inode *mi, struct ntfs_sb_info *sbi, CLST rno,
seq = rno;
} else if (rno >= sbi->mft.used) {
;
- } else if (mi_read(mi, is_mft)) {
- ;
- } else if (rec->rhdr.sign == NTFS_FILE_SIGNATURE) {
- /* Record is reused. Update its sequence number. */
- seq = le16_to_cpu(rec->seq) + 1;
- if (!seq)
- seq = 1;
+ } else {
+ err = mi_read(mi, is_mft);
+ if (err) {
+ return err;
+ }
+
+ if (rec->rhdr.sign == NTFS_FILE_SIGNATURE) {
+ /* Record is reused. Update its sequence number. */
+ seq = le16_to_cpu(rec->seq) + 1;
+ if (!seq)
+ seq = 1;
+ }
}
memcpy(rec, sbi->new_rec, sbi->record_size);
--
2.43.0
Powered by blists - more mailing lists