The patch titled
Subject: ntfs: check overflow when iterating ATTR_RECORDs
has been added to the -mm mm-nonmm-unstable branch. Its filename is
ntfs-check-overflow-when-iterates-attr_records.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/ntfs-check-overflow-when-iterates-attr_records.patch
This patch will later appear in the mm-nonmm-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Hawkins Jiawei <yin31149@xxxxxxxxx>
Subject: ntfs: check overflow when iterating ATTR_RECORDs
Date: Thu, 1 Sep 2022 00:09:38 +0800
Kernel iterates over ATTR_RECORDs in mft record in ntfs_attr_find().
Because the ATTR_RECORDs are next to each other, kernel can get the next
ATTR_RECORD from end address of current ATTR_RECORD, through current
ATTR_RECORD length field.
The problem is that during iteration, when kernel calculates the end
address of current ATTR_RECORD, kernel may trigger an integer overflow bug
in executing `a = (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))`. This
may wrap, leading to a forever iteration on 32bit systems.
This patch solves it by adding some checks on calculating end address
of current ATTR_RECORD during iteration.
Link: https://lkml.kernel.org/r/20220831160935.3409-4-yin31149@xxxxxxxxx
Link: https://lore.kernel.org/all/20220827105842.GM2030@kadam/
Signed-off-by: Hawkins Jiawei <yin31149@xxxxxxxxx>
Suggested-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Cc: Anton Altaparmakov <anton@xxxxxxxxxx>
Cc: chenxiaosong (A) <chenxiaosong2@xxxxxxxxxx>
Cc: syzkaller-bugs <syzkaller-bugs@xxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
fs/ntfs/attrib.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/ntfs/attrib.c~ntfs-check-overflow-when-iterates-attr_records
+++ a/fs/ntfs/attrib.c
@@ -617,6 +617,14 @@ static int ntfs_attr_find(const ATTR_TYP
return -ENOENT;
if (unlikely(!a->length))
break;
+
+ /* check whether ATTR_RECORD's length wrap */
+ if ((u8 *)a + le32_to_cpu(a->length) < (u8 *)a)
+ break;
+ /* check whether ATTR_RECORD's length is within bounds */
+ if ((u8 *)a + le32_to_cpu(a->length) > mrec_end)
+ break;
+
if (a->type != type)
continue;
/*
_
Patches currently in -mm which might be from yin31149@xxxxxxxxx are
ntfs-fix-use-after-free-in-ntfs_attr_find.patch
ntfs-fix-out-of-bounds-read-in-ntfs_attr_find.patch
ntfs-check-overflow-when-iterates-attr_records.patch
