When the NTFS BOOT sectors_per_clusters field is > 0x80,
it represents a shift value. First change its sign to positive
and then make sure that the shift count is not too large.
This prevents negative shift values and shift values that are
larger than the field size.
Prevents this UBSAN error:
UBSAN: shift-out-of-bounds in ../fs/ntfs3/super.c:673:16
shift exponent -192 is negative
Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Signed-off-by: Randy Dunlap <rdunlap@xxxxxxxxxxxxx>
Reported-by: syzbot+1631f09646bc214d2e76@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: Konstantin Komarov <almaz.alexandrovich@xxxxxxxxxxxxxxxxxxxx>
Cc: ntfs3@xxxxxxxxxxxxxxx
Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Kari Argillander <kari.argillander@xxxxxxxxxxxxxxxxxxxx>
Cc: Namjae Jeon <linkinjeon@xxxxxxxxxx>
---
fs/ntfs3/super.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- linux-next-20220428.orig/fs/ntfs3/super.c
+++ linux-next-20220428/fs/ntfs3/super.c
@@ -670,7 +670,8 @@ static u32 true_sectors_per_clst(const s
{
return boot->sectors_per_clusters <= 0x80
? boot->sectors_per_clusters
- : (1u << (0 - boot->sectors_per_clusters));
+ : -(s8)boot->sectors_per_clusters > 31 ? -1
+ : (1u << -(s8)boot->sectors_per_clusters);
}
/*
@@ -713,7 +714,7 @@ static int ntfs_init_from_boot(struct su
/* cluster size: 512, 1K, 2K, 4K, ... 2M */
sct_per_clst = true_sectors_per_clst(boot);
- if (!is_power_of_2(sct_per_clst))
+ if ((int)sct_per_clst < 0 || !is_power_of_2(sct_per_clst))
goto out;
mlcn = le64_to_cpu(boot->mft_clst);
